I followed the instructions in the "Gentoo Printing Guide" to get CUPS working on a standalone PC some weeks ago. Now, after doing a port scan, I found out that port 631 is open to the internet (check the ShieldsUP URL above). Does this mean that it's free printing at my place ;-( or even worse? If so, I think the manual should provide some info to warn about this, or a solution to block port 631 for the rest of the world. The "Gentoo Linux Security Guide" doesn't say anything about CUPS, and says that installing a firewall may not be needed...

Reproducible: Always

Steps to Reproduce:
1. # /etc/init.d/cupsd start
2. scan port 631 (without firewall)
3.

Actual Results: According to the CUPS access logs, no bad things happened... :-)

Expected Results: No firewall installed yet.
This is actually desired behaviour so you can do work remotely. It is expected that if anyone installs programs which primarily rely on networks for administration, they understand that it is open to the world. If you were to try to do anything, though, note that it requires a root password. A line or two in the guide with a link to an iptables page might be a good idea though...
The default setup listens on all interfaces but doesn't allow anything to be changed except if you connect via localhost... all other interfaces will be denied. We should just update the default cupsd.conf with a 'Listen 127.0.0.1' IMHO. Printing team: what do you think?
Thanks for the tips. Tried adding Listen 127.0.0.1, but then I get: cupsd: Child exited with status 98; error_log: StartListening: Unable to bind socket - Address already in use. Got iptables running now, but that's a lot of work! :)
Near or around line 428 is a line which states 'Port 631'. To get the more secure behaviour of only allowing connections on localhost, comment this out and add a line below which states 'Listen 127.0.0.1:631'. Done. If this was done by default it would save me the trouble of manually integrating my changes every time cupsd.conf is updated... Seems like the desired behaviour most of the time. IMHO the severity of this bug needs to be lowered.
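The Port -> Listen change described in the comment above, as an added shell example that is not part of this bug thread, the Gentoo guide or the CUPS project. It rewrites the `Port 631` line (or a wildcard `Listen`) in place rather than adding a second `Listen`, which is what produced the "Address already in use" error reported earlier in the thread, and then checks `ss -ltn`-style socket output for a port 631 listener bound to anything other than loopback. The cupsd.conf fragment and the socket listing are constructed sample inputs, not output from the reporter's machine; the column layout assumed for the socket listing is that of `ss -ltn` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).

```shell
#!/bin/sh
# Added example; not code from the bug thread, the Gentoo guide or CUPS itself.

# harden_listen: rewrite a cupsd.conf (stdin -> stdout) so cupsd binds the
# IPP port on the loopback address only. "Port 631", "Listen 631" and
# "Listen *:631" all bind every interface; each becomes "Listen 127.0.0.1:631".
# Other Listen lines (for example a UNIX domain socket) are left untouched.
harden_listen() {
    sed -E \
        -e 's/^[[:space:]]*Port[[:space:]]+([0-9]+)[[:space:]]*$/Listen 127.0.0.1:\1/' \
        -e 's/^[[:space:]]*Listen[[:space:]]+(\*:)?([0-9]+)[[:space:]]*$/Listen 127.0.0.1:\2/'
}

# exposed_listeners: read `ss -ltn`-style output on stdin and print every
# LISTEN socket on port 631 whose local address is not loopback
# (127.0.0.0/8 or [::1]). Empty output means nothing is reachable from outside.
exposed_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /:631$/ && $4 !~ /^(127\.[0-9.]+|\[::1\]):631$/ { print $4 }'
}

# Constructed sample cupsd.conf fragment (assumption: default-style Port line).
SAMPLE_CONF='# default cupsd.conf fragment
Port 631
Listen /var/run/cups/cups.sock'

# Constructed sample socket listing in `ss -ltn` layout (not real output).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:631        0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    [::]:631           [::]:*'

# Show the hardened config, then the sockets that would still be exposed
# before the change. On a live system: `harden_listen < /etc/cups/cupsd.conf`
# and `ss -ltn | exposed_listeners` after restarting cupsd.
printf '%s\n' "$SAMPLE_CONF" | harden_listen
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Note that the sed rewrite only narrows where cupsd binds; the `Location` / `Allow` rules in cupsd.conf still decide who may print or administer once a connection is accepted, and a `Listen` for a second interface would need to be added explicitly if remote printing is wanted.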
Last solution works.
This is expected behavior for cups, not a critical bug. It's normal behavior when cups is manually compiled and also with every other distro I've used. The package is, after all, in the "net"-print group, and "net" services tend to operate this way. A user should always be cautious when starting any such service with an open connection to the net.
I've added a paragraph on Port -> Listen for systems that are immediately connected to the Internet.
The rewrite (see http://www.gentoo.org/doc/en/handbook/draft/printing-howto.xml) does not have this paragraph anymore as it is no security issue. You can not print to the printer anyway unless you explicitly allow it in cupsd.conf (by default only localhost can print).