Bug#755807: CUPS listens on *all* interfaces per default when installed on machines using systemd
Hi!

On Thu, 2014-07-24 at 22:06 +0200, Didier 'OdyX' Raboud wrote:
> For the record, I disagree with the severity and the security tag, but
> will focus on fixing this bug. :)

Thanks! I suppose the severity might have been a little overrated, but I get a bit nervous when one of my desktop machines suddenly shows up on one of my regular nmap runs.

Anyway, cups 1.7.4-4 just migrated to testing and I can happily report that everything now works as intended both on new installations and on upgrades. Thank you very much for your work!

Best regards

Alexander Kurtz
Bug#755807: CUPS listens on *all* interfaces per default when installed on machines using systemd
Control: forcemerge -1 751370
Control: tags -1 +confirmed +patch

Hi Alexander,

Thanks for this bug, which was already reported by Brian Potkin as #751370 and pending action from me.

On Wednesday, 23 July 2014, 15.35:56 Alexander Kurtz wrote:
> Package: cups-daemon
> Version: 1.7.4-1
> Severity: serious
> Justification: Information leak and possible security vulnerability
> Tags: security

For the record, I disagree with the severity and the security tag, but will focus on fixing this bug. :)

> installing (not upgrading!) the cups-daemon package on a machine using
> systemd as PID 1 creates the /etc/cups/cupsd-systemd-listen.conf file
> like this:
>
>     [Socket]
>     ListenStream=0.0.0.0:631
>     ListenStream=[::]:631
>
> As this file gets symlinked from the /etc/systemd/system/cups.socket.d/
> directory, this means that systemd will listen on *all* interfaces and
> hand the incoming connections to CUPS.

That's a mistake indeed, a typo leftover from initial development work.

> Admittedly, CUPS still enforces its own access limitations set in
> /etc/cups/cupsd.conf, but only after initially accepting the connection.
> It will then respond with a HTTP 403 (Forbidden) error page, confirming
> that there is indeed a CUPS daemon running and leaking (at least) its
> version number and the system locale.

I disagree that this constitutes a serious leak though, but as said, will focus on fixing this.

> The result is, that because of problem #2, /etc/cups/cupsd.conf will
> never actually be parsed on new installations. Instead the incorrect
> fallback configuration will be used (problem #3). And because of
> problem #1, this will never be corrected, even when the package is
> updated or reinstalled.

This implies that fixing #3 to have the correct default and #1 to let it go if the systemd configuration file has ListenStream=0.0.0.0 while cupsd.conf has Listen localhost* (as it has by default).

A tested patch that does this is attached, I'll upload this later tomorrow.
Cheers, OdyXcommit 12a1e3786b3746339cc671054e2fcc99e9a0ef88 Author: Didier Raboud o...@debian.org Date: Thu Jul 24 22:02:16 2014 +0200 Correct default listening address used under systemd for new installations; also correct the discrepancy on upgrades Closes: #755807 diff --git a/debian/cups-daemon.preinst b/debian/cups-daemon.preinst index 0d0a711..63087f0 100644 --- a/debian/cups-daemon.preinst +++ b/debian/cups-daemon.preinst @@ -10,10 +10,12 @@ install|upgrade) mv /etc/cups/cupsd.conf /etc/cups/cupsd.conf.conffile-bak fi -# If file doesn't exist or if it has two conflicting stanzas +# If file doesn't exist, has two conflicting stanzas or has a listen-to-all while cupsd.conf says it should 'listen-to-localhost' if [ ! -f /etc/cups/cupsd-systemd-listen.conf ] || \ ( grep -q '^ListenStream=0.0.0.0:' /etc/cups/cupsd-systemd-listen.conf 2/dev/null \ - grep -q '^ListenStream=127.0.0.1:' /etc/cups/cupsd-systemd-listen.conf 2/dev/null ) ;\ + grep -q '^ListenStream=127.0.0.1:' /etc/cups/cupsd-systemd-listen.conf 2/dev/null ) || + ( grep -q '^ListenStream=0.0.0.0:' /etc/cups/cupsd-systemd-listen.conf 2/dev/null \ + grep -q '^\s*Listen localhost:' /etc/cups/cupsd.conf 2/dev/null );\ then mkdir -p /etc/cups cat /etc/cups/cupsd-systemd-listen.conf EOF @@ -43,8 +45,8 @@ EOF else cat /etc/cups/cupsd-systemd-listen.conf EOF # Matches the default 'Listen localhost:631' from cupsd.conf.default -ListenStream=0.0.0.0:631 -ListenStream=[::]:631 +ListenStream=127.0.0.1:631 +ListenStream=[::1]:631 EOF fi fi
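Review bot: In the first hunk of debian/cups-daemon.preinst, the new third clause only tests for the IPv4 wildcard ('^ListenStream=0.0.0.0:'), so a cupsd-systemd-listen.conf whose only wildcard entry is ListenStream=[::]: would not be regenerated even when cupsd.conf says 'Listen localhost:'; consider matching either wildcard form. The clause also keys only on the literal 'Listen localhost:' stanza, which fits the comment's stated intent but leaves a cupsd.conf that spells the loopback address numerically uncovered, so it is worth saying in the comment that only the default stanza is handled. Style: the added line ends in a bare '||' while the neighbouring continuation lines end in '\', and the new comment line is long enough to be worth wrapping. In the second hunk the fallback now matches the comment above it ('Listen localhost:631'), no further remarks there.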
Processed: Re: Bug#755807: CUPS listens on *all* interfaces per default when installed on machines using systemd
Processing control commands:

> forcemerge -1 751370
Bug #755807 [cups-daemon] CUPS listens on *all* interfaces per default when installed on machines using systemd
Bug #751370 [cups-daemon] cups-daemon: Matching 'Listen localhost:631' from cupsd.conf.default
Severity set to 'serious' from 'normal'
Marked as found in versions cups/1.7.4-1.
Added tag(s) security.
Merged 751370 755807
> tags -1 +confirmed +patch
Bug #755807 [cups-daemon] CUPS listens on *all* interfaces per default when installed on machines using systemd
Bug #751370 [cups-daemon] cups-daemon: Matching 'Listen localhost:631' from cupsd.conf.default
Added tag(s) confirmed.
Added tag(s) confirmed.
Bug #755807 [cups-daemon] CUPS listens on *all* interfaces per default when installed on machines using systemd
Bug #751370 [cups-daemon] cups-daemon: Matching 'Listen localhost:631' from cupsd.conf.default
Added tag(s) patch.
Added tag(s) patch.

--
751370: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751370
755807: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755807
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#755807: CUPS listens on *all* interfaces per default when installed on machines using systemd
Package: cups-daemon
Version: 1.7.4-1
Severity: serious
Justification: Information leak and possible security vulnerability
Tags: security

Hi,

installing (not upgrading!) the cups-daemon package on a machine using systemd as PID 1 creates the /etc/cups/cupsd-systemd-listen.conf file like this:

    [Socket]
    # This file was generated by CUPS and _WILL_ be deleted or overwritten by it!
    # It has to be kept in sync with the Port and Listen stanzas in /etc/cups/cupsd.conf
    # It is by default symlinked as cups-listen.conf in the
    # /etc/systemd/system/cups.socket.d/ directory. Remove the symlink
    # and write your own file there if you don't want this. See systemd.socket(5).
    # Matches the default 'Listen localhost:631' from cupsd.conf.default
    ListenStream=0.0.0.0:631
    ListenStream=[::]:631

As this file gets symlinked from the /etc/systemd/system/cups.socket.d/ directory, this means that systemd will listen on *all* interfaces and hand the incoming connections to CUPS.

Admittedly, CUPS still enforces its own access limitations set in /etc/cups/cupsd.conf, but only after initially accepting the connection. It will then respond with a HTTP 403 (Forbidden) error page, confirming that there is indeed a CUPS daemon running and leaking (at least) its version number and the system locale.

Best regards

Alexander Kurtz
Bug#755807: CUPS listens on *all* interfaces per default when installed on machines using systemd
Hi,

After looking over cups-daemon's preinst script which generates the cupsd-systemd-listen.conf file, I think I found the problem(s):

    #!/bin/sh

    set -e


    case "$1" in
        install|upgrade)
            if dpkg --compare-versions "$2" le "1.6.1" && [ -e /etc/cups/cupsd.conf ]; then
                # Move cupsd.conf away as it becomes a non-conffile
                mv /etc/cups/cupsd.conf /etc/cups/cupsd.conf.conffile-bak
            fi

            # If file doesn't exist or if it has two conflicting stanzas
            if [ ! -f /etc/cups/cupsd-systemd-listen.conf ] || \
               ( grep -q '^ListenStream=0.0.0.0:' /etc/cups/cupsd-systemd-listen.conf 2>/dev/null && \
                 grep -q '^ListenStream=127.0.0.1:' /etc/cups/cupsd-systemd-listen.conf 2>/dev/null ) ;\
            then

This is problem #1. This means that /etc/cups/cupsd-systemd-listen.conf will not be regenerated if it already exists unless there are conflicting stanzas. While this is generally a good idea for configuration files, it also means that an incorrect file will never be corrected.

                mkdir -p /etc/cups
                cat > /etc/cups/cupsd-systemd-listen.conf << EOF
    [Socket]
    # This file was generated by CUPS and _WILL_ be deleted or overwritten by it!
    # It has to be kept in sync with the Port and Listen stanzas in /etc/cups/cupsd.conf
    # It is by default symlinked as cups-listen.conf in the
    # /etc/systemd/system/cups.socket.d/ directory. Remove the symlink
    # and write your own file there if you don't want this. See systemd.socket(5).
    EOF
                if [ -e /etc/cups/cupsd.conf ]; then

This is problem #2. This means that the /etc/cups/cupsd.conf file will only be parsed if it exists. However, this is the *pre*inst script, meaning that this check will always fail on new installations since the package isn't unpacked yet when this runs. [0]

                    if grep -q '^\s*Port' /etc/cups/cupsd.conf 2>/dev/null; then
                        localport=`grep '^\s*Port' /etc/cups/cupsd.conf | head -n1 | sed -e 's/.*Port \([[:digit:]]*\)$/\1/'`
                        cat >> /etc/cups/cupsd-systemd-listen.conf << EOF
    # Matches 'Port $localport' from cupsd.conf
    ListenStream=0.0.0.0:$localport
    ListenStream=[::]:$localport
    EOF
                    elif grep -q '^\s*Listen localhost:' /etc/cups/cupsd.conf 2>/dev/null; then
                        localport=`grep '^\s*Listen localhost:' /etc/cups/cupsd.conf | head -n1 | sed -e 's/.*localhost\:\([[:digit:]]*\)$/\1/'`
                        cat >> /etc/cups/cupsd-systemd-listen.conf << EOF
    # Matches 'Listen localhost:$localport' from cupsd.conf
    ListenStream=127.0.0.1:$localport
    ListenStream=[::1]:$localport
    EOF
                    fi
                else
                    cat >> /etc/cups/cupsd-systemd-listen.conf << EOF
    # Matches the default 'Listen localhost:631' from cupsd.conf.default
    ListenStream=0.0.0.0:631
    ListenStream=[::]:631

This is problem #3. This means that CUPS will listen on all interfaces even though the comment directly above says exactly the opposite. This looks a lot like a simple typo.

    EOF
                fi
            fi
    esac

    # Automatically added by dh_installdeb
    dpkg-maintscript-helper rm_conffile /etc/cups/cupsd.conf.default 1.7.1-3~ -- "$@"
    # End automatically added section
    # Automatically added by dh_installdeb
    dpkg-maintscript-helper rm_conffile /etc/default/cups 1.7.1-6~ -- "$@"
    # End automatically added section
    # Automatically added by dh_installdeb
    dpkg-maintscript-helper mv_conffile /etc/pam.d/cups-daemon /etc/pam.d/cups 1.7.3-2~ -- "$@"
    # End automatically added section


    exit 0

The result is that, because of problem #2, /etc/cups/cupsd.conf will never actually be parsed on new installations. Instead the incorrect fallback configuration will be used (problem #3). And because of problem #1, this will never be corrected, even when the package is updated or reinstalled.

Best regards

Alexander Kurtz

[0] http://www.debian.org/doc/debian-policy/ch-maintainerscripts.html
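Added example, not part of the thread or of the cups packaging: a local audit for the mismatch discussed above, reporting when the systemd socket drop-in binds a wildcard address while cupsd.conf only asks for loopback or unix-socket listeners. It goes beyond the patch's check by also treating [::] and a bare port number as wildcard binds; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the cups packaging. Sample files are constructed.

# Prints "exposed" when the socket drop-in binds a wildcard address while
# cupsd.conf only asks for loopback/unix listeners; "ok" or "missing" otherwise.
check_cups_listen() {
    listen_conf=$1
    cupsd_conf=$2
    if [ ! -f "$listen_conf" ] || [ ! -f "$cupsd_conf" ]; then
        echo missing
        return 0
    fi
    # Wildcard binds: IPv4 0.0.0.0, IPv6 [::], or a bare port number.
    wildcard=no
    if grep -Eq '^ListenStream=(0\.0\.0\.0:|\[::\]:|[0-9]+$)' "$listen_conf"; then
        wildcard=yes
    fi
    # cupsd.conf is local-only when it has no Port line and every Listen
    # address is localhost, 127.0.0.1, [::1] or a unix socket path.
    local_only=$(awk '
        /^[ \t]*Port[ \t]/ { wide = 1 }
        /^[ \t]*Listen[ \t]/ {
            if ($2 !~ /^(localhost|127\.0\.0\.1|\[::1\]):/ && $2 !~ /^\//) wide = 1
        }
        END { print (wide ? "no" : "yes") }' "$cupsd_conf")
    if [ "$wildcard" = yes ] && [ "$local_only" = yes ]; then
        echo exposed
    else
        echo ok
    fi
}

# Constructed sample input: the drop-in from the report, the patched
# drop-in, and a default-style cupsd.conf.
write_samples() {
    printf '[Socket]\nListenStream=0.0.0.0:631\nListenStream=[::]:631\n' > "$1/bad.conf"
    printf '[Socket]\nListenStream=127.0.0.1:631\nListenStream=[::1]:631\n' > "$1/good.conf"
    printf 'Listen localhost:631\nListen /var/run/cups/cups.sock\n' > "$1/cupsd.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "file from the report: $(check_cups_listen "$tmp/bad.conf" "$tmp/cupsd.conf")"
echo "file after the patch: $(check_cups_listen "$tmp/good.conf" "$tmp/cupsd.conf")"
rm -rf "$tmp"
```

On an installed system the two arguments would be /etc/cups/cupsd-systemd-listen.conf and /etc/cups/cupsd.conf, the paths named in the report.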