On Wed, 28 Jun 2006, Johannes Meixner wrote:
> If hpiod/hpssd become full network accessible services
> (i.e. accessible from other IPs than 127.0.0.1),
> we (i.e. the distributors or at least Suse/Novell) have the
> problem that network accessible services must not run as root
> because of obvious security reasons.

This is easily done by having hpiod/hpssd always go in pairs, make hpiod localhost-only (in fact, IMO it should be using UNIX sockets instead of INET sockets to talk to hpssd -- they are much faster and less prone to abuse).

Hpssd can, and *does* run fine without root access since 0.9.10 or thereabouts. hpiod can be made to run *most* of its code without root too, but that depends on someone implementing a privsep layer on it as openssh does, or the distros doing something that gives it root-equivalent rights for the very few things it needs them for. Any takers? :-)

> Perhaps it is easiest to leave hpiod/hpssd running as root
> and keep it listening only on 127.0.0.1 and have an additional
> new hpproxy service which does not run as root and which
> listens on 0.0.0.0 on a fixed registered port? (There is no
> "hplip" at http://www.iana.org/assignments/port-numbers).

That would work as well. Make it a safe transport handler capable of using authenticated messages (probably best to just go with gnutls TLSv1 with both server and client certificates, always verifying both or facing the pain of using SASL), and you will be set.

But we are not there yet, there is no worry to waste much time discussing this right now.

> (e.g. check for allowed source IPs, do additional optional
> user authentication, check if data is valid, ...) because it

Since when is checking if data is valid *optional*? That should always be done by hpssd and hpiod every time they get untrustable data from anywhere, and I certainly include the printers here (who knows who really is behind IP 10.0.0.1 posing as a laserjet? :-p). And an "hpproxy" would have to do it as well to any hpproxy-only data, of course.

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
_______________________________________________
HPLIP-Devel mailing list
HPLIP-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/hplip-devel
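
The UNIX-socket suggestion in the message above, as an added example (not part of the original post and not HPLIP code): on Linux, a local daemon can restrict its socket file to its owner and check the connecting process's uid with `SO_PEERCRED`, neither of which is available on an INET socket bound to 127.0.0.1. The socket path and function names are hypothetical; `SO_PEERCRED` is Linux-specific.

```python
import os
import socket
import struct
import tempfile

UCRED = "iII"  # struct ucred on Linux: pid_t pid, uid_t uid, gid_t gid


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED))
    return struct.unpack(UCRED, raw)


def open_listener(path):
    """Bind a UNIX stream socket whose file only the owning user can open."""
    old_umask = os.umask(0o177)  # socket file is created with mode 0600
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv


def accept_authorized(srv, allowed_uids):
    """Accept one connection; close it unless the kernel-reported uid is allowed."""
    conn, _ = srv.accept()
    _pid, uid, _gid = peer_credentials(conn)
    if uid not in allowed_uids:
        conn.close()
        return None
    return conn


def demo():
    """Connect twice as the current user: once allowed, once not (constructed case)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hpiod.sock")  # hypothetical socket path
        srv = open_listener(path)
        accepted = []
        for allowed in ({os.getuid()}, {os.getuid() + 1}):
            cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            cli.connect(path)
            conn = accept_authorized(srv, allowed)
            accepted.append(conn is not None)
            if conn is not None:
                conn.close()
            cli.close()
        mode = os.stat(path).st_mode & 0o777
        srv.close()
        return accepted, mode
```

The uid comes from the kernel rather than from anything the client sends, so it cannot be forged by the peer; message contents still need validating separately.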