Given PrintNightmare, should spoolss go the way of SMB1: off by default?

Andrew Walker awalker at ixsystems.com
Thu Jul 1 03:39:46 UTC 2021


On Wed, Jun 30, 2021 at 10:06 PM ronnie sahlberg via samba-technical <
samba-technical at lists.samba.org> wrote:

> On Thu, Jul 1, 2021 at 11:58 AM Andrew Bartlett via samba-technical
> <samba-technical at lists.samba.org> wrote:
> >
> > G'Day all,
> >
> > It seems the current keep-the-sysadmin-up-at-night is a thing called
> > PrintNightmare (CVE-2021-1675):
> >
> > https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/
> >
> > Hopefully this doesn't read on Samba, nobody really knows the details
> > right now, and if you find out please mail the Samba security alias
> > with the details of how and we will deal with that confidentially.
> >
> > But the public question I have is this:  For Samba 4.15, can we set
> > 'disable spoolss = true' by default please?
> >
> > I love printing just as much as any other team member (joke!), but we
> > have a lot of juicy code in printing that many use cases don't need.
> >
> > When the next printing exploit comes our way, it would be nice if like
> > SMB1, many of our installs have it turned off already.
> >
> > What do folks think?
>
> +1
>
> I don't work on that codebase so take my input for what it is or ignore it.
> Do people still need/use smb/dcerpc based printers in 2021?
>
> Since it is a huge codebase, that runs as root, where I assume there
> is no one actively working on it,
> and where for end-users there are much better solutions in the last 20
> years anyway;
>
> I suggest: disabling it by default sounds like the right thing to do.
> And maybe deleting it at a later stage.
>
> regards
> ronnie sahlberg
>
> >
> > Andrew Bartlett
> > --
> > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> >
> > Samba Development and Support, Catalyst IT - Expert Open Source
> > Solutions
> >
> >
>

We've had it disabled in FreeNAS for ages. I think it's an easy / quick
win to reduce default exposed attack surface.

