TIL CUPS, the print queue server came from Apple and enables a web server by default (port 631) on a lot of systems. Is this really a good idea?

@tomosaigon Well, no, you should run it on BSD, but if that's what you've got…

@mdhughes hah, if I was still running OpenBSD this would be unfathomable. It makes me wonder what other services are running by default on Linux distros.

@tomosaigon It's bound to localhost, (not 127.0.0.1) and inaccessible from the network. It can be *made* so, but it must be explicitly done so.

@nathand the server has to bind to an IP address, not a hostname, so it actually is 127.0.0.1, is it not? Practically speaking, how is it different?

Also, a bug in their web app stack could lead to root privileges, I think, even if it's only locally accessible (which could include random users)...

@tomosaigon Yes and no.

> the server has to bind to an IP address, not a hostname, so it actually is 127.0.0.1, is it not? Practically speaking, how is it different?

Yes, practically speaking, localhost == 127.0.0.1. In the case of CUPS, it is *only* listening for requests from the local system. Any other requests are dropped by default.

(1/2?)

@tomosaigon (2/2?)

> Also, a bug in their web app stack could lead to root privileges, I think, even if it's only locally accessible (which could include random users)...

Yes, it *could*. So could many of the accessible pieces of software on the system. In this case, you have to be part of the admin group to access it, reducing potential impact.

With the default configuration, the software is decently well secured. If you're going to have random users connect, you'll want to tweak that.

@tomosaigon It's also interesting to note that it's the same way on Macs. CUPS will listen to localhost:631. Only local users in the CUPS(?) group are allowed to connect and configure it. Though, you often have less difficulty configuring it through the Printers settings app.
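Added example, not part of any post in this thread: a small Python audit of the `Listen` and `Port` directives in a `cupsd.conf`, reporting which listeners stay on loopback or a Unix socket and which are reachable from the network. The sample configuration is constructed, the function names are hypothetical, and treating any hostname other than `localhost` as network-facing is a conservative assumption.

```python
import ipaddress

# Constructed sample in cupsd.conf syntax (not taken from a real system).
SAMPLE_CONF = """\
# Only listen for connections from the local machine.
Listen localhost:631
Listen /run/cups/cups.sock
Listen 192.0.2.10:631
Port 8631
Listen [::1]:631
"""

def classify(address):
    """Return 'local' for loopback or Unix-socket listeners, else 'network'."""
    if address.startswith("/"):
        return "local"                      # Unix domain socket path
    if address.startswith("[") and "]" in address:
        host = address[1:address.index("]")]    # bracketed IPv6 literal
    else:
        host = address.rpartition(":")[0] or address
    if host.lower() == "localhost":
        return "local"
    try:
        return "local" if ipaddress.ip_address(host).is_loopback else "network"
    except ValueError:
        # "*" or any other hostname: assume it can be reached remotely.
        return "network"

def audit(conf_text):
    """Return (line number, listener, verdict) for each Listen/Port line."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, value = parts[0].lower(), parts[1].strip()
        if directive == "listen":
            findings.append((lineno, value, classify(value)))
        elif directive == "port":
            # Port N listens on every interface, so it is never local-only.
            findings.append((lineno, "*:" + value, "network"))
    return findings

if __name__ == "__main__":
    for lineno, listener, verdict in audit(SAMPLE_CONF):
        print(f"line {lineno}: {listener:28} {verdict}")
```

To check a real system, pass the contents of its `cupsd.conf` to `audit()` and compare the result with the sockets the daemon actually has open.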

@tomosaigon It was actually developed by Michael Sweet at his company Easy Software Products.

He moved to Apple and took CUPS with him. Apple's claims to having developed CUPS are not actually true.

@neildarlow Maybe I didn't actually see Apple claim to invent it but they certainly imply some kind of stewardship of the project! Interesting to find out it's not true.

The man page lists Apple Inc as copyright owner.

@tomosaigon Also interesting to note: Apple only recently-ish bought CUPS (and hired the developer) so that they could have a ready-made print stack and not worry about it going GPLv3 (like Samba did). CUPS existed for *far* longer than their ownership, though. IIRC, Red Hat and some others have made contributions to it over the years, because it's just *that* good.
