TIL CUPS, the print queue server, came from Apple and enables a web server by default (port 631) on a lot of systems. Is this really a good idea?


@tomosaigon It's bound to localhost, (not 127.0.0.1) and inaccessible from the network. It can be *made* so, but it must be explicitly done so.

@nathand the server has to bind to an IP address, not a hostname, so it actually is 127.0.0.1, is it not? Practically speaking, how is it different?

Also, a bug in their web app stack could lead to root privileges, I think, even if it's only locally accessible (which could include random users)...

@tomosaigon Yes and no.

> the server has to bind to an IP address, not a hostname, so it actually is 127.0.0.1, is it not? Practically speaking, how is it different?

Yes, practically speaking, localhost == 127.0.0.1. In the case of CUPS, it is *only* listening for requests from the local system. Any other requests are dropped by default.

(1/2?)

@tomosaigon (2/2?)

> Also, a bug in their web app stack could lead to root privileges, I think, even if it's only locally accessible (which could include random users)...

Yes, it *could*. So could many of the accessible pieces of software on the system. In this case, you have to be part of the admin group to access it, reducing potential impact.

With the default configuration, the software is decently well secured. If you're going to have random users connect, you'll want to tweak that.

@tomosaigon It's also interesting to note that it's the same way on Macs. CUPS will listen to localhost:631. Only local users in the CUPS(?) group are allowed to connect and configure it. Though, you often have less difficulty configuring it through the Printers settings app.
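The thread's point is that the default `Listen localhost:631` keeps cupsd off the network, and that a `Port 631` or a `Listen` on a non-loopback address is what actually exposes the web interface. The following POSIX shell audit is an added example by the editor, not code posted by anyone in the thread or shipped by CUPS: it scans a cupsd.conf for `Listen`/`Port` directives that bind beyond loopback. The two configuration files it writes are constructed samples (the `192.0.2.10` address is a documentation address), and the function names are the editor's own.

```shell
#!/bin/sh
# Added example: flag cupsd.conf directives that expose the CUPS web server
# beyond the loopback interface. Not part of the thread or of CUPS itself.

# Print every Listen/Port directive in $1 that is NOT loopback-only.
# Loopback-only means localhost, 127.x.x.x, [::1], or a Unix domain socket.
cups_exposed_listeners() {
    sed 's/#.*//' "$1" \
    | grep -Ei '^[[:space:]]*(Listen|Port)[[:space:]]+' \
    | while read -r directive value _; do
        d=$(printf '%s' "$directive" | tr 'A-Z' 'a-z')
        if [ "$d" = port ]; then
            # "Port N" binds every interface, so it is always exposed.
            echo "$directive $value"
        else
            case "$value" in
                localhost|localhost:*|127.*|\[::1\]:*|/*) ;;   # loopback / socket
                *) echo "$directive $value" ;;                # anything else
            esac
        fi
    done
}

# Return 0 when every directive is loopback-only, 1 otherwise (offenders on stderr).
check_cups_listen() {
    exposed=$(cups_exposed_listeners "$1")
    if [ -n "$exposed" ]; then
        printf 'cupsd would be reachable from the network via:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# Write a constructed sample config to $1; $2 is "loopback" or "exposed".
write_sample_conf() {
    if [ "$2" = loopback ]; then
        cat > "$1" <<'EOF'
# constructed sample resembling a stock cupsd.conf
Listen localhost:631
Listen /run/cups/cups.sock
Browsing Off
<Location />
  Order allow,deny
</Location>
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample of a config that someone opened up to the LAN
Port 631                 # binds every interface
Listen /run/cups/cups.sock
Listen 192.0.2.10:631    # constructed documentation address
EOF
    fi
}

# Demo: audit both constructed configs.
for kind in loopback exposed; do
    f=$(mktemp)
    write_sample_conf "$f" "$kind"
    if check_cups_listen "$f"; then
        echo "$kind config: OK, cupsd listens on loopback only"
    else
        echo "$kind config: NOT OK"
    fi
    rm -f "$f"
done
```

On a live host, run `check_cups_listen /etc/cups/cupsd.conf` and compare the result against `ss -ltn` to confirm that the only TCP socket on port 631 is bound to 127.0.0.1 or ::1; the `Order allow,deny` location block in the sample is the other half of the defaults the thread mentions, since even a loopback-only listener still relies on the admin-group restriction to limit who on the box can reconfigure printing.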
