[cups.bugs] Re: cups administration how to log on?

Johannes Meixner jsmeix at suse.de
Tue Feb 7 08:38:05 PST 2006


Hello,

On Feb 7 10:49 Anonymous wrote (shortened):
> ... added the LPP password by using
> 
> lppasswd -g sys -a root
> 
> And (after restart of cups) could indeed log in as
> root to cups on port 631.
> 
> I guess, if I understand this correctly, there was even no
> need to have an LPP password for root; I could have just
> put one in for a different user. Correct?

Simply try it out.
You can add as many users to /etc/cups/passwd.md5 as you like.


Background information
(hopefully it is not too bad to post it on cups-bugs):


If the root password were the CUPS admin password,
there would be two places where the root password is stored
(/etc/shadow and /etc/cups/passwd.md5) and therefore
two possible ways to crack the root password.

The inexperienced Suse user can use YaST to set up the queues
and then he doesn't need to know about lppasswd at all.

The experienced user is expected to read the documentation
if something doesn't work out of the box.

Any printer admin tool which runs as root on localhost
doesn't need CUPS admin authentication because root on
localhost has admin access to the cupsd by default.
Therefore YaST and lpadmin don't need special CUPS admin
authentication.

When other printer admin tools don't provide a way to run
as root on localhost, those tools don't support all ways
to administrate printers in CUPS.

Only the CUPS web interface must do CUPS admin authentication
in any case because the server (cupsd) cannot know for sure where
the client (browser) runs and which user runs it (as root on
localhost or as any user on any remote system).

In particular in a business environment it is a big problem if the
root password is stored in an additional place without
explicit notification of the system administrator.

The business system admin may like to use the CUPS web frontend
and then he must set the CUPS admin password explicitly.

We cannot prevent him from using the root password for the CUPS admin
but then he hopefully knows what this means when he does the
authentication via network using the HTTP protocol.
It is almost the same as if he writes down the root password
on a memo and places it at the entrance door of the building ;-)

Have a look at
"CUPS Software Administrators Manual"
"Printing System Security"
and think about setting up SSL; on Suse see for example
/usr/share/doc/packages/cups/ENCRYPTION.txt
To allow only HTTPS for administration stuff
set in cupsd.conf
---------------------------------------
<Location /admin>
....
Encryption Required
---------------------------------------
To be technically 100% correct: Actually it is not HTTP
but IPP and not HTTPS but IPP with SSL/TLS.
Drawback:
Neither Mozilla nor Konqueror work with it because neither
Mozilla nor Konqueror support "Upgrading to TLS Within HTTP",
see for example the Mozilla bug report
https://bugzilla.mozilla.org/show_bug.cgi?id=276813
Workaround:
Specify a CUPS-specific SSLPort in cupsd.conf (to avoid
a possible conflict with a web-server's HTTPS port 443)
and change the HTTP templates in CUPS so that the administration
links point to the right "https" URLs.


Kind Regards
Johannes Meixner
-- 
SUSE LINUX Products GmbH, Maxfeldstrasse 5      Mail: jsmeix at suse.de
90409 Nuernberg, Germany                    WWW: http://www.suse.de/
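
Added example (not part of the original message and not CUPS project code): a small Python check that reads cupsd.conf text and reports `<Location /admin>` blocks that do not set `Encryption Required`, the setting described in the message. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed cupsd.conf fragments for illustration (not from the original post).
SAMPLE_WEAK = """\
<Location />
Order Deny,Allow
</Location>
<Location /admin>
AuthType Basic
# Encryption Required
</Location>
"""
SAMPLE_HARDENED = SAMPLE_WEAK.replace("# Encryption Required", "Encryption Required")

def _is_admin(path):
    # Hypothetical helper: /admin itself and anything below it.
    return path == "/admin" or path.startswith("/admin/")

def admin_locations_without_encryption(conf_text):
    """Return the /admin Location paths that lack 'Encryption Required'."""
    findings = []
    current = None      # path of the <Location> block being read, if any
    encrypted = False   # whether that block set Encryption Required

    def close_block():
        if current is not None and _is_admin(current) and not encrypted:
            findings.append(current)

    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # commented-out directives do not count
            continue
        opened = re.fullmatch(r"<Location\s+(\S+)\s*>", line, re.IGNORECASE)
        if opened:
            close_block()                      # previous block was never closed
            current, encrypted = opened.group(1), False
        elif line.lower() == "</location>":
            close_block()
            current = None
        elif current is not None and line.lower().split() == ["encryption", "required"]:
            encrypted = True
    close_block()                              # block still open at end of file
    return findings

if __name__ == "__main__":
    print(admin_locations_without_encryption(SAMPLE_WEAK))
    print(admin_locations_without_encryption(SAMPLE_HARDENED))
```
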




