Commit | Line | Data |
---|---|---|
4744bd90 | 1 | <HTML> |
2 | <!-- SECTION: Getting Started --> | |
3 | <HEAD> | |
4 | <TITLE>Server Security</TITLE> | |
178cb736 | 5 | <LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css"> |
4744bd90 | 6 | </HEAD> |
7 | <BODY> | |
8 | ||
178cb736 | 9 | <H1 CLASS="title">Server Security</H1> |
10 | ||
4744bd90 | 11 | <P>In the default "standalone" configuration, there are few |
12 | potential security risks - the CUPS server does not accept remote | |
13 | connections, and only accepts shared printer information from the | |
14 | local subnet. When you share printers and/or enable remote | |
eac3a0a0 | 15 | administration, you expose your system to potential unauthorized |
4744bd90 | 16 | access. This help page provides an analysis of possible CUPS |
17 | security concerns and describes how to better secure your | |
18 | server.</P> | |
19 | ||
20 | <H2 CLASS="title"><A NAME="AUTHENTICATION">Authentication Issues</A></H2> | |
21 | ||
22 | <P>When you enable remote administration, the server will use | |
eac3a0a0 | 23 | Basic authentication for administration tasks. The current CUPS |
178cb736 | 24 | server supports Basic, Digest, Kerberos, and local certificate |
4744bd90 | 25 | authentication:</P> |
26 | ||
27 | <OL> | |
28 | ||
29 | <LI>Basic authentication essentially places the clear | |
30 | text of the username and password on the network. | |
31 | ||
32 | <P>Since CUPS uses the system username and password | |
33 | account information, the authentication information could | |
34 | be used to gain access to possibly privileged accounts on | |
35 | the server.</P> | |
36 | ||
37 | <P><B>Recommendation:</B> Enable encryption to hide the | |
e1d6a774 | 38 | username and password information - this is the default on |
39 | MacOS X and systems with GNU TLS or OpenSSL installed.</P></LI> | |
4744bd90 | 40 | |
4744bd90 | 41 | <LI>Local certificate authentication passes 128-bit |
42 | "certificates" that identify an authenticated user. | |
43 | Certificates are created on-the-fly from random data and | |
44 | stored in files under <VAR>/var/run/cups/certs</VAR>. | |
45 | They have restricted read permissions: root + | |
e1d6a774 | 46 | system-group(s) for the root certificate, and lp + lp |
47 | for CGI certificates. | |
4744bd90 | 48 | |
49 | <P>Because certificates are only available on the local | |
50 | system, the CUPS server does not accept local | |
51 | authentication unless the client is connected to the | |
52 | loopback interface (127.0.0.1 or ::1) or domain | |
53 | socket.</P> | |
54 | ||
55 | <P><B>Recommendation:</B> Ensure that unauthorized users | |
7374e9e5 | 56 | are not added to the system group(s).</P></LI> |
4744bd90 | 57 | |
58 | </OL> | |
59 | ||
60 | <H2 CLASS="title"><A NAME="DOS">Denial of Service Attacks</A></H2> | |
61 | ||
62 | <P>When printer sharing or remote administration is enabled, the | |
63 | CUPS server, like all Internet services, is vulnerable to a | |
64 | variety of denial of service attacks:</P> | |
65 | ||
66 | <OL> | |
67 | ||
68 | <LI>Establishing multiple connections to the server until | |
69 | the server will accept no more. | |
70 | ||
71 | <P>This cannot be protected against by any known | |
72 | software. The <CODE>MaxClientsPerHost</CODE> directive | |
73 | can be used to configure CUPS to limit the number of | |
74 | connections allowed from a single host, however that does | |
75 | not prevent a distributed attack.</P> | |
76 | ||
77 | <P><B>Recommendation:</B> Limit access to trusted systems | |
78 | and networks.</P></LI> | |
79 | ||
80 | <LI>Repeatedly opening and closing connections to the | |
81 | server as fast as possible. | |
82 | ||
83 | <P>There is no easy way of protecting against this in the | |
84 | CUPS software. If the attack is coming from outside the | |
85 | local network, it may be possible to filter such an | |
86 | attack. However, once the connection request has been | |
87 | received by the server it must at least accept the | |
88 | connection to find out who is connecting.</P> | |
89 | ||
90 | <P><B>Recommendation:</B> None.</P></LI> | |
91 | ||
4744bd90 | 92 | <LI>Sending partial IPP requests; specifically, sending |
93 | part of an attribute value and then stopping | |
94 | transmission. | |
95 | ||
96 | <P>The current code will wait up to 1 second before | |
97 | timing out the partial value and closing the connection. | |
98 | This will slow the server responses to valid requests and | |
99 | may lead to dropped browsing packets, but will otherwise | |
100 | not affect the operation of the server.</P> | |
101 | ||
102 | <P><B>Recommendation:</B> Block IPP packets from foreign | |
103 | or untrusted networks using a router or | |
104 | firewall.</P></LI> | |
105 | ||
106 | <LI>Sending large/long print jobs to printers, preventing | |
107 | other users from printing. | |
108 | ||
109 | <P>There are limited facilities for protecting against | |
110 | large print jobs (the <CODE>MaxRequestSize</CODE> | |
111 | attribute), however this will not protect printers from | |
112 | malicious users and print files that generate hundreds or | |
113 | thousands of pages.</P> | |
114 | ||
115 | <P><B>Recommendation:</B> Restrict printer access to | |
116 | known hosts or networks, and add user-level access | |
117 | controls as needed for expensive printers.</P></LI> | |
118 | ||
119 | </OL> | |
120 | ||
121 | <H2 CLASS="title"><A NAME="ENCRYPTION">Encryption Issues</A></H2> | |
122 | ||
1a18c85c | 123 | <P>CUPS supports 128-bit TLS encryption of network connections via the GNU TLS library, OS X Security framework, and Windows SSPI APIs. Secure deployment of TLS depends on proper certificate management and software maintenance.</P> |
4744bd90 | 124 | |
125 | </BODY> | |
126 | </HTML> |
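
The recommendations in this file (encrypt Basic authentication, limit access to trusted systems and networks, cap per-host connections with MaxClientsPerHost) can be checked mechanically. The following is an added example, not part of the CUPS sources: a small Python auditor run over two constructed cupsd.conf samples. It assumes a strict policy in which encryption counts only when `Encryption Required` or `DefaultEncryption Required` is stated explicitly; the names `parse`, `audit`, `WEAK_CONF` and `HARDENED_CONF`, and the values `10` and `192.168.1.0/24`, are hypothetical.

```python
# Added example: audit cupsd.conf text against this page's recommendations.
# Both samples are constructed for illustration, not taken from a real server.
WEAK_CONF = """\
<Location /admin>
  AuthType Basic
  Require user @SYSTEM
  Allow from all
</Location>
"""
HARDENED_CONF = """\
MaxClientsPerHost 10
DefaultEncryption Required
<Location /admin>
  AuthType Basic
  Require user @SYSTEM
  Allow from 192.168.1.0/24
</Location>
"""

def parse(text):
    """Split a config into global directives and per-<Location> directives."""
    globals_, locations, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<location"):
            current = locations.setdefault(line[9:].strip(" >"), [])
        elif line.lower() == "</location>":
            current = None
        elif not line.startswith("<"):  # skip <Limit>/<Policy> tags themselves
            name, _, value = line.replace("\t", " ").partition(" ")
            target = globals_ if current is None else current
            target.append((name.lower(), " ".join(value.lower().split())))
    return globals_, locations

def audit(text):
    """Return findings; assumed policy: encryption must be stated explicitly."""
    globals_, locations = parse(text)
    g, findings = dict(globals_), []
    if "maxclientsperhost" not in g:
        findings.append("global: MaxClientsPerHost not set explicitly")
    for path, directives in locations.items():
        d = dict(directives)
        enc = d.get("encryption", g.get("defaultencryption"))  # location overrides
        if d.get("authtype") == "basic" and enc != "required":
            findings.append(f"{path}: Basic authentication without required encryption")
        if any(n == "allow" and v in ("all", "from all") for n, v in directives):
            findings.append(f"{path}: Allow rule admits every host")
    return findings
```

To check a live server, pass the contents of its cupsd.conf to `audit()`; an empty list means none of the three conditions was found.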