[thirdparty/cups.git] / doc / help / security.html

<HTML>
<!-- SECTION: Getting Started -->
<HEAD>
	<TITLE>Server Security</TITLE>
	<LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css">
</HEAD>
<BODY>

<H1 CLASS="title">Server Security</H1>

<P>In the default "standalone" configuration, there are few
potential security risks - the CUPS server does not accept remote
connections, and only accepts shared printer information from the
local subnet. When you share printers and/or enable remote
administration, you expose your system to potential unauthorized
access. This help page provides an analysis of possible CUPS
security concerns and describes how to better secure your
server.</P>

<H2 CLASS="title"><A NAME="AUTHENTICATION">Authentication Issues</A></H2>

<P>When you enable remote administration, the server will use Basic authentication for administration tasks. The current CUPS server supports Basic, Kerberos, and local certificate authentication:</P>

<OL>

	<LI>Basic authentication essentially places the clear
	text of the username and password on the network.

	<P>Since CUPS uses the system username and password
	account information, the authentication information could
	be used to gain access to possibly privileged accounts on
	the server.</P>

	<P><B>Recommendation:</B> Enable encryption to hide the
	username and password information - this is the default on
	MacmacOS and systems with GNU TLS or OpenSSL installed.</P></LI>

	<LI>Local certificate authentication passes 128-bit
	"certificates" that identify an authenticated user.
	Certificates are created on-the-fly from random data and
	stored in files under <VAR>/var/run/cups/certs</VAR>.
	They have restricted read permissions: root +
	system-group(s) for the root certificate, and lp + lp
	for CGI certificates.

	<P>Because certificates are only available on the local
	system, the CUPS server does not accept local
	authentication unless the client is connected to the
	loopback interface (127.0.0.1 or ::1) or domain
	socket.</P>

	<P><B>Recommendation:</B> Ensure that unauthorized users
	are not added to the system group(s).</P></LI>

</OL>

<H2 CLASS="title"><A NAME="DOS">Denial of Service Attacks</A></H2>

<P>When printer sharing or remote administration is enabled, the
CUPS server, like all Internet services, is vulnerable to a
variety of denial of service attacks:</P>

<OL>

	<LI>Establishing multiple connections to the server until
	the server will accept no more.

	<P>This cannot be protected against by any known
	software. The <CODE>MaxClientsPerHost</CODE> directive
	can be used to configure CUPS to limit the number of
	connections allowed from a single host, however that does
	not prevent a distributed attack.</P>

	<P><B>Recommendation:</B> Limit access to trusted systems
	and networks.</P></LI>

	<LI>Repeatedly opening and closing connections to the
	server as fast as possible.

	<P>There is no easy way of protecting against this in the
	CUPS software. If the attack is coming from outside the
	local network, it may be possible to filter such an
	attack. However, once the connection request has been
	received by the server it must at least accept the
	connection to find out who is connecting.</P>

	<P><B>Recommendation:</B> None.</P></LI>

	<LI>Sending partial IPP requests; specifically, sending
	part of an attribute value and then stopping
	transmission.

	<P>The current code will wait up to 1 second before
	timing out the partial value and closing the connection.
	This will slow the server responses to valid requests and
	may lead to dropped browsing packets, but will otherwise
	not affect the operation of the server.</P>

	<P><B>Recommendation:</B> Block IPP packets from foreign
	or untrusted networks using a router or
	firewall.</P></LI>

	<LI>Sending large/long print jobs to printers, preventing
	other users from printing.

	<P>There are limited facilities for protecting against
	large print jobs (the <CODE>MaxRequestSize</CODE>
	attribute), however this will not protect printers from
	malicious users and print files that generate hundreds or
	thousands of pages.</P>

	<P><B>Recommendation:</B> Restrict printer access to
	known hosts or networks, and add user-level access
	controls as needed for expensive printers.</P></LI>

</OL>

<H2 CLASS="title"><A NAME="ENCRYPTION">Encryption Issues</A></H2>

<P>CUPS supports 128-bit TLS encryption of network connections via the GNU TLS library, macOS Security framework, and Windows Schannel APIs. Secure deployment of TLS depends on proper certificate management and software maintenance.</P>

</BODY>
</HTML>
Commit	Line	Data
4744bd90	1	<HTML>
	2	<!-- SECTION: Getting Started -->
	3	<HEAD>
	4	<TITLE>Server Security</TITLE>
178cb736	5	<LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css">
4744bd90	6	</HEAD>
	7	<BODY>
	8
178cb736 MS	9	<H1 CLASS="title">Server Security</H1>
178cb736 MS	10
4744bd90	11	<P>In the default "standalone" configuration, there are few
	12	potential security risks - the CUPS server does not accept remote
	13	connections, and only accepts shared printer information from the
	14	local subnet. When you share printers and/or enable remote
eac3a0a0	15	administration, you expose your system to potential unauthorized
4744bd90	16	access. This help page provides an analysis of possible CUPS
	17	security concerns and describes how to better secure your
	18	server.</P>
	19
	20	<H2 CLASS="title"><A NAME="AUTHENTICATION">Authentication Issues</A></H2>
	21
159df568	22	<P>When you enable remote administration, the server will use Basic authentication for administration tasks. The current CUPS server supports Basic, Kerberos, and local certificate authentication:</P>
4744bd90	23
	24	<OL>
	25
	26	<LI>Basic authentication essentially places the clear
	27	text of the username and password on the network.
	28
	29	<P>Since CUPS uses the system username and password
	30	account information, the authentication information could
	31	be used to gain access to possibly privileged accounts on
	32	the server.</P>
	33
	34	<P><B>Recommendation:</B> Enable encryption to hide the
e1d6a774	35	username and password information - this is the default on
8072030b	36	MacmacOS and systems with GNU TLS or OpenSSL installed.</P></LI>
4744bd90	37
4744bd90	38	<LI>Local certificate authentication passes 128-bit
	39	"certificates" that identify an authenticated user.
	40	Certificates are created on-the-fly from random data and
	41	stored in files under <VAR>/var/run/cups/certs</VAR>.
	42	They have restricted read permissions: root +
e1d6a774	43	system-group(s) for the root certificate, and lp + lp
e1d6a774	44	for CGI certificates.
4744bd90	45
	46	<P>Because certificates are only available on the local
	47	system, the CUPS server does not accept local
	48	authentication unless the client is connected to the
	49	loopback interface (127.0.0.1 or ::1) or domain
	50	socket.</P>
	51
	52	<P><B>Recommendation:</B> Ensure that unauthorized users
7374e9e5	53	are not added to the system group(s).</P></LI>
4744bd90	54
	55	</OL>
	56
	57	<H2 CLASS="title"><A NAME="DOS">Denial of Service Attacks</A></H2>
	58
	59	<P>When printer sharing or remote administration is enabled, the
	60	CUPS server, like all Internet services, is vulnerable to a
	61	variety of denial of service attacks:</P>
	62
	63	<OL>
	64
	65	<LI>Establishing multiple connections to the server until
	66	the server will accept no more.
	67
	68	<P>This cannot be protected against by any known
	69	software. The <CODE>MaxClientsPerHost</CODE> directive
	70	can be used to configure CUPS to limit the number of
	71	connections allowed from a single host, however that does
	72	not prevent a distributed attack.</P>
	73
	74	<P><B>Recommendation:</B> Limit access to trusted systems
	75	and networks.</P></LI>
	76
	77	<LI>Repeatedly opening and closing connections to the
	78	server as fast as possible.
	79
	80	<P>There is no easy way of protecting against this in the
	81	CUPS software. If the attack is coming from outside the
	82	local network, it may be possible to filter such an
	83	attack. However, once the connection request has been
	84	received by the server it must at least accept the
	85	connection to find out who is connecting.</P>
	86
	87	<P><B>Recommendation:</B> None.</P></LI>
	88
4744bd90	89	<LI>Sending partial IPP requests; specifically, sending
	90	part of an attribute value and then stopping
	91	transmission.
	92
	93	<P>The current code will wait up to 1 second before
	94	timing out the partial value and closing the connection.
	95	This will slow the server responses to valid requests and
	96	may lead to dropped browsing packets, but will otherwise
	97	not affect the operation of the server.</P>
	98
	99	<P><B>Recommendation:</B> Block IPP packets from foreign
	100	or untrusted networks using a router or
	101	firewall.</P></LI>
	102
	103	<LI>Sending large/long print jobs to printers, preventing
	104	other users from printing.
	105
	106	<P>There are limited facilities for protecting against
	107	large print jobs (the <CODE>MaxRequestSize</CODE>
	108	attribute), however this will not protect printers from
	109	malicious users and print files that generate hundreds or
	110	thousands of pages.</P>
	111
	112	<P><B>Recommendation:</B> Restrict printer access to
	113	known hosts or networks, and add user-level access
	114	controls as needed for expensive printers.</P></LI>
	115
	116	</OL>
	117
	118	<H2 CLASS="title"><A NAME="ENCRYPTION">Encryption Issues</A></H2>
	119
8072030b	120	<P>CUPS supports 128-bit TLS encryption of network connections via the GNU TLS library, macOS Security framework, and Windows Schannel APIs. Secure deployment of TLS depends on proper certificate management and software maintenance.</P>
4744bd90	121
	122	</BODY>
	123	</HTML>