Given PrintNightmare, should spoolss go the way of SMB1: off by default?
abartlet at samba.org
Mon Jul 26 18:09:40 UTC 2021
I'm quite swamped right now, so could another team member please take
on the task of flipping this default for Samba 4.15 please?
On Fri, 2021-07-02 at 13:26 +1200, Andrew Bartlett via samba-technical
> On Wed, 2021-06-30 at 23:39 -0400, Andrew Walker wrote:
> > We've had it disabled in FreeNAS for ages. I think it's an easy /
> > quick win to reduce default exposed attack surface.
> Any chance you could work on the patch to disable this for the next
> I can help advise, but just need to be careful what I promise to
> my own time into.
> We could add an alias with an easy to explain name, but I'll settle
> the default being changed, selftest still working and this all
> documented etc.
> We do need to double-check that it makes all printing code
> inaccessible, via all methods. (The manpage is a lie these days, as
> everything should go via spoolss under the hood, but do check).
> I would love, later, if we could actually compile out the printing
> code, like we can compile out the AD DC.
> Andrew Bartlett
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source