CUPS and network security
CUPS, or Common Unix Printing System, is enabled by default in OS X and can be configured through a web interface. Just type 127.0.0.1:631 into your web browser to connect locally to your computer. The problem with this little convenience is that anyone else can do the same and get the same results. Now you see where this is going? Beyond possibly reprinting old documents, someone could reconfigure your print services, for good or for bad, and gather whatever personal information is revealed by the way you name your documents.

So my advice would be to disable CUPS if you are not printing anything on a public network. One way to do this is to kill the CUPS daemon from the Terminal. Just type ps ax | grep cupsd and then sudo kill -9 PID# (where PID# is the first number in the output of the ps command), and it's dead, Jim!

Another way is to use "Printer Setup Repair", a shareware app by Fixamac Software. It lets you turn CUPS on or off, or even keep it off after startup.

[robg adds: I'm going to use this hint to provide a hopefully better solution, along with a bit of information, on the CUPS web interface. By default, the CUPS web interface will indeed allow anyone on your local network to reach it ... but that's it. If anyone other than the local user clicks the Administration button, they'll get a 'Forbidden' response from the CUPS server. The same thing happens if they try to delete a printer you've set up, restart a printed job, or generally, do anything more than view a few pages. About the only security hole I could find is that a local user could see the list of jobs that you have printed, which includes the title of the job, the date it was printed, and the file size. But they cannot see the file itself, nor can they reprint it. In short, unless you're the local user, there's not a lot someone can do to the printers that you've installed yourself.

However, if the visibility of your jobs bothers you, you can prevent all access to the CUPS interface while still leaving the system itself running. In the Terminal, type:
 % cd /etc/cups
 % sudo vi cupsd.conf
Replace vi with the name of your favorite UNIX editor. Once in the file, search for Location and you should jump to somewhere around line 760 in the file. You should see something like:

<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From @LOCAL
</Location>
To prevent others from seeing your web admin interface, just add a # as the first character in the Allow From @LOCAL line and save the file. The # is a comment character, and it disables access for anyone other than the local user. You'll need to restart CUPS to have the changes take effect; the easiest way is to restart the machine (I'll leave it for others to describe the command-line solution). CUPS brings many benefits to the OS X print system, and it seems to me that this is a much better solution than just disabling it completely.]
CUPS and network security | 16 comments
CUPS and network security
Authored by: aaronfreimark on Dec 01, '03 11:49:48AM
There's a typo here -- the address to see CUPS is actually: http://127.0.0.1:631 (not 120...)

CUPS and network security
Authored by: TrNSZ on Dec 01, '03 12:12:43PM
Um, not a security hole the last I checked. TCP port 631 is never bound to the outside world. You can use netstat -ano to verify.

tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
Just the local computer itself is bound. This is only a problem if you are giving shell accounts to users on your box and you don't trust them, but there are still a lot of other ways they can gather information about you. Running a secure unix shell server, or a secure multiuser operating system of any type, is really an evolving challenge. Even OpenVMS has been hit with some security updates recently. But I wouldn't worry that much about this CUPS thing.

CUPS and network security
Authored by: robg on Dec 01, '03 01:07:09PM

When I tested this with my (completely stock) 10.3 install on my desktop Mac, my laptop could see the desktop machine's CUPS page -- I could see a list of every job that I'd printed right there on my laptop.

Once I made the change and removed LOCAL, then the laptop could no longer see the machine.

So I'm not sure I know exactly what you're saying, but the way my stock CUPS install works, anyone on the local network can see the CUPS page for any other local machine via http://that.machine.ip:631

-rob.

Location directive
Authored by: hayne on Dec 01, '03 04:14:18PM
This may be something that has changed between Jaguar and Panther. My stock cupsd.conf file on Jaguar has the following:
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Location>
I.e. there is no access from the local network. This may also be one of the things that gets preserved if you do an "upgrade" install.

Location directive
Authored by: robg on Dec 01, '03 06:44:30PM

Probably true -- all of my machines get clean installs on major dot upgrades. Much more of a pain in the butt, obviously, but generally worth it to make sure I see everything that a "new" install would get.

-rob.

CUPS and network security
Authored by: robg on Dec 01, '03 06:55:30PM

And just to clarify, I don't mean visible to the outside world. But it's clearly visible to the rest of the internal network ... and if that's a large segment at a university, that might be a cause for (very minor) concern.

-rob.

CUPS and network security
Authored by: monickels on Dec 01, '03 12:16:31PM

There's another typo: the file to edit should be cupsd.conf, not cupds.conf.

CUPS and network security
Authored by: djn1 on Dec 01, '03 12:21:29PM

To restart CUPS simply type the following in Terminal:

sudo killall -1 cupsd

As described here:

http://www.macosxhints.com/article.php?story=20021101062604548&query=cups+970

RootCertDuration?
Authored by: zacht on Dec 02, '03 09:36:13AM
I found the following in my cupsd.conf:

#
# RootCertDuration: How frequently the root certificate is regenerated.
# Defaults to 300 seconds.
#

RootCertDuration 43200
Should this be changed? It seems a little odd, but maybe it's not a big deal?

zach

CUPS and network security
Authored by: mstoops on Dec 02, '03 04:22:56PM

An alternate (and probably more proper) way to deal with port 631, if you're not using Printer Sharing, is to make sure it's turned off (System Preferences:Sharing:Services). This will tell the firewall to plug up port 631, and no one will be able to get through regardless. A little safer than mucking around in the config files.

As a corollary to this, if you know how to use the firewall from the command line (ipfw), you could let certain machines through to port 631 for administration purposes.

Obviously, more than one way to skin the cat.

And Yet Another Issue...
Authored by: EatingPie on Dec 02, '03 08:58:21PM

Cups respawns (restarts) even if you kill it via "kill -9 PID" as suggested in the hint.

Which leads to a question... how do you permanently disable cups?

---
-Pie
<http://www.storybytes.com>

Disable CUPS...
Authored by: gatorparrots on Dec 03, '03 01:43:12AM
Disabling CUPS is fairly simple:
cd /System/Library/StartupItems/PrintingServices/
sudo cp -p PrintingServices PrintingServices.default
sudo pico PrintingServices
add "exit 0" after the #!/bin/sh shebang line, so the script starts:
#!/bin/sh
exit 0
Ctrl+O to write out the file, Ctrl+X to exit pico.

How bout a TEMPORARY disable?
Authored by: EatingPie on Dec 05, '03 03:33:40PM

Your suggestion permanently disables CUPS. I'm looking for a command-line solution that kills it until I restart the computer or run it by hand (i.e., no editing of the startup script).


---
-Pie
<http://www.storybytes.com>

sudo /System/Library/StartupItems/PrintingServices/PrintingServices stop
Authored by: EatingPie on Dec 05, '03 03:40:11PM

Whelp I chased my tail to the point of even downloading and recompiling cups. But the solution was simple:


sudo /System/Library/StartupItems/PrintingServices/PrintingServices stop

---
-Pie

CUPS and network security
Authored by: everette on Dec 16, '03 10:13:20AM

So for those looking for a solution that does not disable CUPS, there is another option. You can edit /etc/cups/cupsd.conf as suggested, but change the following (tested in 10.3 only, but it should work in 10.2 or any CUPS).
Change:
<Location /admin>
#
# You definitely will want to limit access to the administration functions.
# The default configuration requires a local connection from a user who
# is a member of the system group to do any admin tasks. You can change
# the group name using the SystemGroup directive.
#

AuthType None
AuthClass Anonymous

## Restrict access to local domain
Order Deny,Allow
Deny From All
Allow From 127.0.0.1

#Encryption Required
</Location>
to:
<Location /admin>
## Require Password and Restrict to Users in admin group
AuthType Basic
AuthClass Group
AuthGroupName admin

## Restrict access to local domain
Order Deny,Allow
Deny From All
Allow From 127.0.0.1

</Location>
-----
This will effectively disable Printer Setup Utility except for setting the user's default printer. http://localhost:631 will still let folks in, but when you click on a button for an admin task a login dialog will appear (type in the name and password of an admin account to use it). Also, any user using lpadmin, enable, disable, etc. will be asked for a password. For some reason Printer Setup will not prompt for passwords, so you have to disable this location if you want to add printers. To disable it, put # in front of each of the lines you just changed and restart the printing subsystem.
An easy way to restart the printing subsystem is to type the following in Terminal:
sudo -s (and type admin password if asked)
SystemStarter stop PrintingServices
SystemStarter start PrintingServices

Also if you need to set a default printer as a user without Printer Setup you can try:
lpoptions -d printername
Where printername is replaced by the CUPS name of the printer you want (doing the same command under sudo should set the default system wide). To get the CUPS names of the printers and find the default printer use
lpstat -d -p
I hope these tips will help.

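Added example, not from the hint or from any of the comments: a POSIX shell script that audits a cupsd.conf for both settings discussed on this page, the Allow From @LOCAL line in <Location /> from the hint and the password-less <Location /admin> block from the comment above, and writes a copy with the @LOCAL line commented out the way robg describes. The sample config it embeds is constructed; point the functions at /etc/cups/cupsd.conf to check a real machine.

```shell
# Added example: audit a cupsd.conf for the two settings discussed above (config path in $1).
# Constructed sample mirroring the stock <Location /> from the hint and the open /admin block above.
write_sample_conf() {
    cat > "$1" <<'EOF'
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From @LOCAL
</Location>
<Location /admin>
AuthType None
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Location>
EOF
}
# Print the non-comment directives inside one <Location PATH> block ($2 is "/" or "/admin").
location_block() {
    awk -v want="$2" '
        /^[[:space:]]*<Location[[:space:]]/ { path = $2; sub(/>.*$/, "", path); inblock = (path == want); next }
        /^[[:space:]]*<\/Location>/ { inblock = 0 }
        inblock && !/^[[:space:]]*#/ && NF > 0 { print }' "$1"
}
# Returns 0 if <Location /> still grants the LAN (@LOCAL) access to the web interface.
root_allows_lan() {
    location_block "$1" / | grep -qi '^[[:space:]]*Allow[[:space:]]*From[[:space:]]*@LOCAL'
}
# Returns 0 if /admin is reachable without a password (AuthType None, or no AuthType at all).
admin_unauthenticated() {
    block=$(location_block "$1" /admin)
    echo "$block" | grep -qi '^[[:space:]]*AuthType[[:space:]]' || return 0
    echo "$block" | grep -qi '^[[:space:]]*AuthType[[:space:]]*None'
}
# Copy $1 to $2 with "Allow From @LOCAL" commented out inside <Location /> only (the edit robg describes).
harden_root_location() {
    awk '/^[[:space:]]*<Location[[:space:]]/ { path = $2; sub(/>.*$/, "", path); root = (path == "/") }
         /^[[:space:]]*<\/Location>/ { root = 0 }
         root && tolower($0) ~ /^[[:space:]]*allow[[:space:]]+from[[:space:]]+@local/ { print "#" $0; next }
         { print }' "$1" > "$2"
}
# Stand-alone demo on the constructed sample.
tmp=$(mktemp -d)
write_sample_conf "$tmp/cupsd.conf"
harden_root_location "$tmp/cupsd.conf" "$tmp/cupsd.conf.hardened"
root_allows_lan "$tmp/cupsd.conf.hardened" && echo "web UI still open to the LAN" || echo "web UI now 127.0.0.1 only"
admin_unauthenticated "$tmp/cupsd.conf.hardened" && echo "/admin still needs no password: set AuthType Basic / AuthClass Group"
```

The hardening step only touches the root Location block, so an /admin block that already requires Basic auth, as in the comment above, is left as is.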
CUPS and network security
Authored by: artemio on Feb 01, '05 06:35:49AM

In connection with this hint (which I found quite useful), after not using the web interface to manage printers for a while I've run into a weird and frustrating problem, namely when I try to perform an administrative task (changing a printer configuration, say) my user name and password are not recognized. Do you have any idea why this is so and, more importantly, how to correct this?

Thanks a lot,

Artemio Gonzalez
artemio@eresmas.net
