Given PrintNightmare, should spoolss go the way of SMB1: off by default?

Jeremy Allison jra at samba.org
Thu Jul 1 03:50:04 UTC 2021


On Thu, Jul 01, 2021 at 01:56:05PM +1200, Andrew Bartlett via samba-technical wrote:
>G'Day all,
>
>It seems the current keep-the-sysadmin-up-at-night is a thing called
>PrintNightmare (CVE-2021-1675):
>
>https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/
>
>Hopefully this doesn't read on Samba, nobody really knows the details
>right now, and if you find out please mail the Samba security alias
>with the details of how and we will deal with that confidentially.
>
>But the public question I have is this:  For Samba 4.15, can we set
>'disable spoolss = true' by default please?
>
>I love printing just as much as any other team member (joke!), but we
>have a lot of juicy code in printing that many use cases don't need.
>
>When the next printing exploit comes our way, it would be nice if like
>SMB1, many of our installs have it turned off already.
>
>What do folks think?

+1 on disabling printing by default for the next release.

It's a big chunk of horrid code.


