Bug 864522 - Reduce cupsd attack surface
Summary: Reduce cupsd attack surface
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: cups
Version: 18
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 853068
Reported: 2012-10-09 13:51 UTC by Steve Grubb
Modified: 2013-03-07 16:50 UTC (History)

Fixed In Version: cups-1.6.1-9.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-07 16:50:58 UTC
Type: Bug
Embargoed:



Description Steve Grubb 2012-10-09 13:51:47 UTC
Description of problem:
We would like to lower the attack surface of the OS. We would like to see the default configuration no longer listen on port 631. As I understand it, the desktop uses the af_unix socket for its printing. So this should not affect any desktop users. A lot of printers are networked these days so hopefully there is not much need to be a print server.

Separately, I am also wondering why the web interface is turned on by default? It seems like extra attack surface for a root running process.

Thanks.

Comment 1 Tim Waugh 2012-10-10 14:59:56 UTC
In the default configuration for cups-1.5.4-5.fc18 (containing "Listen localhost:631"), I only see TCP sockets bound to localhost:ipp:

$ netstat -tlp | grep -w ipp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 localhost:ipp           *:*                     LISTEN      -                   
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN      -                   

I'm pretty sure you had indicated that "Listen localhost:631" caused a socket bound to [::]:ipp.

Could you please re-test and verify?  Thanks.
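The check Tim Waugh ran above can be turned into a repeatable audit. The following shell functions are an added example, not part of the bug report or of the cups package: they read `netstat -tl`-style output and report any LISTEN socket on ipp/631 that is bound to something other than a loopback address. The two sample outputs are constructed to mirror the format quoted in comment 1 (the wildcard-bound variant is invented to exercise the check).

```shell
#!/bin/sh
# Added example (not from the bug report): flag IPP listeners that are
# reachable from the network. Input is netstat -tl (or -tln) output.

# Constructed sample: loopback-only listeners, the state comment 1 observed
SAMPLE_LOCAL='tcp        0      0 localhost:ipp           *:*                     LISTEN      -
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN      -'

# Constructed sample: wildcard listeners, the state the report wanted to avoid
SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:ipp             *:*                     LISTEN      -
tcp6       0      0 [::]:ipp                [::]:*                  LISTEN      -'

# ipp_exposed_listeners: print the local address of every LISTEN socket on
# port ipp/631 whose host part is not a loopback address. Reads stdin.
ipp_exposed_listeners() {
    awk '$6 == "LISTEN" {
        addr = $4
        # the port is everything after the last ":"; the host is the rest
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port != "ipp" && port != "631") next
        if (host == "localhost" || host == "127.0.0.1" || \
            host == "[::1]" || host == "::1" || host == "ip6-localhost") next
        print addr
    }'
}

# ipp_status: summarise a netstat dump as "local-only" or "exposed"
ipp_status() {
    if [ -z "$(printf '%s\n' "$1" | ipp_exposed_listeners)" ]; then
        echo local-only
    else
        echo exposed
    fi
}

# Stand-alone demonstration on the constructed samples
ipp_status "$SAMPLE_LOCAL"
ipp_status "$SAMPLE_EXPOSED"
```

On a live host, `netstat -tl | ipp_exposed_listeners` (as root, so process names resolve) prints nothing when cupsd is bound only to localhost; any line it does print is a listener worth explaining.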

Comment 2 Steve Grubb 2012-11-05 14:20:29 UTC
Yes, it does appear to be local. What are your thoughts on disabling the web server interface by default? Thanks.

Comment 3 Tim Waugh 2012-11-06 16:06:40 UTC
CUPS provides a way of just serving a stub page saying "this is not enabled" with instructions on how to enable the web interface.  How about if we try that in rawhide?

i.e. the result of "cupsctl WebInterface=no"

Comment 4 Tim Waugh 2012-11-19 17:17:51 UTC
It turns out (see bug #878090) that the web interface is required in order to adjust server settings in system-config-printer.  This is because server settings adjustment is performed by first fetching cupsd.conf via HTTP GET, then making adjustments, and finally replacing the config file using HTTP PUT.
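Comments 1 through 4 turn on two cupsd.conf settings: where cupsd listens and whether the web interface (the `WebInterface` directive that `cupsctl WebInterface=no` flips) is enabled. The functions below are an added example, not code from the bug report or from cups, that read a cupsd.conf text and report both. The two configurations are constructed for illustration and are not Fedora's shipped file.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the listen scope and the
# WebInterface setting of a cupsd.conf given as a string.

# Constructed: the shape of the localhost-only default described in comment 1
CONF_DEFAULT='LogLevel warn
Listen localhost:631
Listen /var/run/cups/cups.sock
WebInterface Yes
Browsing Off'

# Constructed: a print server bound to all interfaces with the web UI disabled
CONF_SERVER='Port 631
Listen /var/run/cups/cups.sock
WebInterface No'

# cups_listen_scope: print "local" when every TCP listener is a loopback
# address or a domain socket, otherwise "network".
cups_listen_scope() {
    printf '%s\n' "$1" | awk '
        BEGIN { scope = "local" }
        /^[ \t]*#/ { next }                      # skip comments
        $1 == "Port" { scope = "network" }      # Port binds all interfaces
        $1 == "Listen" {
            if ($2 ~ /^\//) next                 # domain socket: not remotely reachable
            n = split($2, p, ":")
            host = (n > 1) ? substr($2, 1, length($2) - length(p[n]) - 1) : $2
            if (host != "localhost" && host != "127.0.0.1" && \
                host != "[::1]" && host != "::1")
                scope = "network"
        }
        END { print scope }'
}

# cups_web_interface: print the WebInterface value in lower case; treated as
# "yes" when the directive is absent, the default-on state the report describes.
cups_web_interface() {
    printf '%s\n' "$1" | awk '
        BEGIN { v = "yes" }
        /^[ \t]*#/ { next }
        $1 == "WebInterface" { v = tolower($2) }
        END { print v }'
}

# Stand-alone demonstration on the constructed configurations
for conf in "$CONF_DEFAULT" "$CONF_SERVER"; do
    echo "listen scope: $(cups_listen_scope "$conf"), web interface: $(cups_web_interface "$conf")"
done
```

Against a real file, `cups_listen_scope "$(cat /etc/cups/cupsd.conf)"` gives the same answer the netstat check in comment 1 gives at runtime, but from the configuration alone. Note the trade-off comment 4 records: a "no" from `cups_web_interface` also means system-config-printer's server-settings dialog, which fetches and replaces cupsd.conf over HTTP, will not work.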

Comment 5 Steve Grubb 2013-03-07 16:50:58 UTC
Closing this bug as all that can be done is done. Thanks for looking at it.

