On Fri, Apr 13, 2007 at 04:14:47PM -0400, Matt Anderson wrote:
> Tim Waugh wrote:
> > Something that occurred to me today is that for LSPP, CUPS should be
> > configured to restrict the IPP notification operations:
> >
> > Create-Subscription
> > Renew-Subscription
> > Get-Notifications

Are you sure about the name? The config file refers to
"Create-Job-Subscription" not "Create-Subscription".

> > Otherwise, information about jobs and printers can be discovered. The
> > way subscriptions work is that an IPP connection to the local
> > CUPS server is made, and a 'Create-Subscription' operation sets up the
> > list of events to notify me of. Then, later, a 'Get-Notifications'
> > operation retrieves a list of events such as job-created, printer-added.
> > These events carry information such as job IDs, job names etc.
>
> Thanks for bringing this up Tim.
>
> Are these the config file lines you were thinking we needed?
>
> <Limit Create-Subscription Renew-Subscription Get-Notifications>
> AuthType Basic
> Require user @SYSTEM
> Order deny,allow
> </Limit>
>
> I added that to my system and the server parsed the config file,
> accepted the options and was able to start, but I'm not sure how to test
> the attack you are describing. I get the feeling this would require a
> custom client.

I've made this change in the config file - since there were already
settings for the items you mention mixed with other permissions, I
separated those out. Note that the original config file uses
"Create-Job-Subscription", not "Create-Subscription" as in your example,
and I'm using that below, and adding "Cancel-Subscription" for
consistency.

The 'sed' approach was getting unmanageable; I now just import a static
file instead of modifying the existing one in the script.

For reference, below are the changes between the default shipped
cupsd.conf and the one currently set up by the evaluated config. Please
have a look to see if that matches what you expect.

-Klaus

--- /etc/cups/cupsd.conf-20070322-0930 2007-03-21 09:40:04.000000000 -0500
+++ /etc/cups/cupsd.conf 2007-03-23 12:08:14.000000000 -0500
@@ -1,10 +1,11 @@
-#
-# "$Id: cupsd.conf.in 5454 2006-04-23 21:46:38Z mike $"
+# cupsd.conf
#
# Sample configuration file for the Common UNIX Printing System (CUPS)
# scheduler. See "man cupsd.conf" for a complete description of this
# file.
#
+# Configuration modified for LSPP compliant operation
+#
MaxLogSize 2000000000
# Log general information in error_log - change "info" to "debug" for
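Review bot: Dropping the "$Id: cupsd.conf.in 5454 ..." line at the top of the file removes the only record of which shipped template this static file was derived from. Since the file is now imported whole rather than patched with sed, consider keeping a "derived from cupsd.conf.in 5454" comment next to the new "Configuration modified for LSPP compliant operation" line so a later package update can be diffed against the right base.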
@@ -13,13 +14,27 @@
# Administrator user group...
SystemGroup sys root
+User lp
+Group lp
+
+#Classification selinux # Use the whole SELinux context as the job label
+#Classification te # Use the type as the label
+#Classification mls # Use the range as the label
+Classification mls
+
+# Allow users to override banners with job-sheets=none,none
+# set to No users can still override one banner (e.g. job-sheets=mls,none)
+ClassifyOverride No
-# Only listen for connections from the local machine.
-Listen localhost:631
+# Print the label at the top and bottom of each page
+#PerPageLabels Yes
+
+# MUST disable TCP port in LSPP mode, use socket only
+#Listen localhost:631
Listen /var/run/cups/cups.sock
-# Show shared printers on the local network.
-Browsing On
+# No browsing in LSPP mode
+Browsing Off
BrowseOrder allow,deny
# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.)
BrowseAllow @LOCAL
@@ -51,11 +66,17 @@
# Set the default printer/job policies...
<Policy default>
# Job-related operations must be done by the owner or an adminstrator...
- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs
Set-Job-Attributes Create-Job-Subscription Renew-Subscription
Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job
Suspend-Current-Job Resume-Job CUPS-Move-Job>
+ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs
Set-Job-Attributes Reprocess-Job Cancel-Current-Job Suspend-Current-Job
Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
+ <Limit Create-Job-Subscription Cancel-Subscription Renew-Subscription
Get-Notifications>
+ AuthType Basic
+ Require user @SYSTEM
+ Order deny,allow
+ </Limit>
+
# All administration operations require an adminstrator to authenticate...
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer
Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs
Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer
Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After
CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class
CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
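Review bot: The new <Limit Create-Job-Subscription Cancel-Subscription Renew-Subscription Get-Notifications> block names only the job form of subscription creation, and no printer-level subscription operation appears in any of the <Limit> blocks shown in this hunk. The concern raised in the thread includes printer events such as printer-added, so please confirm which block governs printer subscriptions and add that operation here if it is not already restricted to @SYSTEM.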
@@ -65,6 +86,7 @@
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
+ AuthType Basic
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
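Review bot: "AuthType Basic" is added to the <Limit Cancel-Job CUPS-Authenticate-Job> block here, but the larger job-operations block in the previous hunk (Send-Document ... CUPS-Move-Job) carries the same "Require user @OWNER @SYSTEM" and still has no AuthType line. Either add it there as well or note why only this block needs it, so the two @OWNER checks are authenticated the same way.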
@@ -75,5 +97,4 @@
</Policy>
#
-# End of "$Id: cupsd.conf.in 5454 2006-04-23 21:46:38Z mike $".
-#
+# End of cupsd.conf
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
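
An added example, not part of the original message or of CUPS itself: a small audit that parses cupsd.conf text and reports any of the four subscription operations discussed above that is not restricted to @SYSTEM with an AuthType. The function names and the two sample fragments are constructed for illustration; the script assumes '#' always starts a comment and checks every <Limit> block regardless of which policy it sits in.

```python
import re

SUBSCRIPTION_OPS = ("Create-Job-Subscription", "Renew-Subscription",
                    "Cancel-Subscription", "Get-Notifications")
LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.S | re.I)

def parse_limits(text):
    """Map each operation to the directives of every <Limit> block naming it."""
    limits = {}
    for ops, body in LIMIT_RE.findall(text):
        directives = {}
        for line in filter(None, map(str.strip, body.splitlines())):
            key, _, value = line.partition(" ")
            directives.setdefault(key.lower(), []).append(" ".join(value.split()))
        for op in ops.split():  # the operation list may wrap across lines
            limits.setdefault(op, []).append(directives)
    return limits

def audit(conf_text):
    """Return findings; an empty list means subscriptions are admin-only."""
    text = re.sub(r"#.*", "", conf_text)  # assumption: '#' always starts a comment
    limits, findings = parse_limits(text), []
    for op in SUBSCRIPTION_OPS:
        blocks = limits.get(op, [])
        if not blocks:
            findings.append(f"{op}: not named in any <Limit> block")
        for d in blocks:
            if d.get("require") != ["user @SYSTEM"]:
                findings.append(f"{op}: Require is {d.get('require')}")
            if "authtype" not in d:
                findings.append(f"{op}: no AuthType in its <Limit> block")
    return findings

# Constructed fragments, abridged from the diff in this message.
SHIPPED = """<Limit Send-Document Create-Job-Subscription Renew-Subscription
 Cancel-Subscription Get-Notifications CUPS-Move-Job>
Require user @OWNER @SYSTEM
</Limit>"""
LSPP = """<Limit Create-Job-Subscription Cancel-Subscription Renew-Subscription Get-Notifications>
AuthType Basic
Require user @SYSTEM
</Limit>"""

if __name__ == "__main__":
    for name, conf in (("shipped", SHIPPED), ("lspp", LSPP)):
        print(name, audit(conf) or "OK")
```

Run against a block that uses the name "Create-Subscription", the audit reports Create-Job-Subscription as not covered, which is the naming mismatch pointed out in the reply above.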