Common Unix Printing System


Starting in Mac OS X 10.2, Apple has built the CUPS (Common Unix Printing System) into the operating system. CUPS uses the IPP (Internet Printing Protocol) to access and provide access to printers across TCP/IP networks. IPP uses HTTP 1.1 as its transport protocol (See RFC 2568 for details: and, in fact, is configured very much like the Apache server in Chapter 15, "Web Server Security." Basic printer management is handled either through the Mac OS X Print Center, or via the CUPS internal Web server, accessible by pointing your browser to

In Mac OS X, CUPS is simply referred to within Mac OS X as "Printer Sharing," and like the other services that we've seen, is activated by clicking the Printer Sharing button within the Sharing System Preferences panel, as shown in Figure 16.7.

Figure 16.7. Printer sharing ”sounds great. Now what did I just do?


As you've seen with other Mac OS X servers, clicking a little button sometimes has implications greater than what the user expects. Who, for example, are you sharing the printer to ? We'll get to this, and information on how you can fine-tune printer access, shortly. First, the dirt on CUPS.

CUPS Security History

Like any Internet-connected service, CUPS is prone to remote exploits. Because of its resource-sharing nature, denial of service attacks are what you are most likely to encounter if you use the service. The following five potential attack points are taken from the CUPS security reference (

  1. Establishing multiple connections to the server until the server will accept no more.

  2. Repeatedly opening and closing connections to the server as fast as possible.

  3. Flooding the network with broadcast packets on port 631.

  4. Sending partial IPP requests ; specifically , sending part of an attribute value and then stopping transmission.

  5. Sending large/long print jobs to printers, preventing other users from printing.

Unfortunately, no mechanisms in place within CUPS or IPP can stop these attacks. The MaxClients (and related ) directives can help stave off unreasonable numbers of connections, whereas MaxRequestSize can be used to keep abnormally large requests from being sent to the CUPS server.

Since the introduction of Mac OS X 10.2, there have been several vulnerabilities in the Apple CUPS distribution and a number of operating system updates to fix them.

In Mac OS X 10.2.2, a DoS attack via Web Administration (CVE: CAN-2002-1267) was corrected. The Apple-supplied version of CUPS shipped with port 631 open to machines other than localhost. This resulted in a potential for remote users to access the port and caused a denial of service condition.

The subsequent release of Mac OS X 10.2.3 included a patched version of CUPS that addressed a collection of vulnerabilities submitted as a collection in mid-October 2002.

  • Integer Overflows (CAN-2002-1383)

  • Race Condition (CAN-2002-1366)

  • Add Printers with UDP Packets (CAN-2002-1367)

  • Negative Length memcpy () calls (CAN-2002-1368)

  • Integer Overflows in pdftops and Xfilter (CAN-2002-1384)

  • Unsafe strncat () call (CAN-2002-1369)

  • Root Certificate Design Flaws (CAN-2002-1370)

  • Zero Width Images (CAN-2002-1371)

  • Unchecked File and Socket Operations (CAN-2002-1372)

These vulnerabilities enable an attacker to crash the CUPS daemon by providing a negative content length in the HTTP headers:

 %  telnet 631  POST /printers HTTP/1.1 Host: localhost Authorization: Basic AAA Content-Length: -1 

Other attacks allow remote users to add printers by sending properly formatted UDP packets, execute arbitrary code, and gain root privileges. These issues were promptly fixed in CUPS 1.1.18, and included in Apple's 10.2.3 distribution. Users of earlier versions were advised to update CUPS or disable it completely. The original report of these exploits, along with examples, is provided at

CUPS Configuration Files

Apple's Printer Sharing controls do nothing more than toggle a few directives within the CUPS settings and restart the server process. The Mac OS X CUPS configuration files are stored in the /etc/cups directory. You need to be concerned with three primary config files:

  • classes.conf . Contains settings and access information for "classes" of printers. A class can be considered a collection of multiple printers that will be managed as a unit. Imagine a class as a directory, whereas individual printers are like files. Like the directory and file controls in Apache, you can restrict access to classes and printers.

  • cupsd.conf . The main CUPS setting file. This file is modified by the Apple GUI to enable/disable printer sharing.

  • printers.conf . Settings for the individual printers ”connection information, limits, and so forth.

Printers and classes are defined virtually identically to Apache containers. Please refer to Chapter 15 if you find this confusing.

A printer, as defined in /etc/cups/printers.conf , for example, looks like this:

 <DefaultPrinter MyPrinter> Info DeviceURI lpd:// State Idle Accepting Yes JobSheets none none QuotaPeriod 0 PageLimit 0 KLimit 0 </Printer> 

MyPrinter is defined, along with attributes for quotas, active status, and so on.

The /etc/cups/classes.conf file is very similar:

 <Class OurPrinters> Info test State Idle Accepting Yes JobSheets none none Printer MyPrinter Printer YourPrinter QuotaPeriod 0 PageLimit 0 KLimit 0 </Class> 

The class OurPrinters looks exactly like a printer, with the addition of the Printer directives, which add the printers MyPrinter and YourPrinter to the class. Like a printer, a class of printers can also have access control mechanisms to limit usage.

Access Control Directives

Provide access control for a named printer or class by using a Location container (sounding more and more like Apache, isn't it?). Unlike Apache, Location containers are used to refer to a printer or class, not a URL. A Location is defined and configured within the /etc/cups/cupsd.conf file.

Table 16.8 lists the defined CUPS Location values.

Table 16.8. CUPS Location List




All operations on any resources.


Administrative operations.


All printer classes.

/classes/ <class name >

The named printer class.


All jobs.

/jobs/ <job id>

The named job ID.


All configured printers.

/printers/ <printer name>

The named printer.

/printers/ <printer name> .ppd

The PPD for the named printer.

For example, to set up a location that can be used to control access to the printer MyPrinter , one would use

 <Location /printers/MyPrinter> </Location> 

Within the location, use the directives in Table 16.9 to protect the printers, printer classes, or any of the CUPS locations. Some directives apply globally to the server, rather than a single location.

Table 16.9. Directives to Limit Access to the CUPS Locations



Allow from <source>

Allow access to the resource by the named source. The source may be expressed as All , None , a domain name, an IP address, an IP address/subnet mask, or @LOCAL for the local subnet.

Deny from <source>

The opposite of Allow from , this directive denies access to the source.

Order <allow,denydeny,allow>

The order in which Allow and Deny directives are processed ”whether browsing is assumed to be allowed or denied by default.

AuthClass anonymoususer system group

Sets the level of authentication required to access the location. Anonymous allows anyone to access the resource, user requires a valid username and password, system requires username and password of a member of the sys group, whereas group requires that authentication of a valid user of the group be set by AuthGroupName .

AuthGroupName <group>

The user group to use with AuthClass .

AuthType NoneBasicDigest BasicDigest

Choose the type of authentication required for the resource. These are identical to Apache directives, because IPP is based on HTTP.

Require usergroupvalid-user <users or groups>

Sets the required authentication. If user or group are specified, a list of space-separated users or groups must be provided to use for authentication. Alternatively, the valid-user option will authenticate against any valid user.

BrowseAllow from <source>

(Global) Like the Allow directive, this directive is used to determine what machines CUPS will respond to for printer browsing. The Mac OS X default (when print sharing is active) is @LOCAL .

BrowseDeny from <source>

(Global) The opposite of BrowseAllow , denies access to printer browsing for the named source(s).

BrowseOrder <allow,deny deny,allow>

(Global) The order in which BrowseAllow and BrowseDeny directives are processed ”whether browsing is allowed or denied by default.

Browsing OnOff

(Global) Turns printer browsing on and off.

AccessLog < path >

(Global) Path to store the CUPS access log.

ErrorLog <path>

(Global) Path to store the CUPS error log.

PageLog <path>

(Global) Path to store the CUPS page log.

LogLevel debug2debuginfo warnerrornone

(Global) Level of information stored in the error log, listed here from greatest detail to least.

MaxLogSize < bytes megabytes m>

The maximum size of a logfile before it is automatically rotated .

MaxClients <number>

(Global) Maximum number of clients allowed to connect to the server.

MaxClientsPerHost <number>

(Global) The maximum number of clients allowed to connect from a single host.

MaxJobs <number>

(Global) Maximum number of jobs to keep in memory at a given time. Jobs over this limit are rejected. 0 disables the setting.

MaxJobsPerPrinter <number>

(Global) Maximum number of jobs that can be allowed on a printer or class of printers at a time. 0 disables the setting.

MaxJobsPerUser <number>

(Global) Sets the limit on active jobs from a single user. 0 disables the setting.

MaxRequestSize < bytes megabytes m>

The maximum size of a request (print file) that can be sent to CUPS. 0 disables the setting.

Klimit <size in k>

(Printer/Class) Sets the job size (in k) for a specific printer or class.

PageLimit <number>

(Printer/Class) Sets the maximum number of job pages for a printer or class.

QuotaPeriod <time in seconds>

(Printer/Class) Amount of time before a quota resets.

Accepting <yesno>

(Printer/Class) Choose whether the printer or class is accepting jobs.

The complete list of CUPS security (and general) directives can be found at


The CUPS Web administrative interface ( can, by default, be accessed by any local user. Assuming there are multiple users on the CUPS machine, you should limit access to the /admin location to prevent undesired changes.

Digest Authentication and lppasswd

When using digest authentication, you must manually add users to the CUPS passwd.md5 file by using the command-line tool lppasswd . The lppasswd syntax is simply lppasswd [-a] [-g <groupname> ] [-x] [username] .

The most common use of the command for an administrator is lppasswd followed by -a and a username. Doing so adds a username to the MD5 password file. If the -g flag is used with a group name, the user is added as a member of the named group. If no group is specified, the default system group is used. For example:

 #  lppasswd -a jray  Enter password: Enter password again: 

If specified without a username, lppasswd changes the MD5 password of the user executing the command.

To delete an existing user from the file, use -x <username> as the arguments to lppasswd .


lppasswd does not have any effect on the Mac OS X users or passwords ”only the CUPS passwd.md5 file.


Mac OS X Maximum Security
Maximum Mac OS X Security
ISBN: 0672323818
EAN: 2147483647
Year: 2003
Pages: 158 © 2008-2017.
If you may any questions please contact us: