[redhat-lspp] CUPS configuration: Get-Notifications

Matt Anderson mra at hp.com
Fri Apr 13 20:14:47 UTC 2007


Tim Waugh wrote:
> Something that occurred to me today is that for LSPP, CUPS should be
> configured to restrict the IPP notification operations:
> 
> Create-Subscription
> Renew-Subscription
> Get-Notifications
> 
> Otherwise, information about jobs and printers can be discovered.  The
> way subscriptions work is that an IPP connection to the local
> CUPS server is made, and a 'Create-Subscription' operation sets up the
> list of events to notify me of.  Then, later, a 'Get-Notifications'
> operation retrieves a list of events such as job-created, printer-added.
> These events carry information such as job IDs, job names etc.

Thanks for bringing this up Tim.

Are these the config file lines you were thinking we needed?

<Limit Create-Subscription Renew-Subscription Get-Notifications>
  AuthType Basic
  Require user @SYSTEM
  Order deny,allow
</Limit>


I added that to my system and the server parsed the config file,
accepted the options and was able to start, but I'm not sure how to test
the attack you are describing.  I get the feeling this would require a
custom client.

-matt
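
Added example, not part of the original message and not code from the CUPS project: a static check that reports, per policy, whether the three notification operations named in the thread sit in a <Limit> block carrying a Require line. The policy names, the "(top level)" label and the rule that a block naming an operation overrides <Limit All> are assumptions of this sketch.

```python
import re

# The three IPP notification operations named in the thread.
NOTIFY_OPS = ("Create-Subscription", "Renew-Subscription", "Get-Notifications")

def audit_notification_limits(conf_text):
    """Return {policy: {operation: Require value, or None if unrestricted}}.

    Assumption: a block naming an operation takes precedence over <Limit All>.
    """
    results, explicit = {}, set()
    policy, applies = "(top level)", []   # label for blocks outside <Policy>
    for raw in conf_text.splitlines():
        line = raw.strip()                # comment lines match nothing below
        if m := re.match(r"<Policy\s+(\S+)>$", line, re.I):
            policy = m.group(1)
        elif re.match(r"</Policy>$", line, re.I):
            policy = "(top level)"
        elif m := re.match(r"<Limit\s+(.+?)>$", line, re.I):
            ops = m.group(1).lower().split()
            applies = [op for op in NOTIFY_OPS if op.lower() in ops]
            explicit.update((policy, op) for op in applies)
            if "all" in ops:
                applies += [o for o in NOTIFY_OPS if (policy, o) not in explicit]
            if applies:
                table = results.setdefault(policy, dict.fromkeys(NOTIFY_OPS))
                table.update(dict.fromkeys(applies))  # reset until Require seen
        elif re.match(r"</Limit>$", line, re.I):
            applies = []
        elif (m := re.match(r"Require\s+(.+)$", line, re.I)) and applies:
            for op in applies:
                results[policy][op] = m.group(1)
    return results

# Constructed sample: the block from the message placed in a hypothetical
# policy "hardened", beside a hypothetical policy covering one operation.
SAMPLE = """\
<Policy hardened>
  <Limit Create-Subscription Renew-Subscription Get-Notifications>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
<Policy partial>
  <Limit Renew-Subscription>
    Require user @SYSTEM
  </Limit>
</Policy>
"""
```

Calling audit_notification_limits(SAMPLE) maps every operation in "hardened" to "user @SYSTEM" and leaves Create-Subscription and Get-Notifications as None in "partial". This checks the file only; it does not confirm how a running cupsd answers these requests.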
