S 5.145 Secure use of CUPS
Initiation responsibility: Head of IT, Administrator
Implementation responsibility: Administrator
On Unix systems, the network-enabled Common Unix Printing System (CUPS) is often used. CUPS is compatible with many different printing systems that permit sharing of files and printers under Windows, such as CIFS/SMB (Common Internet File System/Server Message Block).
The following aspects specified for the planning (see S 2.397 Planning of the use of printers, copiers, and all-in-one devices) or selection (see S 4.304 Administration of printers) must be taken into account for the secure use of CUPS:
General aspects
- Local operation or central print server
CUPS can be operated locally or as a distributed application (client on a workstation PC with a remote server). Accordingly, the configuration differs depending on whether the CUPS client and the CUPS server are on the same IT system or on different IT systems. If they are located on different IT systems, then the IP address or the host name of the particular server must be defined in the configuration file (client.conf) of the CUPS client. When used locally, on the other hand, the loopback address (127.0.0.1) or the "localhost" host name must be entered at the corresponding locations. When used locally, the CUPS server must be bound to the loopback address with the help of the "Listen" configuration parameter in the cupsd.conf file so that the service cannot be accessed from the network. CUPS can be administered centrally regardless of whether or not only local IT systems are permitted to access the printer. Services like SSH or the CUPS web server (see the section on administration) also allow you to change the settings over the network.
- Administration and status information
The clients must be informed regularly of which printers are available and of their status. When broadcasting is used, the server sends unsolicited messages to all print clients at regular intervals, and when polling is used, the print client queries the server for the information.
If the information on the available printers is not to be distributed via polling or broadcasting but is to be done using manual entries instead, then the corresponding function must be disabled by setting the "Browsing" entry in cupsd.conf to "off". If you want to use browsing, then access should be restricted to only those computers actually needed or, if necessary, restricted at the network level.
- Encryption
If the print jobs or status queries are to be transmitted in encrypted form, then a protocol that supports encryption must be used. The Internet Printing Protocol (IPP) used by default in CUPS can be encrypted for communication using the TLS/SSL (Transport Layer Security / Secure Sockets Layer) option.
The "Encryption" entry must be set in the configuration file of the CUPS client (client.conf), if necessary. It is recommended to set this value to "Always", if possible. In addition, TLS/SSL certificates and cryptographic keys must be provided by the CUPS server in this case as well.
- High availability
CUPS can be operated as part of a high availability printing system. A high availability printing system requires detailed planning of the organizational and technical aspects associated with high availability. In particular, you must specify which basic approach will be used to reach the desired availability level, i.e. whether you want to use failover switching or load balancing.
When failover switching is used, implicit print classes must be defined in the cupsd.conf configuration file ("ImplicitClasses On" configuration parameter). More detailed information on this technology can be found in the CUPS documentation.
Access to printers
- User administration
Only authorised users should be permitted access to the print server. The rights required to do this can either be administered on the print server itself, or an existing authentication service can be integrated. Normal users should only be able to use the printing applications on a print server and should not have any access to the files and directories on this server.
Since the users should generally only use the print server for printing purposes and should not be able to log in directly to this server, for example with SSH, the system user group should be separated from the printer user group. Printer users should be created so that they do not have any rights on the print server other than the right to print. A printer user can be created with the "lppasswd -a username" program call, for example.
The assignments controlling which users have access to which printers can be specified in the cupsd.conf file. Here too, the principle of only granting users the access rights actually necessary should be applied as far as possible.
Configurations allowing all users access to all printers should be avoided. One exception to this is the operation of local printers. If there are only a few printer users in an IT system and all printer users are already system users anyway, then you do not need to create a separate group of printer users.
- Authentication methods
CUPS supports various methods for authentication such as "HTTP Basic", "HTTP Digest", or authentication based on certificates. The authentication method can be specified in the "AuthType" parameter in the cupsd.conf configuration file. Since user names and passwords are transmitted in plain text over a network when "HTTP Basic" is used, this method should not be used without implementing additional security precautions. Certificates or "HTTP Digest" should be used instead as the authentication method.
Administration
CUPS may only be administered by persons authorized for administration. These persons can be specified in the "/admin" section of the cupsd.conf configuration file.
Numerous configuration settings can be specified over the web server supplied with CUPS. Network access to this web server should be restricted to the minimum required. The computers permitted access to the web server can be entered in the cupsd.conf configuration file in the "/admin" section. Alternatively, a local packet filter can be used to restrict access to the web server.
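The settings named so far (the listener binding, "Browsing", "AuthType", the "/admin" section and the client's "Encryption" entry) can be checked mechanically. The following is an added example, not part of this safeguard or of the CUPS project: a small auditor whose function names, `local_only` parameter and sample configurations are constructed for illustration. Treating a missing "Require" line in "/admin" as a finding, and accepting "no" and "false" as spellings of "off", are assumptions of this example.

```python
import re

def parse(text):
    """Return (global directives, {location: directives}) as lowercase (name, value) pairs."""
    top, locs, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        start = re.match(r"<Location\s+(\S+)>", line, re.I)
        if start:
            cur = locs.setdefault(start.group(1), [])
        elif line.lower().startswith("</location"):
            cur = None
        elif line and not line.startswith("<"):
            name, *rest = line.split(None, 1)
            (top if cur is None else cur).append((name.lower(), " ".join(rest).lower()))
    return top, locs

def is_local(addr):  # loopback address/host name or Unix domain socket path
    return addr.startswith("/") or addr.rsplit(":", 1)[0] in ("127.0.0.1", "localhost", "[::1]")

def audit(cupsd_conf, client_conf, local_only=True):
    """List deviations from the settings this safeguard names."""
    top, locs = parse(cupsd_conf)
    out = []
    for name, value in top:  # a bare Port directive binds every interface
        if local_only and (name == "port" or (name == "listen" and not is_local(value))):
            out.append(f"network-reachable listener: {name} {value}")
    if not any(n == "browsing" and v in ("off", "no", "false") for n, v in top):
        out.append("Browsing is not off")
    if any(d == ("authtype", "basic") for ds in [top, *locs.values()] for d in ds):
        out.append("AuthType Basic in use")
    admin = locs.get("/admin", [])
    if any(n == "allow" and v.split()[-1:] == ["all"] for n, v in admin):
        out.append("/admin: access allowed from all hosts")
    if not any(n == "require" for n, _ in admin):
        out.append("/admin: no Require line naming administrators")
    if ("encryption", "always") not in parse(client_conf)[0]:
        out.append("client.conf: Encryption is not Always")
    return out

# Constructed sample configurations, not taken from a real system.
WEAK = "Port 631\nBrowsing On\n<Location /admin>\n  AuthType Basic\n  Allow from all\n</Location>\n"
HARDENED = ("Listen 127.0.0.1:631\nListen /run/cups/cups.sock\nBrowsing Off\n"
            "<Location /admin>\n  AuthType Digest\n  Require user @SYSTEM\n"
            "  Order allow,deny\n  Allow from 127.0.0.1\n</Location>\n")

if __name__ == "__main__":
    for finding in audit(WEAK, "ServerName printsrv.example\n"):
        print("FINDING:", finding)
```

For a central print server, call `audit(..., local_only=False)` so that a network listener is not reported; the remaining checks still apply.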
Logs
CUPS provides a wide variety of ways to log events. Many aspects explained in safeguard S 4.302 Logging for printers, copiers and all-in-one devices can be implemented by making the corresponding entries in the cupsd.conf configuration file. The level of detail of the logs can be specified using the "LogLevel" entry, for example.
Archiving
CUPS offers functions for the electronic archiving of printed documents in the file system of the print server. The "PreserveJobs" configuration entry in the cupsd.conf file can be used for this purpose. The maximum number of archived documents can also be specified as an option here. In this case, older entries are overwritten by new documents. If you want to create an archive, then the archived documents must be protected against unauthorised access and against data losses using appropriate mechanisms. You will find more information in module 1.12 Archiving.
Review questions:
- Does the CUPS configuration meet the requirements specified for printing and for all-in-one devices?
- Is administrative access to the CUPS server restricted?
- Is it ensured that only authorised persons can access the print server?