[FreeNX-kNX] printing under freenx/knx
Gian Filippo Pinzari
pinzari at nomachine.com
Wed Apr 13 21:57:36 UTC 2005
Kurt Pfeifle wrote:
>>> * the NX client's system cupsd may not be setup in a secure enough
>>> way. That could give any other NX session user of the same remote
>>> NX server access to that cupsd, just by accessing the forwarded
>>> port.
>>
>>Yes, this is a problem, but unless cups starts to support pipes
>
> CUPS 1.2 will start to support Unix domain sockets.
Remember that the security problem must be really solved on the client.
It's nearly useless to try to solve it on the server. As you should
never trust a Web server, you should never trust a NX server.
Unix pipes are good, but limiting NX to Unix pipes is not a good solution.
Preventing other users to get access to the network port on the server
should be really a function of the OS, a function that NX can and should
leverage. On the client this can be easily solved by the proxy. Look at
how personal firewalls are working on Windows. This is what I would like
to implement.
Some suggested using the SOCKS interface, but I don't think that this is
something we should struggle to implement. IMHO if you just want to
prevent applications trying to get access to your daemons, it's better to
try to leverage the facilities that the server OS offers to the user-space
applications. This has the advantage that it will work with any protocol
and with any application.
/Gian Filippo.
More information about the FreeNX-kNX
mailing list