Ticket #229 (closed defect: fixed)

Opened 13 years ago

Last modified 10 years ago

CUPS should not scan the local network for printers

Reported by: geofft
Owned by: jdreed
Priority: low
Milestone: Natty Release
Component: --
Keywords:
Cc:
Fixed in version:
Upstream bug:

Description

CUPS by default scans the local network for printers. While this seems at first glance to be either good or neutral, it's the case that lots of users have their personal laptops configured (incorrectly, arguably, but it still happens) to print to Athena printers and then share their local configuration of that printer.

For example, next6.mit.edu is seeing both a "tree-eater" (which I've locally configured because it's Kerberized; see ATN-28) and a "tree_eater", which someone in the dorm has set up. Users should not click an Athena cluster printer's name in the GUI and get some random laptop as their print server.

Change History

comment:1 Changed 13 years ago by jdreed

Should we do this for -workstation and -cluster, or just -cluster?

comment:2 Changed 13 years ago by andersk

CUPS by default scans the local network for printers.

No, you need to take explicit action to enable this (System → Administration → Printing → Server → Settings… → Show printers shared by other systems).

debathena-cupsys-config, however, does enable this.

s/^\s*#?\s*Browsing.*$//m;
s/$/\nBrowsing On/ or die;

comment:3 Changed 13 years ago by broder

I think I thought at the time that you needed to turn on browsing for BrowsePoll to work. Some quick empirical testing suggests that's not the case, so killing that line of the transform script is probably acceptable.

comment:4 Changed 13 years ago by broder

  • Status changed from new to proposed

Fix uploaded to -proposed. Someone should verify that cups.mit.edu queues still show up.

comment:5 Changed 13 years ago by broder

This change doesn't actually work. Removing the Browsing on line from the cupsd config results in CUPS not BrowsePolling against cups.mit.edu. I haven't found any combination of settings that blocks browsing of network-local printers while still listing cups printers, so I'm kind of stuck. I'll plan to revert this change at the end of the week if nobody figures out how to make this work correctly.

comment:6 Changed 13 years ago by jdreed

Suck. I wonder if this means we should move forward on the add-athena-printer thing and just plain stop BrowsePolling. That might not be feasible for the fall, though.

I suppose another terrible idea is that we could distribute an /etc/cups/printers.conf file to all the cluster machines that points at cups.mit.edu and has entries for every cluster and dorm printer in it, and then turn off browsing on cluster machines completely.

Geoff makes a good point though, I can easily see people getting confused by the existence of multiple queues. And there's all sorts of opportunities for bad things to happen. In N42, for example, there are a bunch of shared queues for things like AdobePDF7 and AdobePDF8, which, if printed to, would result in a PDF file ending up on the computer that's sharing them, which would be Bad(tm). It would also result in a bunch of support calls with people saying "I printed to tree_eater and nothing happened", and us wasting time debugging the problem when it turns out to be a queue on someone's laptop.

comment:7 Changed 13 years ago by broder

  • Status changed from proposed to closed
  • Resolution set to wontfix

Marking as WONTFIX since we can't punt browsing and not BrowsePolling

comment:8 Changed 12 years ago by geofft

  • Status changed from closed to reopened
  • Resolution wontfix deleted
  • Milestone Fall Release deleted

WONTFIX is not CANTFIX. This is an actual problem in deployment, and the ticket should remain open even if we don't yet know how to fix it.

Does debathena-ldap-cups-config fix this issue, for instance?

(There's also always the add-athena-printer and upstream fix options.)

comment:9 Changed 12 years ago by jdreed

  • Milestone set to Upstream Utopia

comment:10 Changed 12 years ago by jdreed

  • Milestone changed from Upstream Utopia to Summer 2010 (Lucid Deploy)

-> debathena / trac-#229 / mmanley 14:06 (Do not taunt Happy Fun Ball)

That's fixed easily by setting BrowseLocalProtocols to None.

comment:11 Changed 12 years ago by jdreed

debathena / trac-#229 / mmanley 14:12 (Do not taunt Happy Fun Ball)

You should also set the BrowseRemoteProtocols to CUPS only. That way it
also try to scan for other printers that way.

comment:12 Changed 12 years ago by jdreed

This should only be for -cluster at this point. -workstation and lower should see useless local printers, just like OS X users do :-(

comment:13 Changed 11 years ago by jdreed

  • Milestone changed from Summer 2010 (Lucid Deploy) to Fall 2010

So, this is Hard(tm) for a couple of reasons:

  • CUPS is a piece of crap
  • we don't have a -cluster-printing-config and double diversions suck
  • the CUPS documentation is made of lies

BrowseLocalProtocols is for advertising local printers served by the cupsd, so it doesn't help us.

Setting BrowseRemoteProtocols to cups will in fact fix the problem and turn off mdns printing. This would break existing behavior on not-cluster if we turned this off. However, the current behavior is wrong, because we set "BrowseProtocols cups", which should in fact already turn off mdns, but doesn't. So, *shrug*.

Possible solutions:

  • double divert the file anyway and hope for the best
  • debathena-cluster depends debathena-iptables-config, which drops all mdns packets.
  • hope that users are clever enough not to print to random printers whose names they don't recognize.
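
An added example, not part of the ticket or of the Debathena packages: a small Python check of cupsd.conf text against what comments 5 and 13 report (polling stops without "Browsing On"; only an explicit BrowseRemoteProtocols restricted to cups kept mdns printers out). It assumes a later directive overrides an earlier one; the function names, finding labels and sample configurations are constructed for illustration.

```python
import re

TRUE_VALUES = {"on", "yes", "true"}
ALLOWED_REMOTE = {"cups", "none"}   # comment 13: restrict remote browsing to "cups"

def parse_directives(text):
    """Yield (lowercased name, value) for each directive line, in file order."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":      # skip blanks, comments, <Location> tags
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def audit_browsing(text):
    """Return (findings, poll_servers) for the browsing directives in cupsd.conf text."""
    last, poll = {}, []
    for name, value in parse_directives(text):
        if name == "browsepoll":
            poll.append(value)               # may legitimately appear more than once
        else:
            last[name] = value               # assumption: a later line overrides an earlier one
    findings = []
    browsing_on = last.get("browsing", "").lower() in TRUE_VALUES
    if not browsing_on:
        if poll:                             # comment 5: polling stopped without "Browsing On"
            findings.append("poll-without-browsing")
        return findings, poll
    remote = last.get("browseremoteprotocols")
    if remote is None:
        # comment 13: "BrowseProtocols cups" alone did not stop mdns printers
        findings.append("only-browseprotocols" if "browseprotocols" in last
                        else "remote-unrestricted")
    else:
        extra = set(re.split(r"[\s,]+", remote.lower())) - ALLOWED_REMOTE - {""}
        if extra:
            findings.append("remote-accepts:" + ",".join(sorted(extra)))
    return findings, poll

# Constructed sample configurations (not taken from any real machine).
BEFORE = "Browsing On\nBrowseProtocols cups\nBrowsePoll cups.mit.edu\n"
AFTER = "Browsing On\nBrowseRemoteProtocols cups\nBrowsePoll cups.mit.edu\n"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_browsing(conf))
```

The returned list of BrowsePoll servers is there so a reviewer can confirm that only the intended print server is being polled.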

comment:14 Changed 11 years ago by jdreed

  • Priority changed from normal to low
  • Milestone changed from IAP 2011 to The Distant Future

We essentially "fixed" this in the field with cluster-cups-config. We vaguely still care about it, so I'll move it to distant future.

comment:15 Changed 11 years ago by jdreed

  • Status changed from reopened to committed
  • Milestone changed from The Distant Future to Natty Release

We're continuing to move forward with cluster-cups-config, so I'm going to claim that that's an actual fix.

comment:16 Changed 10 years ago by jdreed

  • Owner set to jdreed
  • Status changed from committed to accepted

Hrm, this ticket has ended up tracking a number of things over the years. We're still blocking on a full Pharos deploy, but at that point, the end state should be:

-cluster-cups-config goes away
-cups-config adds the "mitprint" queue (after checking for local name conflicts) and makes no changes to browsepolling settings.

This means every Debathena machine gets one print queue. Users who want to configure their local printers can do so through s-c-p or add-athena-printer (though I'd encourage s-c-p for the driver issue). We MIGHT consider automatically adding printers specified in Hesiod clusterinfo, but I don't really want to.

comment:17 Changed 10 years ago by jdreed

OK, I think we're on track for an almost-full Pharos deployment by August. I'd like to take the opportunity to merge cluster-cups-config and cups-config (resulting in a single package which only adds the mitprint queue) and coordinate with the Natty release. That way I can send mail to release-announce.

Yes, this means that a few printers that aren't cluster printers will suddenly disappear from people's printer dropdowns.

comment:18 Changed 10 years ago by jdreed

  • Status changed from accepted to development

cupsys-config 1.15 is in -dev.

comment:19 Changed 10 years ago by jdreed

  • Status changed from development to closed
  • Resolution set to fixed

And 2 years after we started, we're finally done with BrowsePolling against CUPS. And there was much rejoicing and the people did feast upon the lambs and sloths and carp and anchovies and orangutans and breakfast cereals...
