cgi-bin: localhost

Michael R Sweet mike at easysw.com
Sun Jul 17 16:27:56 PDT 2005


Peter Somogyi wrote:
> Hi Michael,
> 
> I'd like to resurrect an old topic (subject: "cgi-bin: localhost").
> Our customer still needs the change (that the web client should connect to any other cups server, not only localhost).
> We need a detailed explanation of what it means:
> "you will seriously break normal authentication..."

The CGI programs rely on the local certificate authentication
supported by CUPS which uses the 128-bit random numbers that are
stored in the /etc/cups/certs directory (moved in CUPS 1.2) to
do authentication over the local loopback interface.  CUPS will
not use local authentication over any other interface, so if you
don't listen on 127.0.0.1 then you will not be able to use any
web interface feature that requires authentication.

> What's the difficulty: too much work, too much security risk, or some incompatibility?

There are serious security issues to deal with; our implementation
provides proxy authentication on the local machine (the web interface
is mostly implemented using external CGI processes).  Since you can
only use the locally-generated certificates to authenticate, we only
send the authentication information when talking to the local server.
(technically we could query all of the network interfaces to see if
we are accessing the server using a local address, however not all
systems support interface queries as a regular user and they would
affect performance and potentially lead to a security vulnerability
due to exposure of the certificate data...

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Publishing Software        http://www.easysw.com
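
The loopback-only rule described in the message above, as an added example in C (not CUPS source code and not part of the original post): the local certificate is released only when the peer address is a loopback address, and anything else fails closed. The names `is_loopback` and `may_send_local_cert` are hypothetical, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Return 1 only for loopback peers: 127.0.0.0/8, ::1, or IPv4-mapped 127.x.y.z. */
static int is_loopback(const struct sockaddr *addr)
{
    if (addr == NULL)
        return 0;
    if (addr->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)addr;
        return (ntohl(in4->sin_addr.s_addr) >> 24) == 127;
    }
    if (addr->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)addr;
        if (IN6_IS_ADDR_LOOPBACK(&in6->sin6_addr))
            return 1;
        if (IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr))
            return in6->sin6_addr.s6_addr[12] == 127;
    }
    return 0; /* any other family or address: fail closed */
}

/* Hypothetical gate: may the local certificate be sent to this numeric address?
 * Real code would pass the getpeername() result of the connected socket instead. */
int may_send_local_cert(const char *numeric_addr)
{
    struct sockaddr_in in4;
    struct sockaddr_in6 in6;
    memset(&in4, 0, sizeof(in4));
    memset(&in6, 0, sizeof(in6));
    in4.sin_family = AF_INET;
    in6.sin6_family = AF_INET6;
    if (inet_pton(AF_INET, numeric_addr, &in4.sin_addr) == 1)
        return is_loopback((const struct sockaddr *)&in4);
    if (inet_pton(AF_INET6, numeric_addr, &in6.sin6_addr) == 1)
        return is_loopback((const struct sockaddr *)&in6);
    return 0; /* host names and garbage are never treated as local */
}

int main(void)
{
    const char *samples[] = { "127.0.0.1", "::1", "::ffff:127.0.0.1", "192.168.1.10" }; /* constructed */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-18s %s\n", samples[i], may_send_local_cert(samples[i]) ? "send" : "withhold");
    return 0;
}
```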



