19

I often connect to a network which has a lot of printers. When printer discovery is ongoing, a lot of distracting messages pop up in GNOME. I use a printer only rarely, so I would prefer to keep CUPS disabled most of the time. Stopping CUPS works and eliminates the annoying notifications:

systemctl stop cups

I would like to disable it on boot. Surprisingly, after disabling

systemctl disable cups

CUPS still runs after reboot. The status command

systemctl status cups

produces

● cups.service - CUPS Scheduler
   Loaded: loaded (/lib/systemd/system/cups.service; disabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/cups.service.d
   Active: active (running) since Tue 2018-11-06 02:35:50 PST; 11s ago

I expected that disabling a service would prevent it from running after reboot. Does activation happen because of the preset? I tried to preset the "disabled" status with --preset-mode, but it did not work.

My OS is Debian Stretch.

systemctl --version
systemd 232
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
filbranden
ancient_polaroid
  • Did you check its modes in chkconfig? – BlackCrystal Nov 06 '18 at 10:49
  • 1
    Thanks for your reply! No, I have not. Bash does not find this command. I looked through packages - only Debian Jessie has it: https://packages.debian.org/search?keywords=chkconfig&searchon=names&suite=all&section=all – ancient_polaroid Nov 06 '18 at 11:24
  • Maybe it's in startups. See if https://askubuntu.com/questions/37957/how-do-i-manage-applications-on-startup-in-gnome-3 can help you. – BlackCrystal Nov 06 '18 at 12:05

3 Answers

23

No, activation does not happen because of preset.

systemctl disable cups will only prevent it from auto-starting.

It's possible that it was started anyway because it was required for another service.

This would confirm:

systemctl --reverse list-dependencies cups.service

If that's the case then you should evaluate & disable those services as well.

Or, if you don't care about the repercussions and want to completely prevent it from being started, mask it.

systemctl mask cups

Joseph Tingiris
  • 5
    Thanks! Indeed, cups.service was required for cups-browsed.service, and after disabling the latter, CUPS stopped starting on reboot. – ancient_polaroid Nov 09 '18 at 05:03
7

The cups package ships three systemd unit files: cups.service, cups.socket and cups.path.

The latter two are used for socket activation and path activation, which will end up triggering the service even if it's not enabled.

You should disable all three to make sure cups won't be brought up due to socket or path activation on reboot:

systemctl disable cups.service cups.socket cups.path
filbranden
  • 2
    On my system cups.service has `Also=cups.socket cups.path`. This means enabling cups.service will enable the others - and disabling cups.service will disable the others. – sourcejedi Aug 31 '19 at 15:34
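
Added example, not part of either answer above: the two answers name different ways cups.service gets started after `disable` (a dependent unit such as cups-browsed.service, and the cups.socket / cups.path triggers), and this script checks for both at once. The function names and the sample output are constructed for illustration; the parsers read systemctl output on stdin so they can be run against saved output as well as a live system.

```shell
#!/bin/sh
# Added example (not from the answers above).

# stdin: `systemctl list-unit-files --no-legend` lines ("UNIT STATE [PRESET]").
# Prints the .service/.socket/.path/.timer units named after service $1
# that are still "enabled" (disabled and masked units are skipped).
enabled_activators() {
    awk -v base="${1%.service}" '
        $2 == "enabled" && $1 ~ /\.(service|socket|path|timer)$/ {
            name = $1; sub(/\.[a-z]+$/, "", name)
            if (name == base) print $1
        }'
}

# stdin: `systemctl --reverse list-dependencies UNIT` tree.
# Prints the non-target units that pull in service $1; tree glyphs are ignored.
reverse_dependents() {
    awk -v svc="$1" '
        { n = split($0, f, /[^A-Za-z0-9@_.:-]+/)
          for (i = 1; i <= n; i++)
              if (f[i] ~ /\.(service|socket|path|timer)$/ && f[i] != svc && !seen[f[i]]++)
                  print f[i] }'
}

# Live audit: every unit that can still start the service after `disable`.
audit_service() {
    svc="$1"; base="${svc%.service}"
    systemctl list-unit-files --no-legend "$base.*" | enabled_activators "$svc"
    systemctl --reverse list-dependencies "$svc" | reverse_dependents "$svc"
}

# Constructed sample output, modelled on the cups units named on this page.
SAMPLE_LISTING='cups.path     enabled
cups.service  disabled
cups.socket   enabled
cups-browsed.service enabled'
SAMPLE_REVDEPS='cups.service
● └─cups-browsed.service'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | enabled_activators cups.service
    printf '%s\n' "$SAMPLE_REVDEPS" | reverse_dependents cups.service
fi
```

On a live system, `audit_service cups.service` printing nothing means no enabled trigger unit or dependent is left to start the service at boot.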
2

Disable Unused Network Services as Security Vulnerabilities & Risks

In 6 steps, in the general case, disable rogue services or services that are active yet unused; the associated LISTENING ports are often a security risk! Note you can substitute "cups" service removal for most other systemd Linux services, for example ssh on vulnerable port 22. Even previously harmless dbus.service has been weaponized by data mining criminals grabbing users' data.

I use the extra simple Linux firewall ufw, but advanced users can use SELinux port and service security filters. You are advised to see the link Ports Risks List.

Cups and cupsd ports like 631 (and others) are associated with security risks. You can detect active Linux network connected services with netstat.

1) Detect the rogue or not needed services and their risky ports

  $ sudo netstat -utpln      #  Activity     PID/Service
  tcp   127.0.0.1:631           LISTEN      9132/cupsd

If you do not know what each service in the list is, e.g. cupsd, look it up to see if it is needed. Port 631 is linked to a vulnerability.

2) Firewall Block High Risk Linux Ports and Services

Sure, advanced users apply SELinux rules, but simple firewalls do a great job.

 $ sudo apt install ufw  #  and **dnf** applies to Red-Hat/Fedora/Centos
 $ sudo ufw enable       #  ... Activate the ufw firewall.
 $ sudo ufw deny 631     #  ... block port using the ufw firewall.
 $ sudo ufw status numbered  # Show your ufw firewall rules.
 $ sudo ufw reload  # Reload the above rules that were changed.

Sadly printers are known for their deliberate ink ordering greedy embedded malware as well as hacker malware. Office and home devices that do not need to use a service (like printers) should have this 'deny' applied.

  • SELinux users can fine-tune the risks, but still be able to use cupsd for printing (or indeed suppress all the _cups types). Follow this guide for cups with SELinux.

3) Expose the Linux Service Sub-services to be Disabled

   $ systemctl --reverse list-dependencies 'cups.*'  # Notice the .* is important; quoted so the shell does not expand it.
    cups.service
    ● └─cups-browsed.service
    
    cups.socket
    ● ├─cups.service
    ● └─sockets.target
    ●   └─basic.target
    ●     └─multi-user.target
    ●       └─graphical.target
    
    cups.path
    ● ├─cups.service
    ● └─multi-user.target
    ●   └─graphical.target

4) Disable the service you exposed after stopping it first

$ sudo systemctl stop cups cups.service cups.socket cups.path  # 'stop' is NOT enduring!
$ systemctl --reverse list-dependencies 'cups.*'  # What else hangs onto the service?
$ sudo systemctl disable cups cups.service cups.socket cups.path  # long term setting.

So by now the roach is "inactive, (dead)", right?
WRONG! It has service buddies that cause it to go "active (running)" hours later when you are not looking! Its legs are still twitching and it will get up and run, so you have more killing to do! Normally systemd starts services and they run automatically; you can manually override them by >> appending the word manual once only.

# tee -a appends as root; in 'sudo echo ... >> file' the >> is performed by the unprivileged shell
$ echo "manual" | sudo tee -a /etc/init/cups.override
$ echo "manual" | sudo tee -a /etc/init/cups-browsed.override

5) Remove Rogue Malware Linux Service Packages

You will be shocked to find that cups even when set to "disable" in step 4 has other baddie services that automatically revive it especially on a HP Server with stock Debian installed. In this case "cups" has many hanging on services that can be removed. Note apt or apt-get applies to Debian/Mint/Ubuntu and dnf is for Fedora/Red-Hat/Centos.

$ dpkg -l | grep -i "cups\|print\|hp"   #  Shockingly lots.
$ sudo apt remove --auto-remove cups  # then repeat: dpkg -l as above
   OR purge the service package WITH all its config files:-
$ sudo apt-get purge --auto-remove cups

If you purge, you also lose that service's non-default settings. Settings that indeed may have been hacked. Do so with caution. The advantage is that if your config was hacked then that hack is also 'purged'.

6) Test for More Rogue Linux Services after Reboot

"cups" is an example service, please look for others using the information below.

$ sudo shutdown -r now  # just reboot
$ systemctl --reverse list-dependencies 'cups.*'  # Not there?
$ sudo netstat -utpln  # No sign of rogue service?
$ sudo ps aux | grep -i "cups"  # Nothing there running?
$ dpkg -l | grep -i "cups"  # Is the service running removed?
$ sudo systemctl status cups  # should say "inactive (dead)"
  Or not be present in any way.
$ pstree  # cups gone, but there is so much that can be removed.
$ systemctl list-units --type=service --state=running
$ systemctl --type=service --state=running

Desperado removal of services: systemd uses /etc/systemd/system/<service_name>, /etc/systemd/system/<some_directory>/<service_name> and /etc/init.d/<service_name> to set them going. Moving those files and links away from their directories is brute force, but works.

If you used this for a non-cups vulnerability, please share how you stopped it below.
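
Added example, not part of the answer above: steps 1 and 6 read `netstat -utpln` output by eye, and this filter labels each listening socket by whether it is bound to loopback only or reachable from the network. The function name and the sample rows are constructed; the column layout assumed is that of net-tools netstat, where UDP rows have an empty State column.

```shell
#!/bin/sh
# Added example (not from the answer above).

# stdin: `netstat -utpln` output.
# Prints one line per listening socket: SCOPE PROTO PORT PROGRAM,
# where SCOPE is "loopback" (127.x or ::1 only) or "exposed".
classify_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }              # skip the two header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }
        {
            addr = $4
            port = addr; sub(/^.*:/, "", port)       # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            prog = ($1 ~ /^tcp/) ? $7 : $6           # UDP rows have no State column
            sub(/^[0-9]+\//, "", prog)               # drop the "PID/" prefix
            if (prog == "" || prog == "-") prog = "unknown"   # run without root
            scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "exposed"
            print scope, $1, port, prog
        }'
}

# Constructed sample rows in netstat layout, using the cups daemons from this page.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp   0      0      127.0.0.1:631   0.0.0.0:*       LISTEN  9132/cupsd
tcp6  0      0      ::1:631         :::*            LISTEN  9132/cupsd
udp   0      0      0.0.0.0:631     0.0.0.0:*               1023/cups-browsed'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
fi
```

On a live system: `sudo netstat -utpln | classify_listeners | grep '^exposed'` lists the sockets a firewall rule or a disabled unit would actually take off the network.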