Given PrintNightmare, should spoolss go the way of SMB1: off by default?

Andrew Bartlett abartlet at
Fri Jul 2 01:26:51 UTC 2021

On Wed, 2021-06-30 at 23:39 -0400, Andrew Walker wrote:
> We've had it disabled in FreeNAS for ages. I think it's an easy /
> quick win to reduce default exposed attack surface. 

Any chance you could work on the patch to disable this for the next

I can help advise, but just need to be careful what I promise to invest
my own time into.

We could add an alias with an easy-to-explain name, but I'll settle for
the default being changed, selftest still working and this all
documented etc.

We do need to double-check that it makes all printing code
inaccessible, via all methods.  (The manpage is a lie these days, as
everything should go via spoolss under the hood, but do check). 

I would love, later, if we could actually compile out the printing
code, like we can compile out the AD DC. 

Andrew Bartlett

Andrew Bartlett (he/him)
Samba Team Member (since 2001)
Samba Team Lead, Catalyst IT

Samba Development and Support, Catalyst IT - Expert Open Source
