Bug 864522 - Reduce cupsd attack surface
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: cups
Version: 18
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Assigned To: Tim Waugh
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Blocks: 853068
Reported: 2012-10-09 09:51 EDT by Steve Grubb
Modified: 2013-03-07 11:50 EST
Fixed In Version: cups-1.6.1-9.fc19
Doc Type: Bug Fix
Last Closed: 2013-03-07 11:50:58 EST
Type: Bug


Description Steve Grubb 2012-10-09 09:51:47 EDT
Description of problem:
We would like to lower the attack surface of the OS. We would like to see the default configuration no longer listen on port 631. As I understand it, the desktop uses the af_unix socket for its printing. So this should not affect any desktop users. A lot of printers are networked these days so hopefully there is not much need to be a print server.

Separately, I am also wondering why the web interface is turned on by default? It seems like extra attack surface for a root running process.

Thanks.
Comment 1 Tim Waugh 2012-10-10 10:59:56 EDT
In the default configuration for cups-1.5.4-5.fc18 (containing "Listen localhost:631"), I only see TCP sockets bound to localhost:ipp:

$ netstat -tlp | grep -w ipp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 localhost:ipp           *:*                     LISTEN      -                   
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN      -                   

I'm pretty sure you had indicated that "Listen localhost:631" caused a socket bound to [::]:ipp.

Could you please re-test and verify?  Thanks.
Comment 2 Steve Grubb 2012-11-05 09:20:29 EST
Yes, it does appear to be local. What are your thoughts on disabling the web server interface by default? Thanks.
Comment 3 Tim Waugh 2012-11-06 11:06:40 EST
CUPS provides a way of just serving a stub page saying "this is not enabled" with instructions on how to enable the web interface.  How about if we try that in rawhide?

i.e. the result of "cupsctl WebInterface=no"
Comment 4 Tim Waugh 2012-11-19 12:17:51 EST
It turns out (see bug #878090) that the web interface is required in order to adjust server settings in system-config-printer.  This is because server settings adjustment is performed by first fetching cupsd.conf via HTTP GET, then making adjustments, and finally replacing the config file using HTTP PUT.
Comment 5 Steve Grubb 2013-03-07 11:50:58 EST
Closing this bug as all that can be done is done. Thanks for looking at it.
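
An added example, not part of the bug thread and not code from CUPS or Fedora: a static check of cupsd.conf for the two settings discussed above, Listen/Port directives that bind beyond loopback and the WebInterface setting. The sample configuration, the function names and the set of values treated as "enabled" are assumptions made for illustration; it complements the runtime netstat check in comment 1 rather than replacing it.

```python
import ipaddress

# Constructed sample, not a real system's cupsd.conf.
SAMPLE_CONF = """\
Listen localhost:631
Listen /var/run/cups/cups.sock
Listen [::1]:631
Listen 192.0.2.10:631   # constructed non-loopback address
Port 631
WebInterface Yes
<Location />
  Order allow,deny
</Location>
"""

def is_loopback(host):
    """True for 'localhost' or a loopback IP literal; '*' and other names are not."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit_cupsd_conf(text):
    """Return (exposed, web): non-loopback TCP listeners as (line number, directive),
    and the WebInterface setting (None when the directive is absent)."""
    exposed, web = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2 or line.startswith("<"):  # skip blanks and <Location> tags
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port":                            # Port N listens on every interface
            exposed.append((lineno, line))
        elif key == "listen" and not value.startswith("/"):  # "/" = AF_UNIX socket path
            if value.startswith("["):                # bracketed IPv6 literal, e.g. [::1]:631
                host = value[1:].split("]", 1)[0]
            else:
                host = value.rsplit(":", 1)[0]
            if not is_loopback(host):
                exposed.append((lineno, line))
        elif key == "webinterface":
            # Values this example treats as enabled (assumption).
            web = value.lower() in ("yes", "on", "true", "enabled")
    return exposed, web

if __name__ == "__main__":
    exposed, web = audit_cupsd_conf(SAMPLE_CONF)
    for lineno, directive in exposed:
        print(f"line {lineno}: reachable beyond loopback: {directive}")
    print("WebInterface:", {None: "not set", True: "enabled", False: "disabled"}[web])
```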
