CUPS and network security
Authored by: TrNSZ on Dec 01, '03 12:12:43PM
Um, not a security hole the last I checked. TCP port 631 is never bound to the outside world. You can use netstat -ano to verify.

tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
Just the local computer itself is bound. This is only a problem if you are giving shell accounts to users on your box and you don't trust them, but there are still a lot of other ways they can gather information about you. Running a secure unix shell server, or a secure multiuser operating system of any type, is really an evolving challenge. Even OpenVMS has been hit with some security updates recently. But I wouldn't worry that much about this CUPS thing.

[ Reply to This | # ]
CUPS and network security
Authored by: robg on Dec 01, '03 01:07:09PM

When I tested this with my (completely stock) 10.3 install on my desktop Mac, my laptop could see the desktop machine's CUPS page -- I could see a list of every job that I'd printed right there on my laptop.

Once I made the change and removed LOCAL, then the laptop could no longer see the machine.

So I'm not sure I know exactly what you're saying, but the way my stock CUPS install works, anyone on the local network can see the CUPS page for any other local machine via http://that.machine.ip:631

-rob.



[ Reply to This | # ]
Location directive
Authored by: hayne on Dec 01, '03 04:14:18PM
This may be something that has changed between Jaguar and Panther. My stock cupsd.conf file on Jaguar has the following:
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
</Location>
I.e. there is no access from the local network. This may also be one of the things that gets preserved if you do an "upgrade" install.

[ Reply to This | # ]
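
An added example, not part of any comment in this thread and not CUPS project code: a small audit of a cupsd.conf for the two settings the discussion turns on, the listener address (the netstat line above) and the Allow rules inside Location blocks (the snippet above and the LOCAL entry mentioned earlier). The sample config is constructed, and as a simplifying assumption the check ignores Order precedence and flags any Allow that is not loopback.

```python
import ipaddress
import re

# Constructed sample (not from the thread): the Location block quoted above
# plus an "Allow From @LOCAL" line and a Port directive, assumed for illustration.
SAMPLE_CONF = """\
Port 631
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From @LOCAL
</Location>
"""

def is_loopback(token):
    """True if a host token names only this machine."""
    host = token.strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # host names, @LOCAL, wildcards, subnets

def audit(conf_text):
    """List listeners and Allow rules that reach beyond loopback."""
    findings, location = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if m := re.match(r"<Location\s+(\S+)>$", line, re.I):
            location = m.group(1)
        elif line.lower() == "</location>":
            location = None
        elif re.match(r"Port\s+\d+$", line, re.I):
            # Port binds every interface, unlike Listen 127.0.0.1:631
            findings.append(f"all interfaces: {line}")
        elif m := re.match(r"Listen\s+([^/\s]\S*):\d+$", line, re.I):
            if not is_loopback(m.group(1)):
                findings.append(f"non-loopback listener: {line}")
        elif location and (m := re.match(r"Allow\s+(?:From\s+)?(\S+)$", line, re.I)):
            if not is_loopback(m.group(1)):
                findings.append(f"<Location {location}> admits {m.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

An empty result means the file only listens on, and only admits, loopback addresses; confirm the running state with netstat as well, since cupsd must be restarted to pick up changes.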
Location directive
Authored by: robg on Dec 01, '03 06:44:30PM

Probably true -- all of my machines get clean installs on major dot upgrades. Much more of a pain in the butt, obviously, but generally worth it to make sure I see everything that a "new" install would get.

-rob.



[ Reply to This | # ]
CUPS and network security
Authored by: robg on Dec 01, '03 06:55:30PM

And just to clarify, I don't mean visible to the outside world. But it's clearly visible to the rest of the internal network ... and if that's a large segment at a university, that might be a cause for (very minor) concern.

-rob.



[ Reply to This | # ]