* [Printing-architecture] CUPS systemd issues
@ 2014-10-15 19:27 Michael Sweet
From: Michael Sweet @ 2014-10-15 19:27 UTC (permalink / raw)
  To: printing-architecture


All,

Posting here to get the widest possible audience, as systemd support in CUPS is relatively new (at least for upstream) and we have a few serious bugs reported against CUPS 2.0 on CUPS.org...


STR #4491: CUPS mis-categorizes v1.::127.0.0.1 as not being localhost
    http://www.cups.org/str.php?L4491

Systemd is mapping IPv4 addresses to the 6to4 address space, so instead of getting separate v4 and v6 listeners we have two v6 listeners. This bug MUST be fixed in systemd - treating 6to4 addresses as equivalent to an IPv4 address is a major security hole that we closed during the development of CUPS 1.2, and we will not be opening that hole just to support systemd.  However, if we change the socket file to not list any IP socket listeners (option 1 below) that fix will no longer be required (at least not by CUPS - I still think you'll want to fix it for other IP services that have adopted systemd).


STR #4497: "Port 631" binds to localhost only (systemd regression)
    http://www.cups.org/str.php/L4497

The Linux kernel has a "feature" that prevents a process from listening on the "any" address at the same time as a specific address for the same port. Thus, if systemd is listening on port 631 for connections to localhost, cupsd cannot also create a listener for the "any" address on port 631 when printer sharing is enabled.

Short of the Linux kernel being updated to support what *BSD has supported for years, I see two ways for us to "fix" this issue:

1. Remove the localhost listeners from the org.cups.cupsd.socket file and just run-on-demand based on local domain socket IO. When the web interface is enabled we can disable the on-demand mode, just as we do when printer sharing is enabled or when there are pending jobs.

2. Install two socket files (org.cups.cupsd-sharing.socket and org.cups.cupsd-no-sharing.socket) and enable/disable the correct file based on the current cupsd.conf configuration. An alternative would be to rewrite the socket file based on the cupsd.conf configuration, however there are already users that object to CUPS writing to /etc...

I'm leaning towards option #1.

Thoughts?

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

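An added example (not from the thread or from CUPS) that reproduces the kernel behaviour behind STR #4497: hold a listener on 127.0.0.1 as the systemd socket unit would, then try to add the "any" listener cupsd wants for the same port. It uses an ephemeral port in place of 631 so it runs unprivileged; on Linux the second bind fails with EADDRINUSE even with SO_REUSEADDR set, while BSD-derived kernels allow the overlap.

```python
import errno
import socket
import sys

LINUX = sys.platform.startswith("linux")


def bind_listener(host, port):
    """Open a TCP listening socket the way a daemon such as cupsd would."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # SO_REUSEADDR is set on both sockets so the outcome reflects the
    # wildcard-vs-specific rule itself, not a port lingering in TIME_WAIT.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock


def probe(first_host, second_host):
    """Listen on first_host, then try to add a listener on second_host for
    the same port.  Returns "allowed" or the errno name of the failure."""
    first = bind_listener(first_host, 0)  # port 0: an ephemeral port stands in for 631
    port = first.getsockname()[1]
    try:
        second = bind_listener(second_host, port)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    else:
        second.close()
        return "allowed"
    finally:
        first.close()


if __name__ == "__main__":
    # The systemd case: a localhost listener already holds the port when
    # cupsd asks for the "any" address (and the reverse order).
    print("127.0.0.1 then 0.0.0.0 :", probe("127.0.0.1", "0.0.0.0"))
    print("0.0.0.0 then 127.0.0.1 :", probe("0.0.0.0", "127.0.0.1"))
    if LINUX:
        # Two distinct specific loopback addresses do not collide; the
        # restriction is specific to the wildcard address.
        print("127.0.0.1 then 127.0.0.2:", probe("127.0.0.1", "127.0.0.2"))
```

Listening on a local domain socket only (option 1) sidesteps the rule entirely, since no IP address is held by the socket unit when cupsd later binds the "any" address for sharing.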


* Re: [Printing-architecture] CUPS systemd issues
From: Ira McDonald @ 2014-10-16  0:22 UTC (permalink / raw)
  To: Michael Sweet, Ira McDonald
  Cc: printing-architecture@lists.linux-foundation.org


Hi Mike,

OK - I'll start the chain of responses.

I also favor (strongly) your option 1 choice.

And I favor leaning on the Linux kernel developers to upgrade to use
security practices already in place in BSD and other POSIX-family
kernels for years now.  And Linux Foundation is probably the right
place to bring that pressure to bear.

Cheers,
- Ira (here wearing my Open Printing chair hat)

Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: blueroofmusic@gmail.com
Winter  579 Park Place  Saline, MI  48176  734-944-0094
Summer  PO Box 221  Grand Marais, MI 49839  906-494-2434



* Re: [Printing-architecture] CUPS systemd issues
From: Tim Waugh @ 2014-10-16  8:09 UTC (permalink / raw)
  To: Michael Sweet; +Cc: printing-architecture


On Wed, 2014-10-15 at 15:27 -0400, Michael Sweet wrote:
> 1. Remove the localhost listeners from the org.cups.cupsd.socket file
> and just run-on-demand based on local domain socket IO. When the web
> interface is enabled we can disable the on-demand mode, just as we do
> when printer sharing is enabled or when there are pending jobs.

I think this is the best approach.

Tim.

