]>
Commit | Line | Data |
---|---|---|
4744bd90 | 1 | <HTML> |
2 | <!-- SECTION: Getting Started --> | |
3 | <HEAD> | |
4 | <TITLE>Server Security</TITLE> | |
178cb736 | 5 | <LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css"> |
4744bd90 | 6 | </HEAD> |
7 | <BODY> | |
8 | ||
178cb736 MS |
9 | <H1 CLASS="title">Server Security</H1> |
10 | ||
4744bd90 | 11 | <P>In the default "standalone" configuration, there are few |
12 | potential security risks - the CUPS server does not accept remote | |
13 | connections, and only accepts shared printer information from the | |
14 | local subnet. When you share printers and/or enable remote | |
eac3a0a0 | 15 | administration, you expose your system to potential unauthorized |
4744bd90 | 16 | access. This help page provides an analysis of possible CUPS |
17 | security concerns and describes how to better secure your | |
18 | server.</P> | |
19 | ||
20 | <H2 CLASS="title"><A NAME="AUTHENTICATION">Authentication Issues</A></H2> | |
21 | ||
159df568 | 22 | <P>When you enable remote administration, the server will use Basic authentication for administration tasks. The current CUPS server supports Basic, Kerberos, and local certificate authentication:</P> |
4744bd90 | 23 | |
24 | <OL> | |
25 | ||
26 | <LI>Basic authentication essentially places the clear | |
27 | text of the username and password on the network. | |
28 | ||
29 | <P>Since CUPS uses the system username and password | |
30 | account information, the authentication information could | |
31 | be used to gain access to possibly privileged accounts on | |
32 | the server.</P> | |
33 | ||
34 | <P><B>Recommendation:</B> Enable encryption to hide the | |
e1d6a774 | 35 | username and password information - this is the default on |
6ccb19f3 | 36 | macOS and systems with GNU TLS installed.</P></LI> |
4744bd90 | 37 | |
4744bd90 | 38 | <LI>Local certificate authentication passes 128-bit |
39 | "certificates" that identify an authenticated user. | |
40 | Certificates are created on-the-fly from random data and | |
41 | stored in files under <VAR>/var/run/cups/certs</VAR>. | |
42 | They have restricted read permissions: root + | |
e1d6a774 | 43 | system-group(s) for the root certificate, and lp + lp |
44 | for CGI certificates. | |
4744bd90 | 45 | |
46 | <P>Because certificates are only available on the local | |
47 | system, the CUPS server does not accept local | |
48 | authentication unless the client is connected to the | |
49 | loopback interface (127.0.0.1 or ::1) or domain | |
50 | socket.</P> | |
51 | ||
52 | <P><B>Recommendation:</B> Ensure that unauthorized users | |
7374e9e5 | 53 | are not added to the system group(s).</P></LI> |
4744bd90 | 54 | |
55 | </OL> | |
56 | ||
57 | <H2 CLASS="title"><A NAME="DOS">Denial of Service Attacks</A></H2> | |
58 | ||
59 | <P>When printer sharing or remote administration is enabled, the | |
60 | CUPS server, like all Internet services, is vulnerable to a | |
61 | variety of denial of service attacks:</P> | |
62 | ||
63 | <OL> | |
64 | ||
65 | <LI>Establishing multiple connections to the server until | |
66 | the server will accept no more. | |
67 | ||
68 | <P>This cannot be protected against by any known | |
69 | software. The <CODE>MaxClientsPerHost</CODE> directive | |
70 | can be used to configure CUPS to limit the number of | |
71 | connections allowed from a single host, however that does | |
72 | not prevent a distributed attack.</P> | |
73 | ||
74 | <P><B>Recommendation:</B> Limit access to trusted systems | |
75 | and networks.</P></LI> | |
76 | ||
77 | <LI>Repeatedly opening and closing connections to the | |
78 | server as fast as possible. | |
79 | ||
80 | <P>There is no easy way of protecting against this in the | |
81 | CUPS software. If the attack is coming from outside the | |
82 | local network, it may be possible to filter such an | |
83 | attack. However, once the connection request has been | |
84 | received by the server it must at least accept the | |
85 | connection to find out who is connecting.</P> | |
86 | ||
87 | <P><B>Recommendation:</B> None.</P></LI> | |
88 | ||
4744bd90 | 89 | <LI>Sending partial IPP requests; specifically, sending |
90 | part of an attribute value and then stopping | |
91 | transmission. | |
92 | ||
93 | <P>The current code will wait up to 1 second before | |
94 | timing out the partial value and closing the connection. | |
95 | This will slow the server responses to valid requests and | |
96 | may lead to dropped browsing packets, but will otherwise | |
97 | not affect the operation of the server.</P> | |
98 | ||
99 | <P><B>Recommendation:</B> Block IPP packets from foreign | |
100 | or untrusted networks using a router or | |
101 | firewall.</P></LI> | |
102 | ||
103 | <LI>Sending large/long print jobs to printers, preventing | |
104 | other users from printing. | |
105 | ||
106 | <P>There are limited facilities for protecting against | |
107 | large print jobs (the <CODE>MaxRequestSize</CODE> | |
108 | attribute), however this will not protect printers from | |
109 | malicious users and print files that generate hundreds or | |
110 | thousands of pages.</P> | |
111 | ||
112 | <P><B>Recommendation:</B> Restrict printer access to | |
113 | known hosts or networks, and add user-level access | |
114 | controls as needed for expensive printers.</P></LI> | |
115 | ||
116 | </OL> | |
117 | ||
118 | <H2 CLASS="title"><A NAME="ENCRYPTION">Encryption Issues</A></H2> | |
119 | ||
8072030b | 120 | <P>CUPS supports 128-bit TLS encryption of network connections via the GNU TLS library, macOS Security framework, and Windows Schannel APIs. Secure deployment of TLS depends on proper certificate management and software maintenance.</P> |
4744bd90 | 121 | |
122 | </BODY> | |
123 | </HTML> |