Discussion:
Is there a way to password protect the website, but not print requests?
Paul Conklin
2013-01-30 21:52:00 UTC
On CUPS 1.6.1. I plan on exposing my server to the internet via port forwarding on port 631. I want the CUPS WI to prompt for a username / PW, but not when I submit a job. I *think* I can do this with the limit section but not fully sure how... Ideas?
Michael Sweet
2013-02-01 20:55:15 UTC
Paul,

The hard part will be PPD files; at a basic level you can use:

<Location />
<Limit GET>
AuthType Basic
Require valid-User
</Limit>
Order deny,allow
...
</Location>

but then you probably want to allow getting of PPD files without a password, which means adding:

<Location /printers>
Order deny,allow
...
</Location>

but that will mean that access to /printers will not require a password.

The totally unmanageable solution is to add the following for every print queue:

<Location /printers/printername.ppd>
Order deny,allow
</Location>
_______________________________________________
cups mailing list
http://lists.easysw.com/mailman/listinfo/cups
_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
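An added example, not part of the original thread or of CUPS: a small check an administrator can run against their own server to confirm that the Location blocks in the reply above behave as described, with an unauthenticated GET of the web interface root answered by 401 while `/printers` and the PPD stay reachable. The base URL, the function names and the status-to-label mapping are assumptions of this example; `printername` is the placeholder queue name from the reply.

```python
import sys
import urllib.error
import urllib.request

# What an unauthenticated GET should see under the Location blocks quoted in
# the reply above. "printername" is the reply's placeholder queue name.
EXPECTED = {
    "/": "auth",                          # <Limit GET> + Require valid-User
    "/printers/": "open",                 # side effect the reply points out
    "/printers/printername.ppd": "open",  # PPD reachable without a password
}

def http_status(url, timeout=5):
    """Status code of a GET sent without credentials, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 401, 403, ... still carry a code
        return err.code
    except (urllib.error.URLError, OSError):
        return None

def classify(status):
    """Map a status code to the labels used in EXPECTED."""
    if status == 401:
        return "auth"
    if status == 200:
        return "open"
    return "unreachable" if status is None else f"other:{status}"

def audit(base, expected=EXPECTED, fetch=http_status):
    """Return (path, expected, actual, ok) for each path in the policy."""
    rows = []
    for path, want in expected.items():
        got = classify(fetch(base.rstrip("/") + path))
        rows.append((path, want, got, got == want))
    return rows

if __name__ == "__main__":
    # Base URL is an assumption; point it at the server you administer.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:631"
    rows = audit(base)
    for path, want, got, ok in rows:
        print(f"{'ok  ' if ok else 'FAIL'} {path:30} expected={want} actual={got}")
    sys.exit(0 if all(r[3] for r in rows) else 1)
```

Run it from outside the port forward as well as from the LAN, since the two views can differ.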
Paul Conklin
2013-02-04 19:07:49 UTC
Thanks, this at least gives me a fair amount of ideas.
Johannes Meixner
2013-02-05 09:34:23 UTC
Hello,
Post by Paul Conklin
I plan on exposing my server to the internet
via port forwarding on port 631.
I want the CUPS WI to prompt for a username / PW,
but not when I submit a job.
Could this mean that there is no good protection when
print jobs are submitted?

If yes, the result could be that arbitrary print job data can be
submitted to your printers (e.g. by using the "-o raw" option
when the print job is submitted).

As far as I know, at least some printers support firmware updates
by sending them special data in the same way as ordinary printing
data. Whoever can change a printer's firmware can hijack the printer.

Nowadays network printers are also real computers with full
network capabilities. Someone who controls a network printer
controls a printing unit plus a computer with network access.
(Google for "network printer security risk").

Therefore it is crucial to limit access to network printer
devices to trusted users.

You may also have a look at
http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings


Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany
HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
Paul Conklin
2013-02-08 21:37:07 UTC
I can protect against that via my filters; what I don't want to do is open up the WI to the world, just the ability to print. Then my filters will determine if it passes to the printer or not.