Deny/Allow override in Location

Antti Harri iku at openbsd.fi
Mon Nov 28 11:18:49 PST 2005


> In the future, please report this sort of thing using the STR form
> at:
>
>      http://www.cups.org/str.php

I didn't want to register for submitting just one bug report.
It doesn't allow submitting without a login, does it?

>
> That said, there is no compelling reason to change the current
> behavior.  Denying access from the local system will just make it
> impossible to make any changes to the server and break commands like
> lpadmin.
>
> So we will not be adding this change to CUPS, ever.
>
> --
> ______________________________________________________________________
> Michael Sweet, Easy Software Products           mike at easysw dot com
> Internet Printing and Document Software          http://www.easysw.com

Sometimes one wants to disable the ability to make changes to the
running system. I mean, what guarantees do you have that the user is
privileged to view other people's print jobs just by having access to
localhost? Such a user can be a legitimate user added by root or a
malicious attacker who has gained access to the system and can further
exploit the system due to this kind of behaviour in the printing system.

If someone wants to give all access from localhost, that can be achieved
in two ways: making sure there is 127.0.0.1 listed in Allow or by not
having Deny/Allow at all. So I don't see any point in having that
hard-coded in the code. The default configuration can reflect this
behaviour so it will continue to work like it used to.

It only 'breaks' commands that you want. For example lpq still works if
one lists access to /jobs etc.

Consider a scenario where there is a server with two clients connected.
All three computers have CUPS installed. Only the clients are supposed
to send print jobs to the server which prints them. So there isn't
any reason to allow access from localhost, because there isn't any need.
For /jobs and /printers the admin lists those two clients. That way
one can print from the clients and delete jobs and so on. Everything
that is required, at least from my point of view.
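
The two-client scenario in the message above, written out as a cupsd.conf fragment. This is an added example, not part of the original message or the CUPS distribution; the client addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders. As the thread describes, the server at the time still admits requests from the local system regardless of these lists.

```conf
# Constructed example: only the two print clients may reach the
# job and printer resources. 127.0.0.1 is deliberately not listed.
<Location /jobs>
  Order Deny,Allow
  Deny From All
  Allow From 192.0.2.10
  Allow From 192.0.2.11
</Location>

<Location /printers>
  Order Deny,Allow
  Deny From All
  Allow From 192.0.2.10
  Allow From 192.0.2.11
</Location>

# Administrative operations: no Allow lines at all, so the intent
# is that nobody, including local users, can change the server.
<Location /admin>
  Order Deny,Allow
  Deny From All
</Location>
```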





More information about the cups-devel mailing list