Given PrintNightmare, should spoolss go the way of SMB1: off by default?
Andrew Bartlett
abartlet at samba.org
Fri Jul 2 01:26:51 UTC 2021
On Wed, 2021-06-30 at 23:39 -0400, Andrew Walker wrote:
>
> We've had it disabled in FreeNAS for ages. I think it's an easy /
> quick win to reduce default exposed attack surface.
Any chance you could work on the patch to disable this for the next
release?
I can help advise, but just need to be careful what I promise to invest
my own time into.
We could add an alias with an easy-to-explain name, but I'll settle for
the default being changed, selftest still working and this all
documented etc.
We do need to double-check that it makes all printing code
inaccessible, via all methods. (The manpage is a lie these days, as
everything should go via spoolss under the hood, but do check).
I would love, later, if we could actually compile out the printing
code, like we can compile out the AD DC.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions