!!!LPD.PERMS
NAME
DESCRIPTION
LPC=OP
DNS, IPV6, AND MULTIHOMED HOSTS
FILES
SEE ALSO
HISTORY
AUTHOR
----
!!NAME

lpd.perms - permissions control file for the LPRng line printer spooler system
!!DESCRIPTION

The file __lpd.perms__ is used to provide permission
information for the LPRng Printer spooler system. Blank
lines and all characters after a hash sign (``#'') to the
end of line are ignored. If a hash sign is desired in the
permission information, it should be escaped with a
backslash (``\''). All other lines specify a permissions entry
and should be of the following form:

ACCEPT [ [not] key = value[,value]* ]*
REJECT [ [not] key = value[,value]* ]*
DEFAULT ACCEPT
DEFAULT REJECT

Each LPD service request is checked against the entries in
the permissions database or file. The following is a typical
permissions file:

# Set default permissions
DEFAULT ACCEPT
# Reject any connections from outside our subnet
REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0
# Only accept spooling (LPR) from
# Engineering Lab or the Dean's office
REJECT SERVICE=R NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu
# Do not accept forwarded jobs for printing
REJECT SERVICE=R FORWARD
# Allow only the administrators control access
ACCEPT SERVICE=C,M REMOTEHOST=spooler.eng.sdsu.edu REMOTEUSER=root,papowell
ACCEPT SERVICE=C,M SERVER REMOTEUSER=root,papowell
# Allow only the user on the same host who spooled the job to remove it
ACCEPT SERVICE=M SAMEUSER SAMEHOST
# Allow users to check status
ACCEPT SERVICE=C LPC=status
# Require other control operations to arrive over the UNIX socket,
# not the TCP/IP port, effectively requiring them to be made from the
# localhost
ACCEPT SERVICE=C UNIXSOCKET
REJECT SERVICE=C
# Variation - accept all spooled jobs, but then apply
# permissions checking when the job is printed. This
# prevents remote spoolers from locking up trying to resend
# the same request
ACCEPT SERVICE=R
REJECT SERVICE=P NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu

Permission checking is done by using a set of keys (or
fields) with associated values to check for permission. The
SERVICE key has value X for the initial connection, R
for spooling (i.e.- an LPR request), P for printing (i.e.-
after the job has been spooled), C for printer control (i.e.- LPC),
M for removal (i.e.- an LPRM request), and Q for queue
information (i.e.- an LPQ request). The X value is used when
checking the connection information.

Initially, all of the keys have undefined or NULL values,
and are assigned values during the permissions checking
process. When a connection is made to the server, it assigns
the REMOTEHOST (alias REMOTEIP) key the list of IP addresses
and hostnames determined by doing a reverse Domain Name
Service (DNS) lookup on the remote host's IP address. If the
reverse DNS fails, then only the IP address will be used.
The REMOTEPORT (PORT is an alias for REMOTEPORT) is assigned
the port number of the connection origination. The
UNIXSOCKET key will match (be true) if the connection is
over a UNIX socket. By convention, this is from the
localhost. Finally, the SERVICE value is assigned X, and the
lpd server will check the database to see if the connection
is accepted or rejected.

The server will then read the request information from the
connection. If the request is for an authenticated data
transfer, the server will invoke the appropriate
authentication mechanism which will assign AUTH a true (or
matching) value, AUTHTYPE the type of authentication,
AUTHUSER the authenticated user id value, which may differ
from the actual user name, and AUTHFROM the authenticated
identification of the originator of the request, which may
be a server if the request is forwarded.

Next, the SERVICE value is set to R, C, M, or Q depending on
whether it is an LPR, LPC, LPRM, or LPQ request, and the LPC
value set to the requested LPC command if it was an LPC
request. If the request contained a user name, then
REMOTEUSER is set to this name. If the request contained a
printer name, then PRINTER is set to the printer name. If
the request is a print request, then the HOST value is set
to the list of host names and IP addresses given by a DNS
lookup of the value in the H field of the job. The database
is scanned again to determine if the operation can be
performed on the requested queue. To simplify the rule
writing, if the operation requires modification or checking
of individual jobs, such as the LPC, LPQ, or LPRM commands,
then the various checks that depend on jobs will succeed in
this step.

Finally, if the operation requires modification or checking
of individual jobs, such as the LPC, LPQ, or LPRM commands,
then the specified print queue is scanned, and for each job
in the print queue, the HOST and USER values are set to the
host and user values in the control file for the
job.

The database is checked as follows. Each line of the
permissions file is scanned for key names and values, and
these are matched against the request keys information. When
all matches on a line are made, then the search terminates with
the specified action (ACCEPT/REJECT). If no match is found
the default permission value is used. The DEFAULT key is
used to specify the current default permission to be used
for successful matches or if there is no match after
scanning the entire permissions database.

The following keys provide some additional checking
capabilities. The REMOTEGROUP entry checks that the
REMOTEUSER value appears in a group or netgroup entry in the
system database, and the GROUP entry does the same for the USER value. For
example, GROUP=student*,staff* would check to see if any of
the group names matching student* or staff* have the
specified user name in them. If a system has the
''netgroups'' capability, a printer, group, or
remotegroup name starting with a @ will be treated
as a netgroup name, and the specified user name or printer will
be checked to see if it is in the group.

The SERVER entry will be true (match) if the request
originated from the print server. The SAMEHOST is true
(matches) if the REMOTEHOST and HOST values have a common
entry, i.e. - are the same host. The SAMEUSER is true
(matches) if the REMOTEUSER and USER values are identical.
The AUTHSAMEUSER is true (matches) if the AUTHUSER value
that originated the request and the AUTHUSER which was used
to transfer a job are identical. AUTHJOB is true (matches)
if the job was transferred using authentication. The FORWARD
value is an alias for NOT SAMEHOST.

The CONTROLLINE value can be used to determine if there is a
matching line in the control file. This facility has been
used to ensure that jobs contain various information fields
in order to be printed.

Key           Match  Connect  Job Spool  Job Print  LPQ     LPRM    LPC
SERVICE       S      'X'      'R'        'P'        'Q'     'M'     'C,S'
USER          S      -        JUSR       JUSR       JUSR    JUSR    JUSR
HOST          S      RH       JH         JH         JH      JH      JH
GROUP         S      -        JUSR       JUSR       JUSR    JUSR    JUSR
REMOTEPORT    N      PORT     PORT       -          PORT    PORT    PORT
REMOTEUSER    S      -        JUSR       JUSR       JUSR    CUSR    CUSR
REMOTEHOST    S      RH       RH         JH         RH      RH      RH
UNIXSOCKET    V      SK       SK         SK         SK      SK      SK
REMOTEGROUP   S      -        JUSR       JUSR       JUSR    CUSR    CUSR
CONTROLLINE   S      -        CL         CL         CL      CL      CL
PRINTER       S      -        PR         PR         PR      PR      PR
FORWARD       V      -        SA         -          -       SA      SA
SAMEHOST      V      -        SA         -          SA      SA      SA
SAMEUSER      V      -        -          -          SU      SU      SU
SERVER        V      -        SV         -          SV      SV      SV
AUTH          V      -        AU         -          AU      AU      AU
AUTHTYPE      S      -        AU         -          AU      AU      AU
AUTHUSER      S      -        AU         -          AU      AU      AU
AUTHSAMEUSER  S      -        AU         -          AU      AU      AU
AUTHFROM      S      -        AU         -          AU      AU      AU
AUTHJOB       V      -        AU         -          AU      AU      AU

PORT is alias for REMOTEPORT
REMOTEIP is alias for REMOTEHOST
IP is alias for HOST

KEY:
JH = HOST host in control file
RH = REMOTEHOST connecting host name/IP
JUSR = USER user in control file
CUSR = REMOTEUSER user from control request
JIP = IP host/IP addr of host in control file
RIP = REMOTEIP host/IP addr of requesting host
PORT = connecting host origination port
SK = match if connection over a UNIX socket
CONTROLLINE = pattern match of control line in control file
FW = IP of source of request == IP of host in control file
SA = IP of source of request == IP of host in control file
SU = user from request == user in control file
SA = IP of source of request == IP of server host
SV = matches if from same address as server
AU = value determined by server authentication operation
AUTH is true if authenticated transfer,
AUTHTYPE is set to the type of authentication (pgp, kerberos, etc)
AUTHUSER is user authentication id
AUTHFROM is sender authentication id (can be remote server)
AUTHSAMEUSER matches if remote user authentication id matches original
user authentication id
AUTHJOB is true if print job has authentication

Match: S = string with wild card, IP = IPaddress[/netmask],
N = low[-high] number range, V = exact value match

SERVICE: 'X' - Connection request; 'R' - lpr request from remote host;
'P' - print job in queue; 'Q' - lpq request; 'M' - lprm request;
'C' - lpc spool control request; 'S' - lpc spool status request;
'U' - administratively allowed user operation

NOTE: when printing (P action), the remote and job check values
(i.e. - RUSR, JUSR) are identical.

The special key ''letter=patterns'' searches the control
file line starting with the (upper case) letter, and is
usually used with printing and spooling checks. For example,
C=A*,B* would check that the class information (i.e.- the line
in the control file starting with C) had a value starting
with A or B.

A permission line consists of a list of tests and a result
value. If all of the tests succeed, then a match has been
found and the permission testing completes with the result
value. You use the DEFAULT reserved word to set the default
ACCEPT/REJECT result. The NOT keyword will reverse the sense
of a test.

Each test can have one or more optional values separated by
commas. For example USER=john,paul,mark has 3 test values.
The Match value specifies how the matching is
done.

S = string type match - string match with glob.
    Format: string with wildcards (*)
    * matches 0 or more chars
    Character comparison is case insensitive.
    For example - USER=th*s matches THS, This, this, Theses
IP = IP address and submask. IP address must be in dotted form.
    Format: x.x.x.x[/y.y.y.y or /z]
    x.x.x.x is IP address
    y.y.y.y is optional submask, default is 255.255.255.255
    z is a netmask with most significant z bits set.
    Match is done by IP address to a 32 bit value and using:
    success = ((x ^ IP )

The authentication entries AUTH, AUTHTYPE, AUTHUSER, AUTHSAMEUSER and AUTHFROM can be used to check permissions for authenticated operations. AUTH is set (true) if authentication was done. We can use this to reject non-authenticated transfers:

REJECT NOT AUTH

The AUTHTYPE will match the authentication type being used or requested by the remote client or server. The AUTHUSER matches the original client authentication information used by the client to make a request to the server, and the AUTHFROM matches the sender authentication information. The AUTHSAMEUSER will match if the remote client or user authentication id is the same as that used for the job generation.
!!LPC=OP

The LPC=op entry is useful to allow various users to perform
administration operations. The following permissions entry
would allow users to hold or release their own jobs:

ACCEPT SERVICE=C SAMEUSER SAMEHOST LPC=release
!!DNS, IPV6, AND MULTIHOMED HOSTS

There is a subtle problem with names and IP addresses which
are obtained for 'multi-homed hosts', i.e. - those with
multiple ethernet interfaces, and for IPV6 (IP Version 6),
in which a host can have multiple addresses, and for the
normal host which can have both a short name and a fully
qualified domain name.

When performing an IP address match, the entire list of IP
addresses for a system will now be checked. If one of these
matches, then success is reported. Similarly, the entire
list of host names and aliases will be checked. If one of
these matches, then success will be reported.
!!FILES

The files used by LPRng are set by values in the printer
configuration file. The following are a commonly used set of
default values.

/etc/lprng/lpd.conf             LPRng configuration file
${HOME}/.printcap               user printer description file
/etc/lprng/printcap             printer description file
/etc/lprng/lpd.perms            permissions
/var/run/lprng/lpd              lock file for queue control
/var/spool/lpd                  spool directories
/var/spool/lpd/QUEUE/control    queue control
/var/spool/lpd/QUEUE/log        trace or debug log file
/var/spool/lpd/QUEUE/acct       accounting file
/var/spool/lpd/QUEUE/status     status file
!!SEE ALSO

lpd.conf(5), lpc(8), lpd(8), checkpc(8), lpr(1), lpq(1),
lprm(1), printcap(5), pr(1).
!!HISTORY

LPRng is an enhanced printer spooler system with
functionality similar to the Berkeley LPR software. The
LPRng mailing list is lprng@lprng.com; subscribe by sending
mail to lprng-request@lprng.com with the word subscribe in
the body. The software is available from
ftp://ftp.lprng.com/pub/LPRng.
!!AUTHOR

Patrick Powell
----