Given PrintNightmare, should spoolss go the way of SMB1: off by default?
Andrew Bartlett
abartlet at samba.org
Mon Jul 26 18:09:40 UTC 2021
I'm quite swamped right now, so could another team member please take
on the task of flipping this default for Samba 4.15 please?
Thanks!
Andrew Bartlett
On Fri, 2021-07-02 at 13:26 +1200, Andrew Bartlett via samba-technical
wrote:
> On Wed, 2021-06-30 at 23:39 -0400, Andrew Walker wrote:
> > We've had it disabled in FreeNAS for ages. I think it's an easy /
> > quick win to reduce default exposed attack surface.
>
> Any chance you could work on the patch to disable this for the next
> release?
>
> I can help advise, but just need to be careful what I promise to
> invest
> my own time into.
>
> We could add an alias with a easy to explain name, but I'll settle
> for
> the default being changed, selftest still working and this all
> documented etc.
>
> We do need to double-check that it makes all printing code
> inaccessible, via all methods. (The manpage is a lie these days, as
> everything should go via spoolss under the hood, but do check).
>
> I would love, later, if we could actually compile out the printing
> code, like we can compile out the AD DC.
>
> Andrew Bartlett
>
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
More information about the samba-technical
mailing list