Red Hat Bugzilla – Bug 864522
Reduce cupsd attack surface
Last modified: 2013-03-07 11:50:58 EST
Description of problem:
We would like to lower the attack surface of the OS. We would like to see the default configuration no longer listen on port 631. As I understand it, the desktop uses the af_unix socket for its printing. So this should not affect any desktop users. A lot of printers are networked these days so hopefully there is not much need to be a print server.
Separately, I am also wondering why the web interface is turned on by default? It seems like extra attack surface for a root running process.
In the default configuration for cups-1.5.4-5.fc18 (containing "Listen localhost:631"), I only see TCP sockets bound to localhost:ipp:
$ netstat -tlp | grep -w ipp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 localhost:ipp *:* LISTEN -
tcp6 0 0 localhost:ipp [::]:* LISTEN -
I'm pretty sure you had indicated that "Listen localhost:631" caused a socket bound to [::]:ipp.
Could you please re-test and verify? Thanks.
Yes, it does appear to be local. What are your thoughts on disabling the web server interface by default? Thanks.
CUPS provides a way of just serving a stub page saying "this is not enabled" with instructions on how to enable the web interface. How about if we try that in rawhide?
i.e. the result of "cupsctl WebInterface=no"
It turns out (see bug #878090) that the web interface is required in order to adjust server settings in system-config-printer. This is because server settings adjustment is performed by first fetching cupsd.conf via HTTP GET, then making adjustments, and finally replacing the config file using HTTP PUT.
Closing this bug as all that can be done is done. Thanks for looking at it.
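The two hardening points discussed in this bug (bind cupsd to loopback only, and decide deliberately whether the web interface stays on) can be checked on a host without touching its configuration. The following audit script is an added example, not code from this bug or from the CUPS project. It reads a cupsd.conf, flags any "Listen" or "Port" directive that binds beyond localhost or the local socket, and reports whether "WebInterface" is enabled, since comment 18 shows system-config-printer's server-settings dialog depends on it. The sample configurations in the test are constructed; the function names and the assumption that directives use their canonical capitalization are this example's own.

```shell
#!/bin/sh
# Added audit helper for the two cupsd attack-surface points discussed above.
# Not from the bug thread or the CUPS project. Read-only: it changes nothing.
# Usage: sh cups_audit.sh /etc/cups/cupsd.conf
# Exit status of audit_cupsd_conf is the number of findings (0 = clean).
# Assumption (this example's own): directives are written as "Listen", "Port",
# "WebInterface"; values are taken verbatim from the file.

set -f   # no globbing: a value such as "*:631" must stay literal

# listen_is_local VALUE -> 0 if VALUE binds only loopback or a local socket
listen_is_local() {
    case "$1" in
        localhost:*|127.0.0.1:*|\[::1\]:*|/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cupsd_conf FILE -> prints one line per finding, returns finding count
audit_cupsd_conf() {
    conf=$1
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop trailing comments
        set -- $line              # split into directive and value
        [ $# -ge 2 ] || continue
        key=$1
        value=$2
        case "$key" in
            Listen)
                if ! listen_is_local "$value"; then
                    echo "Listen $value: binds beyond loopback"
                    findings=$((findings + 1))
                fi ;;
            Port)
                # "Port N" listens on every address, not just localhost
                echo "Port $value: binds all interfaces on port $value"
                findings=$((findings + 1)) ;;
            WebInterface)
                case "$value" in
                    [Yy]es|[Oo]n|[Tt]rue|1)
                        echo "WebInterface $value: web UI enabled (system-config-printer server settings need it)"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$conf"
    return $findings
}

# Run against a file when one is given on the command line.
if [ $# -ge 1 ]; then
    audit_cupsd_conf "$1"
fi
```

The script only flags; it does not rewrite cupsd.conf, because whether "WebInterface" may be turned off depends on whether system-config-printer's server-settings dialog is in use on that host. Pair it with the socket check from comment 7 ("netstat -tlp | grep -w ipp") to confirm what cupsd actually bound.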