10

I want to buy new a printer because my old one refuses to print unless I give it access to the internet outside the LAN. I can't really control what it is saying about my print jobs to other organizations and I don't like that. This motivates the question below.

I will connect to the new printer using a USB connection from a machine with GNU/Linux. The driver is proprietary and comes in deb-file

$ dpkg --contents /path/to/hll2350dwpdrv-4.0.0-1.i386.deb
drwxr-xr-x root/root         0 2017-07-18 03:36 ./
drwxr-xr-x root/root         0 2017-07-18 03:36 ./usr/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./usr/share/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./usr/share/doc/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./etc/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./etc/opt/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./etc/opt/brother/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./etc/opt/brother/Printers/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./etc/opt/brother/Printers/HLL2350DW/
drwxr-xr-x root/root         0 2017-07-18 03:34 ./etc/opt/brother/Printers/HLL2350DW/inf/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./opt/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./opt/brother/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./opt/brother/Printers/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./opt/brother/Printers/HLL2350DW/
-rw-r--r-- root/root     20486 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/LICENSE_ENG.txt
-rw-r--r-- root/root     20799 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/LICENSE_JPN.txt
drwxr-xr-x root/root         0 2017-07-18 03:36 ./opt/brother/Printers/HLL2350DW/cupswrapper/
-rw-r--r-- root/root     18351 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/cupswrapper/Copying
-rw-r--r-- root/root     17840 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/cupswrapper/brother-HLL2350DW-cups-en.ppd
-rwxr-xr-x root/root     26369 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/cupswrapper/lpdwrapper
-rwxr--r-- root/root      7606 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/cupswrapper/paperconfigml2
drwxr-xr-x root/root         0 2017-07-18 03:36 ./opt/brother/Printers/HLL2350DW/inf/
-rw-r--r-- root/root       891 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/inf/brHLL2350DWfunc
-rw-r--r-- root/root       168 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/inf/brHLL2350DWrc
-rwxr-xr-x root/root       863 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/inf/setupPrintcap
drwxr-xr-x root/root         0 2017-07-18 03:36 ./opt/brother/Printers/HLL2350DW/lpd/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./opt/brother/Printers/HLL2350DW/lpd/armv7l/
-rwxr-xr-x root/root     31460 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/lpd/armv7l/brprintconflsr3
-rwxr-xr-x root/root     65940 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/lpd/armv7l/rawtobr3
drwxr-xr-x root/root         0 2017-07-18 03:36 ./opt/brother/Printers/HLL2350DW/lpd/i686/
-rwxr-xr-x root/root     28281 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/lpd/i686/brprintconflsr3
-rwxr-xr-x root/root     59014 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/lpd/i686/rawtobr3
-rwxr-xr-x root/root      6698 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/lpd/lpdfilter
drwxr-xr-x root/root         0 2017-07-18 03:36 ./opt/brother/Printers/HLL2350DW/lpd/x86_64/
-rwxr-xr-x root/root     35591 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/lpd/x86_64/brprintconflsr3
-rwxr-xr-x root/root     67752 2017-07-18 03:34 ./opt/brother/Printers/HLL2350DW/lpd/x86_64/rawtobr3
drwxr-xr-x root/root         0 2017-07-18 03:36 ./var/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./var/spool/
drwxr-xr-x root/root         0 2017-07-18 03:36 ./var/spool/lpd/
drw-r--r-- root/root         0 2017-07-18 03:34 ./var/spool/lpd/HLL2350DW/
  • I want to find out if it is possible for the driver or printer to send messages to third parties using the internet connection (via the GNU/Linux-machine it is connected to by USB). I assume it is possible for someone that knows more about the operating system and CUPS than I do to determine the answer to that question. Could you please explain how the driver interacts with the machine, such that I can understand whether it might send messages to the internet?
  • If it is possible, in theory, that the driver or printer can send messages to third parties using the internet connection, what are my options for blocking access its access to the internet?
Mikkel Rev
  • 189

2 Answers2

14

CUPS drivers often include a filter (converter) that is an actual Linux program running under a limited user account. In this example, rawtobr3 seems to be the filter that the PPD file specifies to use (for converting CUPS provided print data into Brother "BR-Script3" format). Since it's a full executable, it can do anything that the OS allows its user account to do, including network access.

You can use various methods such as AppArmor, nft/iptables (with UID-based rules), policy routing (again with UID-based matching), or eBPF (systemd's "IPAddressDeny=" in cups.service) to block network access for CUPS and the helper processes that it runs.

(Be careful to not disallow localhost network access, as CUPS is architectured as an IPP server – it receives even local print jobs via "localhost:631".)

Most modern printers support IPP Everywhere (as part of various certifications like AirPrint or Mopria); this includes IPP-over-USB which can be used through the ipp-usb daemon. Printers that support IPP Everywhere are required to be "driverless", i.e. they must accept jobs in a standard format (such as PDF or PCLm), meaning the Brother CUPS driver is not required to print. See the Debian Wiki article for more information.

grawity
  • 501,077
6

Sure it could. This driver ships with filter programs and scripts that are called as part of the printing process. They can do whatever in addition to their original job. Will they? Probably not.

You could use a security module like SELinux to restrict what programs can do. This can prevent executables from accessing arbitrary files and doing arbitrary things (like connecting to the internet or deleting your stuff or whatever). SELinux is not easy to set up (and maintain, as you change the system).

An easier-to-setup but equally clunky solution would be to just containerize the printing process, disallowing any and all network access for the container.

Your best bet might be to get a printer that understands PostScript directly. Generic drivers exist for these. They would not contain any malware. You may not be able to use all advanced features of the printer though.

user219095
  • 65,551