[Printing-architecture] IPP-over-USB and Printer Applications: DNS-SD-advertise localhost:PORT a security problem?

Michael Sweet msweet at apple.com
Sat Dec 1 17:29:17 UTC 2018


> On Nov 30, 2018, at 8:52 PM, Sean Kau <skau at chromium.org> wrote:
> ...
> We could perform discovery over a domain socket, even continuing to use DNS-SD if we register the

DNS-SD discovery happens through Avahi, which uses DBUS as its communications mechanism.  If the discovered printer has no equivalent CUPS queue, libcups will use a CUPS-Create-Local-Printer request to ask cupsd to resolve and talk to the printer to set up a (temporary) local print queue, and thereafter the client application only ever communicates with cupsd unless it explicitly requests a connection to the printer itself (CUPS_DEST_FLAGS_DEVICE passed to cupsConnectDest) - that would be used by a management application OR by a print dialog wanting to show the currently loaded media. Longer term we would like to be able to relay the currently loaded media via cupsd as well, but that is problematic from a performance perspective...

> ...
> printers at a given endpoint.  As far as I can tell, the primary advantage to using TCP over localhost is the presence of port numbers.

No, it is because the IPP and IPPS URI schemes are based on HTTP and HTTPS, which only recognize Internet Protocol addresses and DNS-style names.  The use of the domain socket by cupsd is non-standard, and even the URIs you pass to cupsd must still use "localhost" when communicating over the domain socket since you can't embed a domain socket filename in the URI without causing a lot of problems...

Michael Sweet, Senior Printing System Engineer
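
An added illustration of the reply's last point (not code from the post or from CUPS): an ipp/ipps URI maps onto an http/https URL whose host must be an IP address or DNS name, so a domain socket filename cannot ride in the URI and has to be passed separately while the URI keeps "localhost". The function names, the socket path and the sample URIs are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# ipp and ipps both default to port 631 (RFC 3510, RFC 7472).
SCHEMES = {"ipp": "http", "ipps": "https"}
DNS_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def host_kind(host):
    """Return 'ip' or 'dns' for a usable URI host, else None."""
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    if len(host) <= 253 and all(DNS_LABEL.match(label) for label in labels):
        return "dns"
    return None


def ipp_to_http(uri):
    """Map an ipp/ipps URI to the http/https URL it is carried over."""
    parts = urlsplit(uri)
    if parts.scheme not in SCHEMES:
        raise ValueError("not an ipp/ipps URI: %r" % uri)
    if host_kind(parts.hostname) is None:
        raise ValueError("host is not an IP address or DNS name: %r" % parts.netloc)
    host = "[%s]" % parts.hostname if ":" in parts.hostname else parts.hostname
    port = parts.port or 631
    return "%s://%s:%d%s" % (SCHEMES[parts.scheme], host, port, parts.path or "/")


def connect_plan(uri, domain_socket=None):
    """Hypothetical helper: where the bytes go, and the URL sent in the request."""
    parts = urlsplit(uri)
    if domain_socket is None:
        return ("tcp", parts.hostname, parts.port or 631), ipp_to_http(uri)
    if parts.hostname != "localhost":
        raise ValueError("URI must name localhost when using a domain socket")
    return ("unix", domain_socket), ipp_to_http(uri)


if __name__ == "__main__":
    # Constructed sample URI; the socket path is an example value.
    print(connect_plan("ipp://localhost/printers/q", "/run/cups/cups.sock"))
```

Both attempts to put the socket filename in the URI are rejected: with an empty authority the host is missing and nothing marks where the filename ends and the resource path begins, and the percent-encoded form yields a host that is neither an IP address nor a DNS name.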
