Re: [SECURITY] [DSA 2600-1] cups security update
* Nico Golde [2013-01-06 18:40]:
> Debian Security Advisory DSA-2600-1                  secur...@debian.org
> http://www.debian.org/security/                               Nico Golde
> January 06, 2013                      http://www.debian.org/security/faq
>
> Package: rails

Of course this is a copy&paste fail on my side and this should have been cups ;)

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
Re: cups security (fwd)
On Thu, Apr 11, 2002 at 07:12:33PM -0500, Torrin wrote:
> Oops, forgot to send this to the list.

So I forgot the reply to the list... (btw, it begins to be out of the list topic...)

> -- Forwarded message --
> Date: Thu, 11 Apr 2002 19:09:22 -0500 (CDT)
> From: Torrin <[EMAIL PROTECTED]>
> To: Emmanuel Lacour <[EMAIL PROTECTED]>
> Subject: Re: cups security
>
> Hmmm . . . you forgot,
>
> apt-get install cupsys-driver-gimpprint
> gunzip .gz
> cp driver /usr/share/cups/model
>
> I guess that is only if the proper driver isn't included with cups.

Yep, that's only for unsupported printers. But I never needed to ungzip files for this in woody, just apt-get install and all of those drivers appear in the web admin...

> also, I used lpadmin to configure the printer. I didn't even realize
> there was a web server listening on 631. Doh!! Oh, but it does ask for
> username and password. I suppose that's secure enough.

By default it's the root login and password of your system... maybe it will be a great idea to change it and to use https (cupsd.conf)

> On Thu, 11 Apr 2002, Emmanuel Lacour wrote:
> >
> > Howto:
> >
> > apt-get install cupsys cupsys-bsd
> >
> > customize /etc/cups/cupsd.conf for security, it's easy to understand I
> > think.
> >
> > Go to http://localhost:631/ and configure your printer
> >
> > echo test | lpr
> >
> > ... it works (theoretically...)
>
> --
> http://www.torrin.net
> Give me mutt any day. http://www.mutt.org

--
Easter-eggs - GNU/Linux Specialist
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: cups security summary
> "Dale" == Dale Southard <[EMAIL PROTECTED]> writes:

Dale> If you've done step 1, step 2 is redundant protection. There
Dale> shouldn't be anything listening on 631 anyplace except loopback.

Right, but step 2 has no negative effects (other than some extra time needed to learn how to set up the firewall), and ensures that no one can connect to port 631 even if you accidentally misconfigure something, or something overwrites your configuration.

IMHO, pretty much every box should have its own firewall installed. It prevents various bad things from happening (trojans, misconfigured daemons) and is an extra layer of protection "just in case". You can set it up to deny all packets except for
- packets which are part of a connection that you established (e.g. HTTP replies)
- whatever ports you want open to the public

--
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Re: cups security summary
Torrin <[EMAIL PROTECTED]> writes:

> OK, in summary.
>
> 1. I should set it to listen only on the local interface by setting
>
>    Listen 127.0.0.1:631
>
>    in the cupsd.conf file.
>
> 2. I should firewall off the port. This part is already done, I just
>    don't like to have ports open.
>
> So from what people have said, I guess there isn't a way to run cups and
> close the port.

Step 1 causes cups to bind only to the loopback interface. After making the change, restart the cupsd and nmap scan your loopback (localhost) and public interfaces -- you shouldn't see 631 open on anything but the loopback.

If you've done step 1, step 2 is redundant protection. There shouldn't be anything listening on 631 anyplace except loopback.

> Is the open port essential to its operation, like open
> port 22 is essential to the operation of ssh?

In any unix printing architecture, there has to be a way to get the client's data to the host's print server. In traditional lpr and lp, the client command copies or symlinks the data into the spool directory (which is why lp/lpr is usually SUID or SGID). In cups, the print data is transferred to the server via http protocol. This means the client program doesn't need any special privileges, but does require that the server be listening on a port somewhere.

Which is ultimately a better idea from a security perspective is a matter of opinion and situation.

--
/* Dale Southard Jr. [EMAIL PROTECTED] 925-422-1463, fax 422-9429 */
/* Computer Scientist, Accelerated Strategic Computing Initiative */
/* L-073, Lawrence Livermore National Lab, Livermore CA 94551 */
/* AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving */
Re: cups security (fwd)
Oops, forgot to send this to the list.

-- Forwarded message --
Date: Thu, 11 Apr 2002 19:09:22 -0500 (CDT)
From: Torrin <[EMAIL PROTECTED]>
To: Emmanuel Lacour <[EMAIL PROTECTED]>
Subject: Re: cups security

Hmmm . . . you forgot,

    apt-get install cupsys-driver-gimpprint
    gunzip .gz
    cp driver /usr/share/cups/model

I guess that is only if the proper driver isn't included with cups.

also, I used lpadmin to configure the printer. I didn't even realize there was a web server listening on 631. Doh!! Oh, but it does ask for username and password. I suppose that's secure enough.

On Thu, 11 Apr 2002, Emmanuel Lacour wrote:
>
> Howto:
>
> apt-get install cupsys cupsys-bsd
>
> customize /etc/cups/cupsd.conf for security, it's easy to understand I
> think.
>
> Go to http://localhost:631/ and configure your printer
>
> echo test | lpr
>
> ... it works (theoretically...)

--
http://www.torrin.net
Give me mutt any day. http://www.mutt.org
Re: cups security summary
OK, in summary.

1. I should set it to listen only on the local interface by setting

   Listen 127.0.0.1:631

   in the cupsd.conf file.

2. I should firewall off the port. This part is already done, I just don't like to have ports open.

So from what people have said, I guess there isn't a way to run cups and close the port. Is the open port essential to its operation, like open port 22 is essential to the operation of ssh?

--
http://www.torrin.net
I hate pine. Give me mutt any day. http://www.mutt.org
Re: cups security
> "Luis" == Luis Gómez Miralles <[EMAIL PROTECTED]> writes:

Luis> Why don't you cut access to that port via tcp wrappers? At least
Luis> in my Woody, cups is in inetd.conf: #:OTHER: Other services
Luis> printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd
Luis> cups-lpd (actually i'm not sure whether this corresponds to cups
Luis> or to lpr)

That would be CUPS's lpr compatibility daemon. If you don't have other hosts needing to use your computer to print, you can just drop it completely.

--
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Re: cups security
On Thu, Apr 11, 2002 at 09:56:51AM -0500, Torrin wrote:
> Good morning everybody, well at least morning over here in Cali. For
> everybody else, Good afternoon, good evening and good night.
>
> I just installed cups and I was wondering if it's possible to have cups
> run properly without having port 631 open. I don't like having ports
> open, especially since this computer will be the only one printing to
> this printer. I looked at some of the doc on http://www.cups.org and
> didn't see anything. Any ideas?

631 is the ipp port. It's needed for admin and remote printing, you can enable it only for localhost (127.0.0.1) by adding

    Listen 127.0.0.1:631

in /etc/cups/cupsd.conf (there are many security options like allow/deny networks/hosts in this config file, but in your case, listen only on localhost will be the good choice).

> Also, when I installed cups it said something about me needing to do a .
> . .
>
> route add -net 224.0.0.0 netmask 240.0.0.0 dev
>
> What's up with that? I didn't see anything in the doc about that
> either.

That's for slp protocol (www.openslp.org), if you don't need it (I think it's not useful in your case), don't add the route line and don't install slpd.

> You know, a howto would be nice right about now. Anyway, thanks in
> advance for your insight.

Howto:

    apt-get install cupsys cupsys-bsd

customize /etc/cups/cupsd.conf for security, it's easy to understand I think.

Go to http://localhost:631/ and configure your printer

    echo test | lpr

... it works (theoretically...)

> Oh, and if any of you use pine, I won't hold it against you. :)

Mutt

--
Easter-eggs - GNU/Linux Specialist
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com
Re: cups security
> "Torrin" == Torrin <[EMAIL PROTECTED]> writes:

Torrin> I just installed cups and I was wondering if it's possible to
Torrin> have cups run properly without having port 631 open. I don't
Torrin> like having ports open, especially since this computer will be
Torrin> the only one printing to this printer. I looked at some of the
Torrin> doc on http://www.cups.org and didn't see anything. Any ideas?

You can set CUPS to listen only on the loopback interface. Edit /etc/cups/cupsd.conf, and replace the line "Port 631" with "Listen 127.0.0.1:631".

Also, if you're paranoid, set up a firewall too. Even if you don't have any extra ports open right now, a firewall can save you if you accidentally misconfigure something (or if a trojan gets installed).

--
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
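
Added example, not part of any message in this thread: a local version of the check discussed here, reading the Port/Listen lines of cupsd.conf and the kernel's listening-socket table to confirm 631 is bound to loopback only. The function names and both sample inputs are constructed for illustration; it assumes the IPv4 /proc/net/tcp layout of a little-endian Linux host and treats a Listen value with no port as port 631.

```python
import ipaddress
import re

# Constructed sample: "Listen 127.0.0.1:631" was added, but the stock
# "Port 631" line was left in place, so cupsd still binds every interface.
SAMPLE_CUPSD_CONF = """\
# /etc/cups/cupsd.conf (constructed sample)
Port 631
Listen 127.0.0.1:631
"""

# Constructed sample in Linux /proc/net/tcp layout (columns trimmed).
# local_address is hex IP:port; st 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 0100007F:0277 00000000:0000 0A
   1: 00000000:0277 00000000:0000 0A
   2: 0100007F:0016 00000000:0000 0A
   3: 0F02000A:0277 0202000A:C350 01
"""

DIRECTIVE = re.compile(r"^(port|listen)\s+(\S+)$", re.IGNORECASE)


def config_listeners(conf_text, default_port=631):
    """Return (host, port) per Port/Listen line; host '*' means all interfaces."""
    listeners = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if not match:
            continue
        directive, value = match.group(1).lower(), match.group(2)
        if directive == "port":
            if value.isdigit():
                listeners.append(("*", int(value)))
            continue
        if value.startswith("/"):          # Unix domain socket, not a TCP port
            continue
        host, _, port = value.rpartition(":")
        if host and port.isdigit():
            listeners.append((host, int(port)))
        else:                              # no port parsed: assume default_port
            listeners.append((value, default_port))
    return listeners


def is_loopback(host):
    """True only for addresses that another machine cannot reach."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:                     # '*' or a hostname: treat as exposed
        return False


def listening_addresses(proc_net_tcp, port=631):
    """Return dotted IPv4 addresses in LISTEN state on the given port."""
    addresses = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        hex_ip, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        # The kernel prints the address as a host-order word: reverse the bytes.
        packed = bytes.fromhex(hex_ip)[::-1]
        addresses.append(str(ipaddress.IPv4Address(packed)))
    return addresses


def audit(conf_text, proc_net_tcp, port=631):
    """List non-loopback bindings in the config and in the live socket table."""
    configured = [f"{h}:{p}" for h, p in config_listeners(conf_text)
                  if p == port and not is_loopback(h)]
    live = [a for a in listening_addresses(proc_net_tcp, port)
            if not is_loopback(a)]
    return {"config": configured, "live": live}


if __name__ == "__main__":
    # On a real host, pass the contents of /etc/cups/cupsd.conf and /proc/net/tcp.
    print(audit(SAMPLE_CUPSD_CONF, SAMPLE_PROC_NET_TCP))
```

Both lists are empty on a host where cupsd is bound to loopback only; IPv6 listeners live in /proc/net/tcp6 and are not covered here.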
Re: cups security
Luis Gómez Miralles <[EMAIL PROTECTED]> writes:

> On Thu, 11-04-2002 at 16:56, Torrin wrote:
> > Good morning everybody, well at least morning over here in Cali. For
> > everybody else, Good afternoon, good evening and good night.
> >
> > I just installed cups and I was wondering if it's possible to have cups
> > run properly without having port 631 open. I don't like having ports
> > open, especially since this computer will be the only one printing to
> > this printer. I looked at some of the doc on http://www.cups.org and
> > didn't see anything. Any ideas?
>
> Why don't you cut access to that port via tcp wrappers? At least in my
> Woody, cups is in inetd.conf:
> #:OTHER: Other services
> printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd
> (actually i'm not sure whether this corresponds to cups or to lpr)

It corresponds to the cups server that accepts lpd jobs on port 515, which is an optional part of cups. The primary part of cups is a daemon that accepts IPP jobs (and serves html documentation) on port 631.

> so you could add
> "printer: ALL BUT LOCAL" [or something like that]
> to /etc/hosts.deny

If you are not accepting lpd print jobs from other hosts, there is no reason I am aware of to run cups-lpd.

Securing cups itself is done through the /etc/cups/cupsd.conf file. In particular, something like the following will limit access of the printers and documentation to localhost:

    Order Deny,Allow
    Deny From All
    Allow From 127.0.0.1

The cupsd.conf file has lots of goodies that are not turned on by default, including things like SSL/TLS certificates and crypto, restricting of the daemon binding, and lots of other hooks. The manuals are available at http://localhost:631/ or at cups.org.

> > route add -net 224.0.0.0 netmask 240.0.0.0 dev
> >
> > What's up with that? I didn't see anything in the doc about that
> > either.

Google for the term ``multicast'' and you'll find the answer. It has (to the best of my knowledge) nothing to do with CUPS.

--
/* Dale Southard Jr. [EMAIL PROTECTED] 925-422-1463, fax 422-9429 */
/* Computer Scientist, Accelerated Strategic Computing Initiative */
/* L-073, Lawrence Livermore National Lab, Livermore CA 94551 */
/* AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving */
Re: cups security
On Thu, 11-04-2002 at 16:56, Torrin wrote:
> Good morning everybody, well at least morning over here in Cali. For
> everybody else, Good afternoon, good evening and good night.
>
> I just installed cups and I was wondering if it's possible to have cups
> run properly without having port 631 open. I don't like having ports
> open, especially since this computer will be the only one printing to
> this printer. I looked at some of the doc on http://www.cups.org and
> didn't see anything. Any ideas?

Why don't you cut access to that port via tcp wrappers? At least in my Woody, cups is in inetd.conf:

    #:OTHER: Other services
    printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd

(actually I'm not sure whether this corresponds to cups or to lpr)

so you could add
"printer: ALL BUT LOCAL" [or something like that]
to /etc/hosts.deny

Regards

> Also, when I installed cups it said something about me needing to do a .
> . .
>
> route add -net 224.0.0.0 netmask 240.0.0.0 dev
>
> What's up with that? I didn't see anything in the doc about that
> either.

I never did that and it's working ok for me :)

> You know, a howto would be nice right about now. Anyway, thanks in
> advance for your insight.
>
> Oh, and if any of you use pine, I won't hold it against you. :)
> --
> http://www.torrin.net
> I hate pine. It's the worst E-mail client ever.
> Give me mutt any day. http://www.mutt.org

--
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]
PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
Re: cups security
On Thu, Apr 11, 2002 at 09:56:51AM -0500, Torrin wrote:
> Good morning everybody, well at least morning over here in Cali. For
> everybody else, Good afternoon, good evening and good night.

:)) Hi, pal.

> Also, when I installed cups it said something about me needing to do a .
> . .
>
> route add -net 224.0.0.0 netmask 240.0.0.0 dev
>
> What's up with that? I didn't see anything in the doc about that
> either.

The "route" line is going to add an entry in the kernel's routing table. This entry would make the kernel think it is running on a host which is in the network 0xE?.???.???.??? where 0xE? is in hexadecimal and the "?" can match any number of the addressing IP. Moreover, the kernel is going to redirect all packets received by it to the network interface "".

Sorry, if I'm not of much help, but I am using LPRNG and can't really help you with cups. Generally, if you want to use the server on your host only, you should set up a firewall.

Until someone helps you,
--
Pav
Re: cups security
Said Torrin on Thu, Apr 11, 2002 at 09:56:51AM -0500:

> I just installed cups and I was wondering if it's possible to have
> cups run properly without having port 631 open. I don't like having
> ports open, especially since this computer will be the only one
> printing to this printer. I looked at some of the doc on
> http://www.cups.org and didn't see anything. Any ideas?

In general, I would recommend a firewall, and in this specific case, I would stick with that suggestion :-) If you don't feel like getting into the internals, I would recommend firestarter as a great app for graphical firewall configuration.

--
[!] Justin R. Miller <[EMAIL PROTECTED]>
PGP 0xC9C40C31 -=- http://codesorcery.net
http://news.independent.co.uk/world/asia_china/story.jsp?story=281067
cups security
Good morning everybody, well at least morning over here in Cali. For everybody else, Good afternoon, good evening and good night.

I just installed cups and I was wondering if it's possible to have cups run properly without having port 631 open. I don't like having ports open, especially since this computer will be the only one printing to this printer. I looked at some of the doc on http://www.cups.org and didn't see anything. Any ideas?

Also, when I installed cups it said something about me needing to do a . . .

    route add -net 224.0.0.0 netmask 240.0.0.0 dev

What's up with that? I didn't see anything in the doc about that either.

You know, a howto would be nice right about now. Anyway, thanks in advance for your insight.

Oh, and if any of you use pine, I won't hold it against you. :)

--
http://www.torrin.net
I hate pine. It's the worst E-mail client ever.
Give me mutt any day. http://www.mutt.org