Better 'BrowseAllow' default #2008

michaelrsweet opened this Issue Oct 5, 2006 · 6 comments



michaelrsweet commented Oct 5, 2006

Version: 1.3-feature User: twaugh.redhat

I think a better default for 'BrowseAllow' than '@Local' is 'ALL'. It seems to be quite common to have a CUPS server on one subnet, with 'BrowseAddress' lines for other subnets, and the routers in between having directed broadcasts enabled.


michaelrsweet commented Oct 10, 2006 User: mike

Um, yeah, speaking to the choir here. It was changed from "all" to "@Local" (actually, we added it since the previous default allowed all) for the SuSE and Debian folks to address their security concerns.

If we change it to "all" by default, we'll just need to manipulate the BrowseOrder directive (allow,deny will hide remote printers, deny,allow will show all remote printers).

I personally don't see how blocking non-local IP browse packets by default is at all useful for security - all of the routers I've used don't forward UDP broadcasts without additional configuration anyways, and you can fake the source address making any IP-based security for the UDP stuff pretty much useless...

This won't get changed in 1.2.x, but we'll see about adding this in 1.3.

BTW, does Linux provide any way to discover where a UDP packet came from, i.e. which interface? At least then @Local and @if(name) would be more useful.



michaelrsweet commented Oct 13, 2006 User: twaugh.redhat

I think SO_BINDTODEVICE is what you're after.


michaelrsweet commented Oct 13, 2006 User: mike

SO_BINDTODEVICE only allows you to bind to a single interface, it doesn't allow you to discover where a particular packet arrived.


michaelrsweet commented Oct 13, 2006 User: twaugh.redhat

Indeed -- so you need one socket per interface.

In fact there may be more than one interface through which a particular packet arrived, in the case that fragmented packets have been reassembled.


michaelrsweet commented Oct 13, 2006 User: mike

Fortunately we don't have to worry about fragmentation - CUPS browse packets are not broken up into separate packets, and CUPS will drop any partials if you do something like set the MTU to 128 bytes or something.

Anyways, I don't think we'll be using SO_BINDTODEVICE, but at the very least we can change the default allow stuff...
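The thread above leaves the question of learning a datagram's arrival interface with the one-socket-per-interface SO_BINDTODEVICE approach. Linux also offers IP_PKTINFO, which the thread does not mention: once enabled on a socket, recvmsg() returns an in_pktinfo control message carrying the interface index and the header destination address, so a single unbound socket can tell which interface each browse packet came in on and compare the claimed source against that interface's subnet. The block below is an added example, not CUPS code; the helper names, the constructed control message used for offline checking, and the demo port 63100 are all assumptions made for this illustration.

```c
/* Added example (not CUPS code): on Linux, IP_PKTINFO tells recvmsg() which
 * interface a UDP datagram arrived on, without one SO_BINDTODEVICE socket per
 * interface. The pure helpers are exercised on a constructed control message
 * so the logic can be checked offline; main() shows the live socket use. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Walk the ancillary data recvmsg() returned and pull out the IP_PKTINFO record.
 * Returns the arrival interface index, or -1 if the kernel supplied none
 * (for example because IP_PKTINFO was never enabled on the socket). */
int arrival_ifindex(struct msghdr *msg, struct in_addr *dst_out)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi); /* CMSG_DATA may be unaligned */
            if (dst_out != NULL)
                *dst_out = pi.ipi_addr;           /* destination in the IP header */
            return pi.ipi_ifindex;
        }
    }
    return -1;
}

/* "@Local"-style test: the sender claims an address on the same subnet as the
 * receiving interface. This is only the claimed source; a forged source that
 * arrives on the wrong interface is noticed by also comparing the ifindex. */
int is_on_link(struct in_addr src, struct in_addr if_addr, struct in_addr if_mask)
{
    return (src.s_addr & if_mask.s_addr) == (if_addr.s_addr & if_mask.s_addr);
}

/* Constructed control message, for offline use of arrival_ifindex(): fills buf
 * (which must be suitably aligned for struct cmsghdr) with one IP_PKTINFO
 * record naming ifindex/dst_ip and points msg at it.
 * Returns 0 on success, -1 if buf is too small or dst_ip does not parse. */
int build_pktinfo_cmsg(unsigned char *buf, size_t buflen, struct msghdr *msg,
                       int ifindex, const char *dst_ip)
{
    struct in_pktinfo pi;
    memset(&pi, 0, sizeof pi);
    pi.ipi_ifindex = ifindex;
    if (inet_pton(AF_INET, dst_ip, &pi.ipi_addr) != 1)
        return -1;
    if (buflen < CMSG_SPACE(sizeof pi))
        return -1;

    memset(msg, 0, sizeof *msg);
    msg->msg_control = buf;
    msg->msg_controllen = CMSG_SPACE(sizeof pi);

    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof pi);
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    return 0;
}

/* Live use: receive one datagram and report the interface it came in on.
 * Port 63100 is a constructed value for the demo, not the CUPS browse port. */
int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    int on = 1;
    setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof on); /* ask for in_pktinfo */

    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(63100),
                                .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { perror("bind"); return 1; }

    unsigned char data[1500];
    union { struct cmsghdr hdr; unsigned char bytes[CMSG_SPACE(sizeof(struct in_pktinfo))]; } ctrl;
    struct sockaddr_in from;
    struct iovec iov = { .iov_base = data, .iov_len = sizeof data };
    struct msghdr msg = { .msg_name = &from, .msg_namelen = sizeof from,
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctrl.bytes, .msg_controllen = sizeof ctrl.bytes };

    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) { perror("recvmsg"); return 1; }

    struct in_addr dst;
    int ifindex = arrival_ifindex(&msg, &dst);
    char ifname[IF_NAMESIZE] = "?";
    if (ifindex > 0) if_indextoname((unsigned)ifindex, ifname);
    printf("%zd bytes from %s via ifindex %d (%s)\n", n, inet_ntoa(from.sin_addr), ifindex, ifname);
    close(fd);
    return 0;
}
```

The ifindex from IP_PKTINFO is what the kernel observed, not something the sender controls, so it is a stronger basis for an @Local or @if(name) decision than the source IP alone; the subnet check in is_on_link() still only validates the claimed source, which is the limitation Mike points out about IP-based filtering of UDP.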


michaelrsweet commented Feb 12, 2007 User: mike

Fixed in Subversion repository.

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
