[PLUG] Printing question for non-Linux users

Don Buchholz don at truedisk.com
Mon Apr 29 20:56:08 UTC 2002


Three main points for print security:

1)  Print queue areas:
    In the past (prior to all these graphical printer config tools),
    my approach used to be:

    drwxrwx---   lp    lp      /var/spool/lp           # directory for all print queues
    drwxrwx---   lp    lp      /var/spool/lp/printer1  #  ... spool area for printer 1
    drwxrwx---   lp    lp      /var/spool/lp/printer2  #  ... spool area for printer 2
          ...    ..    ..      ...                     #  ... etc.   

    Usually this is stricter than the original operating system
    setup.

    I haven't paid too much attention lately (environment doesn't
    have 'hostile' print services users), so I can't speak to the
    configurations used by new systems like 'printconf' and 'CUPS'.

2)  Print Filters:
    Should the print queue call out for a pre- or post-processing
    filter, the filter must be protected from any mischief (i.e.
    neither it nor any of its parent directories may be writable by
    any non-administrative account).

3)  Network:
    Make sure your system only accepts print requests from allowed
    hosts.  Ways to implement this include /etc/hosts.lpd, TCP wrappers
    (/etc/hosts.allow and /etc/hosts.deny), and firewall rules.
    I find the denial-of-service problem is sufficiently bad even
    with allowed users. ;-)
    
Hope that helps.

- Don



T wrote:
> 
> Just a real quick question for those running *BSD or any of the
> commercial UNIX variants - What are the typical/default permissions on
> the print queue?  Is it typically possible (at least in theory) to view
> items in the queue?  I have a Linux box myself, so I can check that, but
> I don't currently have access to any *NIX boxes, so I'm limited in that
> regard.
> 
> The reason for my inquiry is that I'm involved in a course of study that
> includes security.  One of the attacks that was described involved the
> print queue, & I have my questions about how feasible this particular
> attack would be.
> 
> I *really* don't want to know any details about anyone's setup, just
> what the defaults usually are - or even just some well-reasoned
> discussion on the subject.
> 
> Many thanks,
> 
> T.
> 

-- 

- Don Buchholz                               <don at truedisk.com>
- TrueDisk, 7431 NW Evergreen Pkwy - #110, Hillsboro, OR  97124
- voice: 503/615-0888 x266                    FAX: 503/693-0873
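
The check described in point 2 of the message above (neither the filter nor any parent directory writable by a non-administrative account) can be automated. The following is an added example, not part of the original post: the function names, the `if-text` filter name and the temporary demo tree are constructed, and treating only uid/gid 0 as administrative by default is an assumption.

```python
import os
import stat
import tempfile

def audit_filter_path(path, admin_uids=(0,), admin_gids=(0,), stop_at="/"):
    """Return [(path, reason), ...] for the filter and each parent directory
    that a non-administrative account could modify. Empty list = clean."""
    findings = []
    current = os.path.realpath(path)   # symlinks resolved; audit the real target
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.stat(current)
        if st.st_uid not in admin_uids:
            # The owner can always chmod, so the write bit does not matter here.
            findings.append((current, "owned by non-admin uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWGRP and st.st_gid not in admin_gids:
            findings.append((current, "writable by non-admin gid %d" % st.st_gid))
        if st.st_mode & stat.S_IWOTH:
            findings.append((current, "world-writable"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings

def build_demo_tree():
    """Constructed sample: <tmp>/filters/if-text with tight modes."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="lpaudit-"))
    fdir = os.path.join(root, "filters")
    os.mkdir(fdir)
    filt = os.path.join(fdir, "if-text")
    with open(filt, "w") as fh:
        fh.write("#!/bin/sh\ncat\n")
    for p, mode in ((root, 0o755), (fdir, 0o755), (filt, 0o755)):
        os.chmod(p, mode)
    return root, fdir, filt

if __name__ == "__main__":
    root, fdir, filt = build_demo_tree()
    me = (os.getuid(),)            # demo only: treat the current user as the admin
    os.chmod(fdir, 0o777)          # loosen one parent directory
    for where, why in audit_filter_path(filt, admin_uids=me, admin_gids=(), stop_at=root):
        print(where, "->", why)
```

On a real system, call `audit_filter_path` with the filter path named in the print queue's configuration and leave `stop_at` at `/` so every parent directory is covered.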



