Given PrintNightmare, should spoolss go the way of SMB1: off by default?
ronnie sahlberg
ronniesahlberg at gmail.com
Thu Jul 1 02:06:07 UTC 2021
On Thu, Jul 1, 2021 at 11:58 AM Andrew Bartlett via samba-technical
<samba-technical at lists.samba.org> wrote:
>
> G'Day all,
>
> It seems the current keep-the-sysadmin-up-at-night is a thing called
> PrintNightmare (CVE-2021-1675):
>
> https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/
>
> Hopefully this doesn't read on Samba, nobody really knows the details
> right now, and if you find out please mail the Samba security alias
> with the details of how and we will deal with that confidentially.
>
> But the public question I have is this: For Samba 4.15, can we set
> 'disable spoolss = true' by default please?
>
> I love printing just as much as any other team member (joke!), but we
> have a lot of juicy code in printing that many use cases don't need.
>
> When the next printing exploit comes our way, it would be nice if like
> SMB1, many of our installs have it turned off already.
>
> What do folks think?
+1
I don't work on that codebase so take my input for what it is or ignore it.
Do people still need/use smb/dcerpc based printers in 2021?
Since it is a huge codebase, that runs as root, where I assume there
is no one actively working on,
and where for end-users there are much better solutions in the last 20
years anyway;
I suggest : disabling it by default sounds like the right thing to do.
And maybe deleting it at a later stage.
regards
ronnie sahlberg
>
> Andrew Bartlett
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
>
>
More information about the samba-technical
mailing list