Visibility Security Issue with Samba Printers

pipitas k1pfeifle at gmx.net
Wed Dec 22 12:49:43 PST 2004


Jeff Sadowski wrote:

> Description: Samba Printer
> Location: Work
> Printer State: idle, accepting jobs.
> Device URI: smb://Username:Password@WindowsDomain/Computer/SharedPrinter
> 
> Everyone on my computer can see my username and password for my windows
> network at work.

That's a valid grievance of yours. Please use a recent version of CUPS to get 
rid of it. See 

   http://www.cups.org/str.php?L933
   http://www.cups.org/str.php?L920

Recent versions put user credentials only in the DEVICE_URI environment
variable (which isn't visible in "ps" or "lpstat -v" outputs). Any user
accessible device URI is "sanitized" from the credential content before
presenting it to the user.

> p.s. the process to setting up a windows shared printer could have been
> much better documented 

I am looking forward to your contributed documentation.

> and could have been made a lot easier.

I am looking forward to your source code patches or new implementations.

> It took a lot
> of looking to find the format for the username password for a windows
> shared printer.

Wait... Let's see:

 * open your favourite browser, 
 * type "http://localhost:631/sam.html" into location bar,
 * search on page for "Windows".

The first hit will read "Printing from Windows Clients", the second one is
"Printing to Windows Servers" in the TOC. Click on the second one (it is a
hyperlink), and you are there.

Or use Google...

Hmmm.... maybe I shouldn't wait for any contributed docu from your site.
Maybe I should rather expect more complaints.

> One other problem I have with this is that the windows username and
> password might contain characters that screw with this format like what if
> the username had colons in it (I'm not sure it's possible but what if) Are
> there any plans on changing/solving some of these issues?

Try escaping the characters in question, or try to put them into quotes.

Above all, be aware that printing *from* CUPS *to* Windows is not the 
main purpose and feature CUPS was designed for. It is rather the other 
way round: make Windows the print clients printing to a CUPS print 
server.

Note that the usage of the "username:password at servername" lingo inside
the device URI is recommended nowhere. It is only provided by the CUPS
developers as a possibility so we can *at all* print if we *urgently* 
need to use that print path. 

In the past I for myself preferred to set up the Windows printer with 
no authentication at all and allow anonymous/guest access to it, so I 
can forego the "username:password" part of the device URI, instead of 
exposing them.

Cheers,
Kurt
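
An added example, not part of the original message and not CUPS code: it percent-encodes a username and password that contain reserved characters before placing them in an smb:// device URI, strips credentials from a URI before display, and audits `lpstat -v` output for queues that still expose them. The function names and the sample `lpstat -v` lines are constructed for illustration, and it is an assumption that the installed backend decodes percent-escapes.

```python
import re
from urllib.parse import quote, unquote

# scheme://authority/rest ; the authority ends at the first "/" after "//".
_URI_RE = re.compile(r'^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<authority>[^/]*)(?P<rest>.*)$', re.I)

# Constructed sample of "lpstat -v" output (first URI is the one from the thread).
SAMPLE_LPSTAT = """\
device for Work: smb://Username:Password@WindowsDomain/Computer/SharedPrinter
device for Lab: ipp://printhost/printers/lab
device for Guest: smb://WindowsDomain/Computer/GuestPrinter
"""

def build_smb_uri(user, password, domain, host, share):
    """Percent-encode every component so ':', '@' and '/' cannot break the URI."""
    enc = lambda s: quote(s, safe="")
    return f"smb://{enc(user)}:{enc(password)}@{enc(domain)}/{enc(host)}/{enc(share)}"

def split_credentials(uri):
    """Return (sanitized_uri, user, password); user and password are None if absent."""
    m = _URI_RE.match(uri)
    if not m or "@" not in m["authority"]:
        return uri, None, None
    # Split on the last "@" so an unescaped "@" in the password stays in userinfo.
    userinfo, _, hostpart = m["authority"].rpartition("@")
    user, sep, pw = userinfo.partition(":")
    clean = f"{m['scheme']}://{hostpart}{m['rest']}"
    return clean, unquote(user), unquote(pw) if sep else None

def audit_lpstat(output):
    """List (queue, sanitized_uri) for every queue whose device URI carries credentials."""
    findings = []
    for line in output.splitlines():
        m = re.match(r'^device for (\S+): (\S+)$', line.strip())
        if m:
            clean, user, _ = split_credentials(m[2])
            if user is not None:
                findings.append((m[1], clean))  # never echo the secret itself
    return findings

if __name__ == "__main__":
    print(build_smb_uri("j:doe", "p@ss/w:rd", "WORKGROUP", "pc1", "Laser Jet"))
    for queue, clean in audit_lpstat(SAMPLE_LPSTAT):
        print(f"{queue}: credentials in device URI (shown sanitized: {clean})")
```
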




