5.5. Securing printing access (the lpd and lprng issue)
Imagine that you have just arrived at work and the printer starts spitting out paper without end, because someone has taken control of the print daemon. Annoying, isn't it?
In any UNIX printing architecture, there has to be a way to get the client's data to the host's print server. In traditional lpr and lp, the client command copies or symlinks the data into the spool directory (which is why these programs are usually SUID or SGID).
In order to avoid any issues you should keep your printer servers especially secure. This means you need to configure your printer service so it will only allow connections from a set of trusted servers. In order to do this, add the servers you want to allow printing to your /etc/hosts.lpd.
However, even then, the lpr daemon still accepts any connection to port 515. You should consider blocking connections from networks/hosts that are not allowed to use the printing service (the lpr daemon cannot be configured to listen only on a given IP address).
Lprng should be preferred over lpr, since it can be configured to honour IP access controls and can be bound to a specified port (although somewhat awkwardly).
If you are using a printer in your system, but only locally, you will not want to share this service over a network. You can consider using other printing systems, like the one provided by cups or http://pdq.sourceforge.net/ which is based on user permissions of the /dev/lp0 device.
In cups, the print data is transferred to the server via the HTTP protocol. This means the client program doesn’t need any special privileges, but does require that the server is listening on a port somewhere.
However, if you only want to use cups locally, you can bind it to the loopback interface by modifying /etc/cups/cupsd.conf:

    Listen 127.0.0.1:631
This configuration file has many other security options, such as allowing or denying networks and hosts. However, if you do not need these, it is enough to restrict the listening port. Cups also serves its documentation over the HTTP port; if you do not want to reveal potentially useful information to an outside attacker (when the port is open), add the following lines:

    <Location />
    Order Deny,Allow
    Deny From All
    Allow From 127.0.0.1
    </Location>
This configuration file can be modified to add some more features including SSL/TLS certificates and crypto. The manuals are available at http://localhost:631/ or at http://cups.org.
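As an added example (not part of this manual or of the CUPS project), the following Python script audits a cupsd.conf for the two settings discussed above: it flags Listen/Port directives that bind a network-reachable address and checks whether the <Location /> block admits only loopback clients. The two embedded configurations are constructed samples, and the loopback/socket detection is this example's own heuristic.

```python
"""Audit a cupsd.conf for loopback-only binding and a restricted <Location />.
Constructed example, not Debian or CUPS code."""
import re

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
ADDR_RE = re.compile(r"^(\[[^\]]+\]|[^:\[]+)(?::\d+)?$")  # host or [v6], optional :port


def _is_loopback(addr):
    """True for a loopback address (optionally with :port) or a UNIX socket path."""
    if addr.startswith("/"):
        return True
    m = ADDR_RE.match(addr)
    return bool(m) and m.group(1).strip("[]") in LOOPBACK_HOSTS


def audit_cupsd(conf_text):
    """Return the bind directives reachable from the network and whether
    <Location /> is restricted to loopback clients (Deny From All + local Allow)."""
    exposed, location, root_rules = [], None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"<Location\s+(\S+)\s*>", line, re.I)
        if m:
            location = m.group(1)
            continue
        if line.lower() == "</location>":
            location = None
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip().lower() if len(parts) > 1 else ""
        if location is None and key == "port":
            exposed.append(line)                    # Port binds every interface
        elif location is None and key == "listen" and not _is_loopback(val):
            exposed.append(line)
        elif location == "/":
            root_rules.append((key, val))
    deny_all = ("deny", "from all") in root_rules
    allow_only_local = all(v.replace("from ", "").strip("[]") in LOOPBACK_HOSTS
                           for k, v in root_rules if k == "allow")
    return {"exposed": exposed, "root_restricted": deny_all and allow_only_local}


# Constructed samples: a network-exposed default and the hardened form from this section.
WEAK_CONF = "Port 631\nListen /var/run/cups/cups.sock\n<Location />\n  Order Allow,Deny\n  Allow From All\n</Location>\n"
HARDENED_CONF = ("Listen 127.0.0.1:631\nListen /var/run/cups/cups.sock\n<Location />\n"
                 "  Order Deny,Allow\n  Deny From All\n  Allow From 127.0.0.1\n</Location>\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_cupsd(conf))
```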
FIXME: Add more content (the article on http://www.rootprompt.org provides some very interesting views).
FIXME: Check the availability of PDG in Debian and, if available, suggest it as the preferred printing system.
FIXME: Check whether Farmer/Wietse offers a replacement for the printer daemon, and whether it is available in Debian.