Better 'BrowseAllow' default #2008

Closed
michaelrsweet opened this Issue Oct 5, 2006 · 6 comments

michaelrsweet commented Oct 5, 2006

Version: 1.3-feature
CUPS.org User: twaugh.redhat

I think a better default for 'BrowseAllow' than '@Local' is 'ALL'. It seems to be quite common to have a CUPS server on one subnet, with 'BrowseAddress' lines for other subnets, and the routers in between having directed broadcasts enabled.

michaelrsweet commented Oct 10, 2006

CUPS.org User: mike

Um, yeah, speaking to the choir here. It was changed from "all" to "@Local" (actually, we added it since the previous default allowed all) for the SuSE and Debian folks to address their security concerns.

If we change it to "all" by default, we'll just need to manipulate the BrowseOrder directive (allow,deny will hide remote printers, deny,allow will show all remote printers).

I personally don't see how blocking non-local IP browse packets by default is at all useful for security - all of the routers I've used don't forward UDP broadcasts without additional configuration anyways, and you can fake the source address making any IP-based security for the UDP stuff pretty much useless...

This won't get changed in 1.2.x, but we'll see about adding this in 1.3.

BTW, does Linux provide any way to discover where a UDP packet came from, i.e. which interface? At least then @Local and @if(name) would be more useful.

Thanks!

michaelrsweet commented Oct 13, 2006

CUPS.org User: twaugh.redhat

I think SO_BINDTODEVICE is what you're after.

michaelrsweet commented Oct 13, 2006

CUPS.org User: mike

SO_BINDTODEVICE only allows you to bind to a single interface, it doesn't allow you to discover where a particular packet arrived.

michaelrsweet commented Oct 13, 2006

CUPS.org User: twaugh.redhat

Indeed -- so you need one socket per interface.

In fact there may be more than one interface through which a particular packet arrived, in the case that fragmented packets have been reassembled.

michaelrsweet commented Oct 13, 2006

CUPS.org User: mike

Fortunately we don't have to worry about fragmentation - CUPS browse packets are not broken up into separate packets, and CUPS will drop any partials if you do something like set the MTU to 128 bytes or something.

Anyways, I don't think we'll be using SO_BINDTODEVICE, but at the very least we can change the default allow stuff...
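The question raised in this thread (which interface a UDP browse packet arrived on, so that a rule like @Local or @if(name) can be checked against the real ingress interface rather than a spoofable source address) has a direct answer on Linux: the IP_PKTINFO socket option delivers the arrival interface index with every datagram through recvmsg(), with no need for one socket per interface. The example below is added here and is not CUPS code or anything from the thread; it enables IP_PKTINFO, sends a single constructed datagram to itself over loopback, and resolves the reported interface index to a name.

```c
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Receive one datagram on a UDP socket that has IP_PKTINFO enabled and return
 * the index of the interface it arrived on (-1 on error or if no IP_PKTINFO
 * control message was delivered). */
static int recv_with_ifindex(int fd, char *buf, size_t len, ssize_t *got)
{
    char cbuf[CMSG_SPACE(64)];                /* room for the in_pktinfo cmsg */
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    int idx = -1;
    if ((*got = recvmsg(fd, &msg, 0)) < 0)
        return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO)
            memcpy(&idx, CMSG_DATA(c), sizeof(idx)); /* ipi_ifindex is the first field */
    return idx;
}

/* Demonstration: send one constructed datagram to ourselves over loopback and
 * return the name of the interface it arrived on ("lo" on Linux), or NULL if
 * any step fails. The returned pointer refers to a static buffer. */
const char *loopback_arrival_interface(void)
{
    static char ifname[IF_NAMESIZE];
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    int on = 1;
    const char *result = NULL;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = 0 };
    socklen_t alen = sizeof(a);
    char buf[64];
    ssize_t got;
    if (rx < 0 || tx < 0) goto out;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (setsockopt(rx, IPPROTO_IP, IP_PKTINFO, &on, sizeof(on)) < 0) goto out;
    if (bind(rx, (struct sockaddr *)&a, alen) < 0) goto out;
    if (getsockname(rx, (struct sockaddr *)&a, &alen) < 0) goto out; /* learn the port */
    if (sendto(tx, "probe", 5, 0, (struct sockaddr *)&a, alen) != 5) goto out;
    int idx = recv_with_ifindex(rx, buf, sizeof(buf), &got);
    if (idx > 0 && got == 5 && if_indextoname((unsigned)idx, ifname) != NULL)
        result = ifname;
out:
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return result;
}
```

A daemon that wants per-interface access rules would call recv_with_ifindex() on its ordinary listening socket and compare the index against the interfaces a rule names, which an attacker cannot influence by forging the IP source address.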

michaelrsweet commented Feb 12, 2007

CUPS.org User: mike

Fixed in Subversion repository.

michaelrsweet added this to the Stable milestone Mar 17, 2016
