Tim Waugh wrote:
> Something that occurred to me today is that for LSPP, CUPS should be
> configured to restrict the IPP notification operations:
>
> Create-Subscription
> Renew-Subscription
> Get-Notifications
>
> Otherwise, information about jobs and printers can be discovered. The
> way subscriptions work is that an IPP connection to the local
> CUPS server is made, and a 'Create-Subscription' operation sets up the
> list of events to notify me of. Then, later, a 'Get-Notifications'
> operation retrieves a list of events such as job-created, printer-added.
> These events carry information such as job IDs, job names etc.

Thanks for bringing this up, Tim. Are these the config file lines you were
thinking we needed?

    <Limit Create-Subscription Renew-Subscription Get-Notifications>
      AuthType Basic
      Require user @SYSTEM
      Order deny,allow
    </Limit>

I added that to my system and the server parsed the config file, accepted
the options and was able to start, but I'm not sure how to test the attack
you are describing. I get the feeling this would require a custom client.

-matt
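
An offline check for the restriction discussed in this thread, added here as an example (not code from the thread or from CUPS): it parses cupsd.conf text and reports which of the three notification operations are not covered, in each <Policy>, by a <Limit> block carrying a Require directive. The operation names are used as written in the thread; the function names, the sample config, and the rule that a Require directive marks an authenticated limit are assumptions of this example.

```python
import re

# Operation names exactly as written in the thread (assumption: adjust them to
# the names your CUPS version accepts inside <Limit>).
NOTIFY_OPS = ("Create-Subscription", "Renew-Subscription", "Get-Notifications")

# Constructed sample: the <Limit> block from the thread inside a policy.
SAMPLE = """
<Policy default>
  <Limit Create-Subscription Renew-Subscription Get-Notifications>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
"""

def parse_policies(conf_text):
    """Return {policy: [(ops, directives), ...]} for each <Limit> in a <Policy>."""
    policies, policy, limit = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"<Policy\s+([^>]+)>$", line, re.I)
        if m:
            policy = policies.setdefault(m.group(1).strip(), [])
        elif re.match(r"</Policy>$", line, re.I):
            policy = None
        elif policy is not None and (m := re.match(r"<Limit\s+([^>]+)>$", line, re.I)):
            limit = ({op.lower() for op in m.group(1).split()}, {})
            policy.append(limit)
        elif re.match(r"</Limit>$", line, re.I):
            limit = None
        elif limit is not None:                      # directive inside a policy <Limit>
            key, _, value = line.partition(" ")
            limit[1][key.lower()] = value.strip()
    return policies

def unrestricted_ops(conf_text, ops=NOTIFY_OPS):
    """List (policy, op) pairs that no <Limit> with a Require directive covers."""
    findings = []
    for name, limits in parse_policies(conf_text).items():
        for op in ops:
            # A <Limit> naming the operation wins; <Limit All> is the fallback.
            block = next((d for o, d in limits if op.lower() in o), None)
            if block is None:
                block = next((d for o, d in limits if "all" in o), None)
            if block is None or "require" not in block:
                findings.append((name, op))
    return findings

if __name__ == "__main__":
    print(unrestricted_ops(SAMPLE) or "notification operations are restricted")
```

This checks only what the configuration file says; it does not contact a running cupsd.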
