OpenPrinting
RFE: Support discovery of printer applications on domain sockets
Using TCP sockets on localhost raises concerns about local privilege escalation attacks. AF_UNIX sockets are more efficient and more secure.
Advertising AF_UNIX sockets over DNS-SD makes little sense, and accepting such an advertisement has its own security concerns. Specifying the AF_UNIX socket in a configuration file is more logical, IMO.
I updated the title of the bug to reflect what is being asked for. In short, @DemiMarie mentioned this on the Apple CUPS issue tracker and I asked her to submit an issue here so we can track support for printer applications that are accessible via domain sockets.
Ideally we should be able to publish (somewhere) a list of domain sockets representing local printer applications that are running, and then the CUPS dests API will be able to use Get-Printers requests to include all of the printers in the list of destinations, as if they were discovered via DNS-SD.
There could be to ways to handle it. Since we are localhost so we could do this via other protocols or via directory structure. I think the best way to have directory that dropins either the sockets itself or a config for the socket.
This is also necessary to support IPP-USB on AF_UNIX without firewall hacks.
@DemiMarie I don't see how we can support an IPP-USB proxy/gateway over domain sockets and still support access to the printer's web page to configure things, clean print heads, etc.
@DemiMarie I don't see how we can support an IPP-USB proxy/gateway over domain sockets and still support access to the printer's web page to configure things, clean print heads, etc.
A browser in a separate network namespace with a TCP ⇔ AF_UNIX proxy in the network namespace is one approach. A program that embeds WebKitGTK and overrides its URL handling is another.