CUPS and network security

Dec 01, '03 09:45:00AM

Contributed by: mematron

CUPS, or Common Unix Printing System, is enabled by default in OS X and can be configured through a web interface. Just type in 127.0.0.1:631 in your web browser to connect locally to your computer. The problem with this little convenience is that anyone else can do the same and get the same results. Now you see where this is going? Basically what can be done beyond possibly reprinting old documents would be to reconfigure your print services either for good or for bad and get whatever personal information is revealed by the way you name your documents.

So my advice would be to disable CUPS if you are not printing anything on a public network. One way to do this is by killing the CUPS daemon from the terminal. Just type in ps ax | grep cupsd and then sudo kill -9 PID# (where PID# is the first number in the output of the ps command) and it's dead, Jim!

Another way would be to use "Printer Setup Repair", a shareware app by Fixamac Software. You can turn CUPS on/off or even choose for it to remain off after startup.

[robg adds: I'm going to use this hint to provide a hopefully better solution, along with a bit of information, on the CUPS web interface. By default, the CUPS web interface will indeed allow anyone on your local network to reach it ... but that's it. If anyone other than the local user clicks the Administration button, they'll get a 'Forbidden' response from the CUPS server. The same thing happens if they try to delete a printer you've set up, restart a printed job, or generally, do anything more than view a few pages. About the only security hole I could find is that a local user could see the list of jobs that you have printed, which includes the title of the job, the date it was printed, and the file size. But they cannot see the file itself, nor can they reprint it. In short, unless you're the local user, there's not a lot someone can do to the printers that you've installed yourself.

However, if the visibility of your jobs bothers you, you can prevent all access to the CUPS interface while still leaving the system itself running. In the Terminal, type:

 % cd /etc/cups
 % sudo vi cupsd.conf

Replace vi with the name of your favorite UNIX editor. Once in the file, search on Location and you should jump to somewhere around line 760 in the file. You should see something like:

<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From @LOCAL
</Location>

To prevent others from seeing your web admin interface, just add a # as the first character in the Allow From @LOCAL line and save the file. The # is a comment character, and it disables access for anyone other than the local user. You'll need to restart CUPS to have the changes take effect; the easiest way is to restart the machine (I'll leave it for others to describe the command-line solution). CUPS brings many benefits to the OS X print system, and it seems to me that this is a much better solution than just disabling it completely.]
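
An added example, not part of the original hint: a shell check that lists which active Allow lines inside the Location blocks of a cupsd.conf admit anything other than loopback, then writes a copy with the Allow From @LOCAL line commented out as described above. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit cupsd.conf Location blocks for non-loopback Allow rules.

# Print "<location path>: <Allow line>" for every active (uncommented) Allow
# directive inside a <Location> block that names anything other than loopback.
cups_remote_allows() {
    awk '
        /^[ \t]*#/            { next }                  # commented-out lines are inactive
        /^[ \t]*<Location /   { loc = $2; sub(/>$/, "", loc); next }
        /^[ \t]*<\/Location>/ { loc = ""; next }
        loc != "" && tolower($1) == "allow" {
            target = $NF                              # host, network or @LOCAL
            if (target != "127.0.0.1" && tolower(target) != "localhost")
                printf "%s: %s\n", loc, $0
        }
    ' "$1"
}

# Write a copy of file $1 to $2 with each active "Allow From @LOCAL" line
# commented out. The original file is left untouched.
cups_comment_local() {
    sed 's/^\([[:space:]]*\)\(Allow[[:space:]][[:space:]]*From[[:space:]][[:space:]]*@LOCAL\)/\1#\2/' \
        "$1" > "$2"
}

# Constructed sample: the <Location /> block as shown in the hint.
demo_dir=$(mktemp -d)
cat > "$demo_dir/cupsd.conf" <<'EOF'
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From @LOCAL
</Location>
EOF

echo "Non-loopback Allow rules before the change:"
cups_remote_allows "$demo_dir/cupsd.conf"

cups_comment_local "$demo_dir/cupsd.conf" "$demo_dir/cupsd.conf.new"

echo "Non-loopback Allow rules after the change:"
cups_remote_allows "$demo_dir/cupsd.conf.new"
```

To check a real system, run cups_remote_allows against /etc/cups/cupsd.conf; the edited copy still has to be put in place with sudo and CUPS restarted before it takes effect.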

Mac OS X Hints
http://hints.macworld.com/article.php?story=20031124044732910