[Printing-architecture] IPP-over-USB and Printer Applications: DNS-SD-advertise localhost:PORT a security problem?

Johannes Meixner jsmeix at suse.de
Thu Nov 22 09:20:22 UTC 2018


Hello,

On Nov 21 23:26 Till Kamppeter wrote (excerpt):
> ... advertising ... via DNS-SD ... security problem

in general regarding DNS-SD and security see also
https://github.com/apple/cups/issues/5011

I think (but I know nothing at all about the details here)
advertising a locally connected USB printer via any method
(e.g. via DNS-SD) only on the local host should not result
in more users being able to access the USB printer than before.

Traditionally the device node of a locally connected USB printer
gets by default appropriate traditional Unix permissions so that
the user who runs the CUPS backend (usually user 'lp' group 'lp')
can access the USB printer (usually via the group 'lp').
This means local USB printer access is not permitted for each
individual local user (e.g. via appropriate group settings).
Direct USB printer access is not permitted for normal users.
For normal users USB printer access is only permitted
indirectly via CUPS.

Another crucial point with any kind of networking advertisements
of local USB printers is that the devices must not accidentally
become accessible to any remote user.


Kind Regards
Johannes Meixner
-- 
SUSE LINUX GmbH - GF: Felix Imendoerffer, Jane Smithard,
Graham Norton - HRB 21284 (AG Nuernberg)
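
An added example, not part of the original message: one way to audit both points raised above, namely that a printer service advertised as localhost:PORT listens only on loopback and that the USB printer device node is not open to all local users. It assumes a little-endian Linux host and the /proc/net/tcp layout; the sample rows and port numbers are constructed, and the function names are hypothetical.

```python
import ipaddress
import stat
import struct

# Constructed samples in Linux /proc/net/tcp{,6} layout (columns after "st" omitted).
SAMPLE_TCP = """\
  sl  local_address rem_address   st
   0: 0100007F:EA60 00000000:0000 0A
   1: 00000000:EA61 00000000:0000 0A
   2: 0100007F:0277 0100007F:C350 01
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000001000000:EA62 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000000000000:EA63 00000000000000000000000000000000:0000 0A
"""
PORTS = {60000, 60001, 60002, 60003}  # hypothetical Printer Application ports


def decode_addr(hex_addr):
    """Decode a /proc/net/tcp address: 32-bit words in host (little-endian) order."""
    raw = bytes.fromhex(hex_addr)
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    ip = ipaddress.ip_address(struct.pack(">%dI" % len(words), *words))
    # Treat ::ffff:127.0.0.1 as the IPv4 loopback address it maps to.
    return getattr(ip, "ipv4_mapped", None) or ip


def listeners(proc_text):
    """Return (ip, port) for every socket in LISTEN state (st == 0A)."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        addr, port = fields[1].split(":")
        found.append((decode_addr(addr), int(port, 16)))
    return found


def exposed(proc_text, ports):
    """Listeners on the given ports that are reachable from beyond loopback."""
    return [(str(ip), p) for ip, p in listeners(proc_text)
            if p in ports and not ip.is_loopback]


def node_open_to_others(mode):
    """True if a character device node grants read or write to 'other'."""
    return stat.S_ISCHR(mode) and bool(mode & (stat.S_IROTH | stat.S_IWOTH))


if __name__ == "__main__":
    print(exposed(SAMPLE_TCP, PORTS), exposed(SAMPLE_TCP6, PORTS))
    print(node_open_to_others(stat.S_IFCHR | 0o660))
```

On a real host, pass the contents of /proc/net/tcp and /proc/net/tcp6 to `exposed()` and the `st_mode` from `os.stat()` on the printer's device node to `node_open_to_others()`.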


