Red Hat Bugzilla – Bug 220886
RFE: Disable cups IPP broadcasting by default.
Last modified: 2008-11-29 09:44:23 EST
Description of problem:
By default, once you enable printer sharing in system-config-printer, cups
starts broadcasting IPP packets on all available subnets.
Most users are unaware of this behaviour and might unknowingly send IPP messages
over insecure cable/ADSL lines.
Version-Release number of selected component (if applicable):
Relates to bug
This is a limitation of how CUPS's 'Share published printers connected to this
system' checkbox works on http://localhost:631/admin. system-config-printer
uses the same mechanism.
I'm not sure I see the difference between this bug and bug #220884. The default
"as-shipped" state is not to publish printers at all.
What default are you proposing to change?
220884 is an RFE, 220886 is a bug report.
IMHO, having cups broadcast IPP packets by default, without the user knowing
about it (or needing it), is both a security and a network traffic issue. (886).
I may be wrong, but accepting network requests (over IPP, lpr, samba, etc) is
radically different than having the cups send IPP packets to all available
sub-nets - especially if the host is also connected to the Internet over a
L2TP/PPTP DSL/cable line.
On the other hand, having a way to enable it when you need it, or disable it
when you don't need it without breaking the tool-chain (by editing the
cupsd.conf by hand) is an RFE (884).
We already avoid broadcasting IPP packets by default. You have to
explicitly enable shared queue publishing in the Server Settings.
So I don't see anything to change here.
Still seeing the same problem in F9.
By default, "Browsing" is enabled once you share a printer - causing cups to broadcast IPP packets.
Again, should system-config-printer have an opt-in option to enable broadcast once you enable sharing?
Immediately after installing F-9, only the 'Show printers shared by other systems' option is enabled.
The 'Share published printers connected to this system' option is not enabled. This is the option that controls whether, on the one hand, no local printers are accessible to the network, or on the other hand, all local printers marked as shared are accessible to the network and IPP broadcasts are made to advertise them on local network interfaces (i.e. 'BrowseAddress @LOCAL', all non-loopback network interfaces that do not have IFF_POINTOPOINT set).
There is no CUPS option in the http://localhost:631/admin interface to individually control the cupsd.conf 'BrowseAddress' directive, separately from the 'Port'/'Listen' directives.
It sounds like that's what you're asking for. I've filed this upstream as STR #3020.
Just for the archives.
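To check a host for the behaviour discussed in this thread, the following is an added example (not part of the bug report and not CUPS or system-config-printer code) that reads a cupsd.conf and reports whether it sends browse packets and whether it listens beyond loopback. It assumes a CUPS version that still has the 'BrowseAddress' directive, treats Browsing as On when the directive is absent, and ignores any other directive that may affect browsing; both sample configurations are constructed.

```python
import re

# Constructed sample (not from the bug report): a cupsd.conf as it might look
# after enabling 'Share published printers connected to this system'.
SAMPLE_SHARED = """\
Port 631
Listen /var/run/cups/cups.sock
Browsing On
BrowseAddress @LOCAL
"""

# Constructed sample: local-only listener, BrowseAddress commented out.
SAMPLE_QUIET = """\
Listen localhost:631
Listen /var/run/cups/cups.sock
Browsing On
# BrowseAddress @LOCAL
"""

LOOPBACK = re.compile(r"^(localhost|127\.\d+\.\d+\.\d+|\[::1\])(:\d+)?$", re.I)

def audit_cupsd_conf(text):
    """Report whether this cupsd.conf advertises printers and where it listens."""
    browsing_on = True  # assumption: Browsing counts as On when the directive is absent
    targets, listeners = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":      # skip comments and <Location> tags
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "browsing":
            browsing_on = value.lower() not in ("off", "no", "false")
        elif key == "browseaddress":
            targets.append(value)            # e.g. @LOCAL or a broadcast address
        elif key == "port":
            listeners.append(line)           # Port binds every interface
        elif key == "listen" and not value.startswith("/") and not LOOPBACK.match(value):
            listeners.append(line)           # TCP listener that is not loopback-only
    return {"browsing": browsing_on, "browse_targets": targets,
            "network_listeners": listeners,
            "broadcasts": browsing_on and bool(targets)}

if __name__ == "__main__":
    for name, conf in (("shared", SAMPLE_SHARED), ("quiet", SAMPLE_QUIET)):
        print(name, audit_cupsd_conf(conf))
```

A result with "broadcasts" true and a non-empty "network_listeners" list corresponds to the shared state described in the thread; removing the 'BrowseAddress' line by hand is the workaround the reporter wanted to avoid.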