NAME
lpd.perms - permissions control file for the LPRng line printer spooler system

DESCRIPTION
The file lpd.perms is used to provide permission information for the LPRng printer spooler system. Blank lines and all characters after a hash sign (``#'') to the end of line are ignored. If a hash sign is desired in the permission information, it should be escaped with a backslash (``\''). All other lines specify a permissions entry and should be of the following form:

   ACCEPT [[not] key = value[,value]* ]*
   REJECT [[not] key = value[,value]* ]*
   DEFAULT ACCEPT
   DEFAULT REJECT

Each LPD service request is checked against the entries in the permissions
database or file. The following is a typical permissions file:
   # Set default permissions
   DEFAULT ACCEPT
   # Reject any connections from outside our subnet
   REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0
   # Only accept spooling (LPR) from
   # Engineering Lab or the Dean's office
   REJECT SERVICE=R NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu
   # Do not accept forwarded jobs for printing
   REJECT SERVICE=R FORWARD
   # Allow only the administrators control access
   ACCEPT SERVICE=C,M REMOTEHOST=spooler.eng.sdsu.edu REMOTEUSER=root,papowell
   ACCEPT SERVICE=C,M SERVER REMOTEUSER=root,papowell
   # Allow only the user on the same host who spooled the job to remove it
   ACCEPT SERVICE=M SAMEUSER SAMEHOST
   # Allow users to check status
   ACCEPT SERVICE=C LPC=status
   # Require connection for other operations over UNIX socket,
   # not TCP/IP port.  Effectively requiring them to be made from the
   # localhost
   ACCEPT SERVICE=C UNIXSOCKET
   REJECT SERVICE=C
   # Variation - accept all spooled jobs, but then apply
   # permissions checking when the job is printed.  This
   # prevents remote spoolers from locking up trying to resend
   # the same request
   ACCEPT SERVICE=R
   REJECT SERVICE=P NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu

   Key          Match  Connect  Job    Job    LPQ    LPRM   LPC
                                Spool  Print
   SERVICE      S      'X'      'R'    'P'    'Q'    'M'    'C,S'
   USER         S      -        JUSR   JUSR   JUSR   JUSR   JUSR
   HOST         S      RH       JH     JH     JH     JH     JH
   GROUP        S      -        JUSR   JUSR   JUSR   JUSR   JUSR
   REMOTEPORT   N      PORT     PORT   -      PORT   PORT   PORT
   REMOTEUSER   S      -        JUSR   JUSR   JUSR   CUSR   CUSR
   REMOTEHOST   S      RH       RH     JH     RH     RH     RH
   UNIXSOCKET   V      SK       SK     SK     SK     SK     SK
   REMOTEGROUP  S      -        JUSR   JUSR   JUSR   CUSR   CUSR
   CONTROLLINE  S      -        CL     CL     CL     CL     CL
   PRINTER      S      -        PR     PR     PR     PR     PR
   FORWARD      V      -        SA     -      -      SA     SA
   SAMEHOST     V      -        SA     -      SA     SA     SA
   SAMEUSER     V      -        -      -      SU     SU     SU
   SERVER       V      -        SV     -      SV     SV     SV
   AUTH         V      -        AU     -      AU     AU     AU
   AUTHTYPE     S      -        AU     -      AU     AU     AU
   AUTHUSER     S      -        AU     -      AU     AU     AU
   AUTHSAMEUSER S      -        AU     -      AU     AU     AU
   AUTHFROM     S      -        AU     -      AU     AU     AU
   AUTHJOB      V      -        AU     -      AU     AU     AU

   PORT is an alias for REMOTEPORT
   REMOTEIP is an alias for REMOTEHOST
   IP is an alias for HOST

   KEY:
   JH   = HOST: host in control file
   RH   = REMOTEHOST: connecting host name/IP
   JUSR = USER: user in control file
   CUSR = REMOTEUSER: user from control request
   JIP  = IP: host/IP addr of host in control file
   RIP  = REMOTEIP: host/IP addr of requesting host
   PORT = connecting host origination port
   SK   = match if connection is over a UNIX socket
   CONTROLLINE = pattern match of control line in control file
   FW   = IP of source of request == IP of host in control file
   SA   = IP of source of request == IP of host in control file
   SU   = user from request == user in control file
   SA   = IP of source of request == IP of server host
   SV   = matches if from same address as server
   AU   = value determined by server authentication operation
          AUTH is true if authenticated transfer; AUTHTYPE is set to the
          type of authentication (kerberos, etc.)
          AUTHUSER is the user authentication id
          AUTHFROM is the sender authentication id (can be a remote server)
          AUTHSAMEUSER matches if the remote user authentication id matches
          the original user authentication id
          AUTHJOB is true if the print job has authentication

   Match:
   S  = string with wild card
   IP = IP address[/netmask]
   N  = low[-high] number range
   V  = exact value match

   SERVICE:
   'X' - connection request
   'R' - lpr request from remote host
   'P' - print job in queue
   'Q' - lpq request
   'M' - lprm request
   'C' - lpc spool control request
   'S' - lpc spool status request
   'U' - administratively allowed user operation

   NOTE: when printing (P action), the remote and job check values (i.e. RUSR, JUSR) are identical.

S = string type match - string match with glob.
    Format: string with wildcards (*); * matches 0 or more chars.
    Character comparison is case insensitive.
    For example, USER=th*s matches uTHS, This, Theses.

IP = IP address and submask. The IP address must be in dotted form.
    Format: x.x.x.x[/y.y.y.y or /z]
      x.x.x.x is the IP address
      y.y.y.y is an optional submask; the default is 255.255.255.255
      z is a netmask with the most significant z bits set
    The match is done by converting the IP address to a 32 bit value and using:
      success = ((x ^ IP) & y) == 0     (C language notation)
    i.e. only bits where the mask is non-zero are used in the comparison.
    For example, IP=130.191.0.0/255.255.0.0 matches all addresses 130.191.X.X;
    IP=130.191.0.0/16 has the same value.

N = numerical range - low-high integer range.
    Format: low[-high]
    Example: PORT=0-1023 matches a port in the range 0 - 1023 (privileged).

The authentication entries AUTH, AUTHTYPE, AUTHUSER, AUTHSAMEUSER and AUTHFROM can be used to check permissions for authenticated operations. AUTH is set (true) if authentication was done. We can use this to reject non-authenticated transfers:

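To make the S, IP and N match classes and the NOT / comma-list rule syntax concrete, here is a small policy evaluator written for this page as an added example; it is not LPRng's own code and does not reproduce LPRng's parser. It implements the ((x ^ IP) & y) == 0 netmask test, the case-insensitive * glob, the low[-high] range, V-class flag keys such as AUTH, SAMEUSER and SERVER, the PORT alias, and the any-address-matches behaviour for multi-homed hosts described under DNS, IPV6, AND MULTIHOMED HOSTS. Two points are this example's assumptions rather than statements on the page: the first rule whose conditions all hold decides the result, and a rule set with no DEFAULT line fails closed (REJECT). The rule set in SAMPLE_PERMS, its REJECT SERVICE=R NOT AUTH and ACCEPT SERVICE=C LPC=hold,release SAMEUSER lines, and the request dictionaries are all constructed for the example.

```python
"""Toy evaluator for lpd.perms rules (added example, not LPRng's own code).
Match classes as in lpd.perms(5): S glob, IP x.x.x.x[/mask], N low[-high], V flags.
Assumed here, not stated on the page: first matching rule decides; no DEFAULT => REJECT."""
import re
import socket

# Key classes from the man page table; any other key (SERVICE, USER, LPC, ...) is an S-class glob.
IP_KEYS = {"IP", "REMOTEIP"}
N_KEYS = {"PORT", "REMOTEPORT"}
V_KEYS = {"UNIXSOCKET", "FORWARD", "SAMEHOST", "SAMEUSER", "SERVER", "AUTH", "AUTHJOB"}

def ip_to_int(dotted):
    return int.from_bytes(socket.inet_aton(dotted), "big")

def match_ip(pattern, addr):
    """IP class: x.x.x.x[/y.y.y.y or /z]; success = ((x ^ IP) & y) == 0."""
    base, _, mask = pattern.partition("/")
    if "." in mask:                      # dotted submask y.y.y.y
        mask_int = ip_to_int(mask)
    else:                                # /z prefix; no mask means all 32 bits
        bits = int(mask) if mask else 32
        mask_int = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return ((ip_to_int(base) ^ ip_to_int(addr)) & mask_int) == 0

def match_string(pattern, value):
    """S class: '*' matches 0 or more chars; comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None

def match_range(pattern, value):
    """N class: low[-high], inclusive."""
    low, _, high = pattern.partition("-")
    return int(low) <= int(value) <= int(high or low)

def strip_comment(line):
    """Text after an unescaped '#' is ignored; a backslash-escaped '#' is literal."""
    return re.split(r"(?<!\\)#", line, maxsplit=1)[0].replace("\\#", "#").strip()

def parse_perms(text):
    """Return (default_action, rules); a rule is (action, [(negate, key, values)])."""
    default, rules = None, []
    for raw in text.splitlines():
        tokens = re.sub(r"\s*=\s*", "=", strip_comment(raw)).split()  # 'key = value' ok
        if not tokens:
            continue
        action = tokens[0].upper()
        if action == "DEFAULT":
            default = tokens[1].upper()
            continue
        if action not in ("ACCEPT", "REJECT"):
            raise ValueError("unrecognised rule: %r" % raw)
        conds, negate = [], False
        for tok in tokens[1:]:
            if tok.upper() == "NOT":     # 'not' applies to the key that follows it
                negate = True
                continue
            key, _, vals = tok.partition("=")
            key = "REMOTEPORT" if key.upper() == "PORT" else key.upper()  # alias
            conds.append((negate, key, vals.split(",") if vals else []))
            negate = False
        rules.append((action, conds))
    return default, rules

def condition_holds(request, negate, key, values):
    """One key=value,... test; a list-valued request field (every address or
    name of a multi-homed host) hits if any element matches any value."""
    if key in V_KEYS:
        hit = key in request.get("FLAGS", set())
    else:
        have = request.get(key, [])
        have = have if isinstance(have, (list, tuple, set)) else [have]
        test = match_ip if key in IP_KEYS else match_range if key in N_KEYS else match_string
        hit = any(test(p, v) for p in values for v in have)
    return (not hit) if negate else hit

def check(request, default, rules):
    """First rule whose conditions all hold decides; else DEFAULT; else REJECT."""
    for action, conds in rules:
        if all(condition_holds(request, *cond) for cond in conds):
            return action
    return default or "REJECT"

# Constructed rule set after the man page example; the NOT AUTH and LPC=hold,release lines are assumed.
SAMPLE_PERMS = """\
DEFAULT ACCEPT
REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0
REJECT SERVICE=R NOT AUTH
REJECT SERVICE=R NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu
REJECT SERVICE=R FORWARD
ACCEPT SERVICE=C,M SERVER REMOTEUSER=root,papowell
ACCEPT SERVICE=M SAMEUSER SAMEHOST
ACCEPT SERVICE=C LPC=status
ACCEPT SERVICE=C LPC=hold,release SAMEUSER
REJECT SERVICE=C
"""

if __name__ == "__main__":   # constructed requests; a multi-homed host is a list
    for req in ({"SERVICE": "X", "REMOTEIP": ["10.0.0.1", "130.191.9.9"]},
                {"SERVICE": "C", "LPC": "hold", "REMOTEUSER": "alice"}):
        print(check(req, *parse_perms(SAMPLE_PERMS)), req)
```

A request is a dictionary of the key values the server would have (SERVICE, REMOTEIP, REMOTEHOST, REMOTEUSER, LPC, ...) plus a FLAGS set for the V-class keys. Running the file prints the decision for the two constructed requests; the same loop can be pointed at a real lpd.perms before it is installed, to confirm that the trailing REJECT SERVICE=C still catches every control request the preceding ACCEPT lines do not cover. Note that this toy keeps IP/mask patterns on the IP and REMOTEIP keys and treats REMOTEHOST values purely as name globs.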
LPC=OP
The LPC=op entry is useful to allow various users to perform administration operations. The following permissions entry would allow users to hold or release their own jobs:

DNS, IPV6, AND MULTIHOMED HOSTS
There is a subtle problem with names and IP addresses which are obtained for 'multi-homed hosts', i.e. those with multiple Ethernet interfaces; for IPV6 (IP Version 6), in which a host can have multiple addresses; and for the normal host, which can have both a short name and a fully qualified domain name. When performing an IP address match, the entire list of IP addresses for a system is checked; if one of these matches, then success is reported. Similarly, the entire list of host names and aliases is checked; if one of these matches, then success is reported.

FILES
The files used by LPRng are set by values in the printer configuration file. The following are a commonly used set of default values.

   /etc/lprng/lpd.conf           LPRng configuration file
   ${HOME}/.printcap             user printer description file
   /etc/printcap                 printer description file
   /etc/lprng/lpd.perms          permissions
   /var/run/lprng/lpd            lock file for queue control
   /var/spool/lpd                spool directories
   /var/spool/lpd/QUEUE/control  queue control
   /var/spool/lpd/QUEUE/log      trace or debug log file
   /var/spool/lpd/QUEUE/acct     accounting file
   /var/spool/lpd/QUEUE/status   status file

SEE ALSO
lpd.conf(5), lpc(8), lpd(8), checkpc(8), lpr(1), lpq(1), lprm(1), printcap(5), pr(1), lprng_certs(1), lprng_index_certs(1).

AUTHOR
Patrick Powell <[email protected]>.

HISTORY
LPRng is an enhanced printer spooler system with functionality similar to the Berkeley LPR software. The LPRng developer mailing list is [email protected]; subscribe by visiting https://lists.sourceforge.net/lists/listinfo/lprng-devel or sending mail to [email protected] with the word subscribe in the body.

2006-12-09 | LPRng |