[PLUG] Printing question for non-Linux users
Don Buchholz
don at truedisk.com
Mon Apr 29 20:56:08 UTC 2002
Three main points for print security:
1) Print queue areas:
In the past (prior to all these graphical printer config tools),
my approach used to be:
    drwxrwx---  lp  lp  /var/spool/lp            # directory for all print queues
    drwxrwx---  lp  lp  /var/spool/lp/printer1   # ... spool area for printer 1
    drwxrwx---  lp  lp  /var/spool/lp/printer2   # ... spool area for printer 2
    ...         ..  ..  ...                      # ... etc.
Usually this is stricter than the original operating system
setup.
I haven't paid too much attention lately (environment doesn't
have 'hostile' print services users), so I can't speak to the
configurations used by new systems like 'printconf' and 'CUPS'.
2) Print Filters:
Should the print queue call out for a pre- or post-processing
filter, the filter must be protected from any mischief (i.e. neither
it nor any of its parent directories may be writable by any
non-administrative account).
3) Network:
Make sure your system only accepts print requests from allowed
hosts. Ways to implement this include /etc/hosts.lpd, TCP wrappers
(/etc/hosts.allow and /etc/hosts.deny), and firewall rules.
I find the denial-of-service problem is sufficiently bad even
with allowed users. ;-)
Hope that helps.
- Don
T wrote:
>
> Just a real quick question for those running *BSD or any of the
> commercial UNIX variants - What are the typical/default permissions on
> the print queue? Is it typically possible (at least in theory) to view
> items in the queue? I have a Linux box myself, so I can check that, but
> I don't currently have access to any *NIX boxes, so I'm limited in that
> regard.
>
> The reason for my inquiry is that I'm involved in a course of study that
> includes security. One of the attacks that was described involved the
> print queue, & I have my questions about how feasible this particular
> attack would be.
>
> I *really* don't want to know any details about anyone's setup, just
> what the defaults usually are - or even just some well-reasoned
> discussion on the subject.
>
> Many thanks,
>
> T.
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
--
- Don Buchholz <don at truedisk.com>
- TrueDisk, 7431 NW Evergreen Pkwy - #110, Hillsboro, OR 97124
- voice: 503/615-0888 x266 FAX: 503/693-0873
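
Added example, not part of the original post: one way to check point 2 above is a POSIX shell audit that walks from a print filter up through its parent directories and reports any component a non-administrative account could modify. The function names, the ADMIN_UIDS variable and the path in the usage comment are assumptions; it treats every group-write bit as a finding, which is stricter than the lp-group spool layout in point 1 and is intended for filters.

```shell
#!/bin/sh
# Added example: audit a print filter and every parent directory for write
# access by non-administrative accounts.
# Assumption: administrative accounts are the UIDs in ADMIN_UIDS (default 0).
ADMIN_UIDS="${ADMIN_UIDS:-0}"

# check_component PATH: print findings for PATH; return 1 if any.
check_component() {
    p=$1
    # POSIX "ls -ldn": field 1 is the mode string, field 3 the numeric owner.
    # -L judges a symlink by its target; audit the target's path separately.
    info=$(ls -ldnL "$p" 2>/dev/null) || { echo "missing: $p"; return 1; }
    set -f; set -- $info; set +f
    bad=0
    case " $ADMIN_UIDS " in
        *" $3 "*) ;;
        *) echo "non-admin owner (uid $3): $p"; bad=1 ;;
    esac
    case $1 in ?????w*)    echo "group-writable: $p"; bad=1 ;; esac
    case $1 in ????????w*) echo "world-writable: $p"; bad=1 ;; esac
    return $bad
}

# audit_filter FILE [TOP]: check FILE, then each parent up to TOP (default /).
audit_filter() {
    path=$1 top=${2:-/} rc=0
    while :; do
        check_component "$path" || rc=1
        [ "$path" = "$top" ] || [ "$path" = / ] || [ "$path" = . ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage (hypothetical filter path): sh audit.sh /usr/local/lib/lp/filter1
if [ $# -gt 0 ]; then audit_filter "$@"; fi
```

A non-zero exit status means at least one component was reported; set ADMIN_UIDS to a space-separated list if accounts other than root administer the print system.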