https://bugzilla.novell.com/show_bug.cgi?id=857372
https://bugzilla.novell.com/show_bug.cgi?id=857372#c66
Johannes Meixner changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|VUL-0: cups: cups.socket is |systemd socket activation
|listening on 0.0.0.0 |by default either works
| |insecure (VUL-0: listening
| |everywhere) or it does not
| |work
--- Comment #66 from Johannes Meixner 2014-01-29 09:50:12 CET ---
According to how I meanwhile understand the root cause
(but again and again: I am not at all a systemd expert)
I change the bug's subject from
"VUL-0: cups: cups.socket is listening on 0.0.0.0"
to
"systemd socket activation by default either works insecure
(VUL-0: listening everywhere) or it does not work"
Reasoning (as far as I understand it):
First and foremost it is a crucial security setting
to not expose services that are designed for use
in a LAN (like CUPS) to arbitrary (non trusted) networks
(like the Internet) which means by default the cupsd must
not be accessible via arbitrary interfaces, for details see
http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
systemd unit files for socket activation have hardcoded
default values where systemd would listen.
Those hardcoded default values can either be secure
(i.e. listen only on localhost) but then it does not work
in a real network or those default values would have to be
insecure (i.e. listen everywhere) to make it "just work"
in a real network.
This matches what I wrote in comment#19 above:
---------------------------------------------------------------------
In particular - as far as I see - it seems practically impossible
to maintain such a policy in a hardcoded way at package build-time
via the RPM spec file (various 'suse_version' conditions that need
to be continuously updated are no practically possible way).
---------------------------------------------------------------------
Now it even seems it is completely impossible to provide
systemd unit files for socket activation with default values
that are secure and "just work" in a real network.
Note the distinction:
There is nothing wrong with the socket activation functionality
in systemd (there is no bug in systemd). Socket activation is
useful functionality for admins who can make unit files with
values that match their particular settings in cupsd.conf
for their particular network environment.
What is not possible (as far as I understand it currently) is
to provide ready-made systemd unit files for socket activation
with default values that are secure and work in a real network.
Now I am waiting for the first one who demands "YaST" to "fix" it...
;-)
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.