# NAME
# lpd.perms - permissions control file for the LPRng line printer spooler system
#
# Set default permissions
DEFAULT ACCEPT

##### BUG ALERT
# This file is checked several times for the one job. If we REJECT first
# (every?) time, then the connecting lpr gets a 'no permission' message; if
# we ACCEPT every time, then the job gets printed. But if we ACCEPT first
# time but REJECT others, then the job may fail silently. For example, for a
# SUHRF job for djlw coming from prospero.ucc.usyd.edu.au (which is rejected
# by the hostname or subnet checks except for the one line shown), if we use
# ACCEPT PRINTER=djlw HOST=prospero
# then we get in /usr/spool/LPRng/djlw/log something like
# job 'daemon@prospero+001' transfer to qdjlw@rome failed
# Much less reasonable is that if we use
# ACCEPT PRINTER=djlw,qdjlw REMOTEHOST=siv,rome HOST=prospero
# then we get nothing at all in /usr/spool/LPRng/djlw/log, and even in
# /usr/spool/LPRng/djlw/status.djlw only get the one line
# removing job 'daemon@prospero+002' at 10:57:20
# instead of the usual chatter of "server starting", "start job", ... ,
# "server finished". For some odd reason we need
# ACCEPT PRINTER=djlw,qdjlw REMOTEHOST=siv,rome,prospero HOST=prospero
# to succeed printing. (How could prospero ever be the REMOTEHOST???)
##### BUG ALERT

# NOTE: SUHRF prints to salw which is aliased to djlw
# SUHRF report servers, for Julie (not even in our subnet)
# Could not (should not) lpproxd fix the user and hostnames for these?
#ACCEPT SERVICE=X,R,P,Q,M PRINTER=djlw,qdjlw REMOTEHOST=siv.maths.usyd.edu.au,rome.maths.usyd.edu.au,crescent.ucc.usyd.edu.au HOST=crescent.ucc.usyd.edu.au
#ACCEPT SERVICE=X,R,P,Q,M PRINTER=djlw,qdjlw REMOTEHOST=siv.maths.usyd.edu.au,rome.maths.usyd.edu.au,oberon.ucc.usyd.edu.au HOST=oberon.ucc.usyd.edu.au
#ACCEPT SERVICE=X,R,P,Q,M PRINTER=djlw,qdjlw REMOTEHOST=siv.maths.usyd.edu.au,rome.maths.usyd.edu.au,orlando.ucc.usyd.edu.au HOST=orlando.ucc.usyd.edu.au
#ACCEPT SERVICE=X,R,P,Q,M PRINTER=djlw,qdjlw REMOTEHOST=siv.maths.usyd.edu.au,rome.maths.usyd.edu.au,othello.ucc.usyd.edu.au HOST=othello.ucc.usyd.edu.au
#ACCEPT SERVICE=X,R,P,Q,M PRINTER=djlw,qdjlw REMOTEHOST=siv.maths.usyd.edu.au,rome.maths.usyd.edu.au,prospero.ucc.usyd.edu.au HOST=prospero.ucc.usyd.edu.au
#ACCEPT SERVICE=X,R,P,Q,M PRINTER=djlw,qdjlw REMOTEHOST=siv.maths.usyd.edu.au,rome.maths.usyd.edu.au,tamora.ucc.usyd.edu.au HOST=tamora.ucc.usyd.edu.au
#ACCEPT SERVICE=X,R,P,Q,M PRINTER=djlw,qdjlw REMOTEHOST=siv.maths.usyd.edu.au,rome.maths.usyd.edu.au,trigg.ucc.usyd.edu.au HOST=trigg.ucc.usyd.edu.au
ACCEPT SERVICE=X,R,P,Q,M PRINTER=djlw,qdjlw REMOTEHOST=siv.maths.usyd.edu.au,rome.maths.usyd.edu.au,gaius.ucc.usyd.edu.au HOST=gaius.ucc.usyd.edu.au

# We do not accept many exceptions: "funny" machines (with broken lpr
# implementations, non-School usernames etc) should print via siv
# (lpproxd fixes user- and hostnames in cf files).

# Only accept requests from hosts which have a DNS entry in maths.usyd.edu.au
# (so the subnet numbers checks below are superfluous). Also check the
# hostname as specified by the host (though this causes rejection from
# mis-configured hosts).
# Note: white.admin pretends to be admin1, we have DNS alias.
# Note: Later we also check FORWARD and SAMEHOST.
# Note: Should not we accept all jobs from siv? Let it alone handle the allowed
# external host, otherwise we end up with two such lists (as above for SUHRF).
# Note: Macintosh lpr (e.g. Michael Kelly's mkmac.pc) says its IP address
# 129.78.94.245, not its hostname; accept that "name" also, both as
# HOST and REMOTEHOST. (Why? So, can hosts lie about their name???)
REJECT NOT REMOTEHOST=*.maths.usyd.edu.au
REJECT NOT HOST=*.maths.usyd.edu.au

# Reject any connections from outside our subnets.
# Note: Make sure this matches the DNS name checks above.
## REJECT SERVICE=X,R,P,Q,M,C,S,U ...
REJECT NOT REMOTEIP=127.0.0.1,129.78.68.0/255.255.255.0,129.78.69.0/255.255.255.0,129.78.94.0/255.255.255.0,129.78.95.0/255.255.255.0,129.78.223.0/255.255.255.0
REJECT NOT IP=127.0.0.1,129.78.68.0/255.255.255.0,129.78.69.0/255.255.255.0,129.78.94.0/255.255.255.0,129.78.95.0/255.255.255.0,129.78.223.0/255.255.255.0
# Seems IFIP check fails for services other than X
REJECT SERVICE=X NOT IFIP=127.0.0.1,129.78.68.0/255.255.255.0,129.78.69.0/255.255.255.0,129.78.94.0/255.255.255.0,129.78.95.0/255.255.255.0,129.78.223.0/255.255.255.0

# Only accept jobs from narrow range of ports
# Note: MacOSX 10.3 uses non-privileged port (up to 10.2 uses privileged)
# Note: SuSE may use non-privileged port (and sends 'plain' hostname, needs CNAME record in DNS)
REJECT NOT PORT=0-1023

# Allow anything (control access) to the administrators only
## ACCEPT SERVICE=M,C,S ...
ACCEPT REMOTEHOST=rome.maths.usyd.edu.au,pisa.maths.usyd.edu.au,asti.maths.usyd.edu.au,bari.maths.usyd.edu.au REMOTEUSER=root,psz,mike,robertp
ACCEPT SERVER REMOTEUSER=root,psz,mike,robertp
# Allow people to hold, release and remove their own jobs (check allow_lpc), even from another host
ACCEPT SERVICE=M,U SAMEUSER
# ACCEPT SERVICE=U SAMEUSER SAMEHOST
# Reject bogus control or remove requests
REJECT SERVICE=M,C,S,U

# Do not accept forwarded jobs to ensure people do not lie about the hostname.
# Must accept forwarded jobs from siv (for outside machines).
# Must accept forwarded jobs from rome and pisa for q* printers (for hosts that
# do not know about q-queues), to transfer the job from the aolw to the qaolw
# queue.
# (Does SERVER mean REMOTEHOST=rome or HOST=rome?)
### Thus only external hosts can lie about their hostname. Though siv knows who
### has connected, it does not check that the H line says the same. Maybe we
### could get lpproxd to put the real hostname in any 'Hhost' line? (That would
### also fix the TRIGG problem!) At least we could check that the hostname is
### external (so they could lie among themselves only), but we do not.
#REJECT REMOTEHOST=siv.maths.usyd.edu.au IP=127.0.0.1,129.78.69.0/255.255.255.0,129.78.94.0/255.255.255.0,129.78.95.0/255.255.255.0,129.78.223.0/255.255.255.0
REJECT FORWARD NOT REMOTEHOST=siv.maths.usyd.edu.au NOT PRINTER=q*
REJECT FORWARD NOT REMOTEHOST=siv.maths.usyd.edu.au,rome.maths.usyd.edu.au,pisa.maths.usyd.edu.au
# Seems that FORWARD is pretty much the same as NOT SAMEHOST. Use it too...
REJECT NOT SAMEHOST NOT REMOTEHOST=siv.maths.usyd.edu.au NOT PRINTER=q*
REJECT NOT SAMEHOST NOT REMOTEHOST=siv.maths.usyd.edu.au,rome.maths.usyd.edu.au,pisa.maths.usyd.edu.au

## We could also use
#REJECT NOT SAMEUSER
## to ensure people do not lie about the username.
## But SAMEUSER is not effective for this. Our Alphas cannot lie about the
## username (lpr only allows root to use '-U', which we want to allow anyway).
## Non-Alpha machines (PCs or externals) could lie about both usernames.
## Maybe we should have 'matching' tables, e.g.
#REJECT HOST=p624.pc.maths.usyd.edu NOT USER=ronj
## While we can maintain such tables (even for Magma group hosts: we have the
## usernames in sendmail/aliases) we have decided not to do this. (Such checks
## were built into page-cnt instead, but we do not use that after printquota.)

# User and group checks do not work well with lpq:
# the RFC1179 protocol does not send user name with the requests.
# Have to accept all requests. (I wonder how do the HOST or SAMEHOST checks
# work with lpq, as it seems that the hostname is not sent either.)
ACCEPT SERVICE=Q
# Probably overkill: we should not be here any other way
REJECT NOT SERVICE=X,R,P

# In the following checks, using USER/GROUP seems to have the
# same effect as REMOTEUSER/REMOTEGROUP.

### BUG ALERT
### Need C=Cstring, not C=string as documented
### BUG ALERT
# Check who is allowed to use '-C unchecked' (though we already accepted anything from psz and mike)
REJECT C=Cunchecked NOT USER=psz
# Check who is allowed to use '-C unlimited' (or used to be '-C unrestricted')
REJECT C=Cu* NOT USER=billg,bobh,charlie,claus,dave,david,denisw,gottwald,gregw,jimr,john,johnr,jont,kflai,kohel,mathas,mike,nalini,nigel,peterb,peterw,psz,robertp,roger,ronj,roset,rzhang,sandrab,tschaerf,vanhamel

# Colour printer users: now controlled with printquota
#REJECT PRINTER=colw,qcolw NOT USER=psz,alisonp,billg,ziadj

# Special printers
### sandrab is special while r5lw is out of action
REJECT PRINTER=djlw,qdjlw NOT USER=nalini NOT HOST=bianco.admin.maths.usyd.edu.au
REJECT PRINTER=solw,qsolw NOT USER=nalini,sandrab,jennyh,shermann NOT HOST=bianco.admin.maths.usyd.edu.au
REJECT PRINTER=otlw,qotlw NOT USER=nalini,sandrab NOT HOST=bianco.admin.maths.usyd.edu.au
REJECT PRINTER=fylw,qfylw NOT USER=nalini,ccheen NOT HOST=bianco.admin.maths.usyd.edu.au
REJECT PRINTER=lklw,qlklw NOT USER=nalini,ccheen,sandrab NOT HOST=bianco.admin.maths.usyd.edu.au
REJECT PRINTER=gllw,qgllw NOT USER=gusl
REJECT PRINTER=rzlw,qrzlw NOT USER=rzhang
REJECT PRINTER=njlw,qnjlw NOT USER=nalini
REJECT PRINTER=dclw,qdclw NOT USER=donaldc

# NOTE: Users must be known to the LPD host (rome) so we can
# look up their groups. Otherwise add their name/host here.
# (Here we must use USER, not REMOTEUSER; wonder why.)
#ACCEPT USER=flora,jan,janet,sonia HOST=bianco.admin.maths.usyd.edu.au ### known on rome
# Internal Mac laptops should print through lpproxd on siv, then do not need exceptions:
#ACCEPT USER=ms HOST=pmichaels.pc.maths.usyd.edu.au

# Accept any users at each Magma host
# Could try to list each separately... or accept by IP
ACCEPT IP=129.78.68.0/255.255.255.0

# Check that students have '-C student'
REJECT NOT C=Cstudent NOT GROUP=amstaff,amvisitor,amodd,ampgrad,amfour,pmstaff,pmtsd,pmvisitor,pmother,pmgrad,pmfour,ststaff,stvisitor,stother,stgrad,stfour,vacsch
### BUG ALERT
### Need C=Cstudent, not C=student as documented
### BUG ALERT

# Printers banned to undergrads:
REJECT PRINTER=aolw,qaolw,r7lw,qr7lw,p6lw,qp6lw,fylw,qfylw,lklw,qlklw,mslw,qmslw,djlw,qdjlw,solw,qsolw,otlw,qotlw,f5lw,qf5lw,pglw,qpglw,r5lw,qr5lw,gllw,qgllw,rzlw,qrzlw,njlw,qnjlw,dclw,qdclw,colw,qcolw NOT GROUP=amstaff,amvisitor,amodd,ampgrad,amfour,pmstaff,pmtsd,pmvisitor,pmother,pmgrad,pmfour,ststaff,stvisitor,stother,stgrad,stfour,vacsch
# And again, printers allowed to undergrads:
REJECT NOT PRINTER=stlw,qstlw NOT GROUP=amstaff,amvisitor,amodd,ampgrad,amfour,pmstaff,pmtsd,pmvisitor,pmother,pmgrad,pmfour,ststaff,stvisitor,stother,stgrad,stfour,vacsch

###TEMPORARY FOR TESTING SICK AOLW
###REJECT PRINTER=aolw,qaolw NOT USER=psz

##### Comments (man page) only below #####

# DESCRIPTION
# The file lpd.perms is used to provide permission information for the LPRng
# Printer spooler system. Blank lines and all characters after a hash sign
# (``#'') to the end of line are ignored. If a hash sign is desired in the
# permission information, it should be escaped with a backslash (``\''). All
# other lines specify a permissions entry and should be of the following form:
# ACCEPT [ key = value[,value]* ]*
# REJECT [ key = value[,value]* ]*
# DEFAULT ACCEPT
# DEFAULT REJECT
#
# LPD access control is provided by two means: the pathnames or programs
# specified by the perms_path configuration information and the printcap XU
# (check user) entry. These entries consist of a list of files separated by
# colons and/or a set of filters. For example:
# /etc/lpd.perms:|/usr/local/lib/perms
#
# would specify a file and a filter. The filter program is invoked with the
# filter_options specified in the configuration information, and is sent the
# name of the printer on the filter standard input. The filter should
# respond by writing a list of permissions entries on its standard output.
#
# Each LPD service request is checked against the entries in the permissions
# file and/or filter response. The following is a typical permissions file:
# # Set default permissions
# DEFAULT ACCEPT
# # Reject any connections from outside our subnet
# REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0
# # Only accept Printing (P) and spooling (LPR) from
# # Engineering Lab or the Dean's office
# REJECT SERVICE=P,R NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu
# # Do not accept forwarded jobs for printing
# REJECT SERVICE=P FORWARD
# # Allow only the administrators control access
# ACCEPT SERVICE=C,M REMOTEHOST=spooler.eng.sdsu.edu REMOTEUSER=root,papowell
# ACCEPT SERVICE=C,M SERVER REMOTEUSER=root,papowell
# # Allow only the user on the same host who spooled job to remove it
# ACCEPT SERVICE=M,U SAMEUSER SAMEHOST
# REJECT SERVICE=M,C,U
#
#
# Permission checking is done by using a set of keys (or fields) with
# associated values to check for permission. The SERVICE key has value P for
# printing (i.e.- unspooling), R for spooling (i.e.- LPR request), C, S, and
# U for printer control, status, and user allowed operation respectively
# (i.e.- LPC request), M for removal (i.e.- LPRM request), Q for queue
# information (i.e.- LPQ request), and so forth. The key indicates the initial
# connection to the LPD spooler, and can be used to control connections from
# remote systems. The values of the USER, HOST, and IP keys are taken from the
# control file which is being received or checked for permissions. The
# REMOTEUSER, REMOTEHOST and REMOTEIP keys are those either sent as part of a
# command, or derived from information about the current network connection.
# (See below for details involving Domain Name Service lookups and other
# information.) Each line of the permissions file is scanned for key names
# and values, and these are matched against the request keys information.
# When all matches on a line are made, then the search terminates with the
# specified action (ACCEPT/REJECT). If no match is found the default
# permission value is used. The DEFAULT key is used to specify the current
# default permission to be used for successful matches or if there is no match
# after scanning the entire permissions database.
#
# The PRINTER entry is used to specify the printer to be checked. The GROUP
# entry is used to check that the USER name appears in a group entry in the
# system user group database. For example, GROUP=student*,staff* would check
# to see if any of the group names matching student* or staff* have the
# specified user name in them. If a system has the netgroups capability, a
# printer, group, or remotegroup name starting with a @ will be treated as a
# netgroup name, and the specified user name or printer will be checked to see
# if it is in the group. Note that wildcard matches are not performed on
# netgroups. Similarly, the REMOTEGROUP entry will check a remote user name.
#
# The PORT entry can be used to ensure that a connection to the server
# originates from a specified range of ports.
#
# The permissions database is scanned in order of the fixed file entries and
# then by invoking the specified filters for each of the permissions lists.
# It is recommended that the filters be placed at the end of the permissions
# lists. The user name is one of the parameters passed to the filter, and
# can be used to determine if a user has permissions to print a file.
#
# Key          Match  Connect  Job    Job    LPQ    LPRM   LPC
#                              Spool  Print
# SERVICE      S      'X'      'R'    'P'    'Q'    'M'    'C,S'
# USER         S      -        JUSR   JUSR   JUSR   JUSR   JUSR
# HOST         S      RH       JH     JH     JH     JH     JH
# GROUP        S      -        JUSR   JUSR   JUSR   JUSR   JUSR
# IFIP         IP     IFIP     IFIP   -      IFIP   IFIP   IFIP
# IP           IP     RIP      JIP    JIP    RIP    JIP    JIP
# PORT         N      PORT     PORT   -      PORT   PORT   PORT
# REMOTEUSER   S      -        JUSR   JUSR   JUSR   CUSR   CUSR
# REMOTEHOST   S      RH       RH     JH     RH     RH     RH
# REMOTEGROUP  S      -        JUSR   JUSR   JUSR   CUSR   CUSR
# REMOTEIP     IP     RIP      RIP    JIP    RIP    RIP    RIP
# CONTROLLINE  S      -        CL     CL     CL     CL     CL
# PRINTER      S      -        PR     PR     PR     PR     PR
# FORWARD      V      -        SA     -      -      SA     SA
# SAMEHOST     V      -        SA     -      SA     SA     SA
# SAMEUSER     V      -        -      -      SU     SU     SU
# SERVER       V      -        SV     -      SV     SV     SV
# AUTH         V      -        AU     -      AU     AU     AU
# AUTHTYPE     S      -        AU     -      AU     AU     AU
# AUTHUSER     S      -        AU     -      AU     AU     AU
# FWDUSER      S      -        AU     -      AU     AU     AU
#
#
# KEY:
# JH   = HOST host in control file
# RH   = REMOTEHOST connecting host name
# JUSR = USER user in control file
# CUSR = REMOTEUSER user from control request
# JIP  = IP IP address of host in control file
# RIP  = REMOTEIP IP address of requesting host
# PORT = connecting host origination port
# CONTROLLINE = pattern match of control line in control file
# FW   = IP of source of request = IP of host in control file
# SA   = IP of source of request = IP of host in control file
# SU   = user from request = user in control file
# SA   = IP of source of request = IP of server host
# SV   = matches if from same address as server
# AU   = value determined by server authentication operation
#        NONE - no authentication, USER - user sending authentication
#        FWD - server forwarding authentication
# IFIP = matches the remote IP address of the connection
# Match: S = string with wild card, IP = IPaddress[/netmask],
#        N = low[-high] number range, V = exact value match
# SERVICE: 'X' - Connection request; 'R' - lpr request from remote host;
#          'P' - print job in queue; 'Q' - lpq request, 'M' - lprm request;
#          'C' - lpc spool control request; 'S' - lpc spool status request
#          'U' - administratively allowed user operation
# NOTE: when printing (P action), the remote and job check values
# (i.e. - RUSR, JUSR) are identical.
#
#
# The special key letter=patterns searches the control file line starting
# with the (upper case) letter, and is usually used with printing and
# spooling checks. For example, C=A*,B* would check that the class information
# (i.e.- line in the control file starting with C) had a value starting with
# A or B.
#
# A permission line consists of a list of tests and a result value. If all
# of the tests succeed, then a match has been found and the permission
# testing completes with the result value. You use the DEFAULT reserved word
# to set the default ACCEPT/REJECT result. The NOT keyword will reverse the
# sense of a test.
#
# Each test can have one or more optional values separated by commas. For
# example USER=john,paul,mark has 3 test values. The Match value specifies
# how the matching is done.
#
# S = string type match - string match with glob.
#     Format: string with wildcards (*)
#     * matches 0 or more chars
#     Character comparison is case insensitive.
#     For example - USER=th*s matches uTHS, This, This, Theses
#
# IP = IP address and submask. IP address must be in dotted form.
#     Format: x.x.x.x[/y.y.y.y or /z]
#     x.x.x.x is IP address
#     y.y.y.y is optional submask, default is 255.255.255.255
#     z is a netmask with most significant z bits set.
#     Match is done by converting the IP address to a 32 bit value and using:
#     success = ((x ^ IP ) & y) == 0 (C language notation)
#     i.e.- only bits where mask is non-zero are used in comparison.
#     For example - IP=130.191.0.0/255.255.0.0 matches all addresses 130.191.X.X
#     IP=130.191.0.0/16 has the same value.
#
# N = numerical range - low-high integer range.
#     Format: low[-high]
#     Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)
#
# The authentication entries AUTH, AUTHTYPE, AUTHUSER, and FWDUSER can be
# used to check permissions for authenticated operations. AUTH can have the
# values NONE (no authentication), USER (user authenticated), or FWD
# (forwarded authentication from a server). For example, to reject
# non-authenticated operations, we can use:
# REJECT AUTH=NONE
# To accept only authenticated jobs directly from users use
# REJECT AUTH=NONE,FWD
# in the permissions file. The AUTHTYPE can be used to match
# the authentication type being used or requested by the remote client or
# server. The AUTHUSER matches the authentication information originated by
# the client to user transfer; these may be identical to the user name, but
# also may be different values. The FWDUSER matches the authentication
# information originated by the server to server forwarding operation, and
# can be used to restrict these operations.
#
# SERVICE=U AND ALLOW_LPC CONFIGURATION VARIABLE
#
# The allow_lpc configuration variable can be used to specify a subset of the
# standard lpc operations that will be classified as U operations. The
# candidates for selection include hold, release, move, and topq. For
# example, if the allow_lpc variable had the value:
# allow_lpc=hold,release
#
# then the following permissions entries would allow users to hold or release
# their own jobs:
# ACCEPT SERVICE=U SAMEUSER SAMEHOST
# REJECT SERVICE=U
#
# When checking permissions, if permission is explicitly granted for
# SERVICE=C operations, it must be done before the checks for U or S
# services.
#
# DNS, IPV6, AND MULTIHOMED HOSTS
#
# There is a subtle problem with names and IP addresses which are obtained
# for 'multi-homed hosts', i.e. those with multiple ethernet interfaces,
# and for IPV6 (IP Version 6), in which a host can have multiple addresses,
# and for the normal host which can have both a short name and a fully
# qualified domain name.
#
# The IFIP (interface IP) field can be used to check the IP address of the
# origination of the request, as reported by the information returned by the
# accept() system call. Note that this information may be IPV4 or IPV6
# information, depending on the origination of the system. This information
# is used by gethostbyaddr() to obtain the originating host fully qualified
# domain name (FQDN) and set of IP addresses. Note that this FQDN will be
# for the originating interface, and may not be the canonical host name.
# Some systems which use the Domain Name Server (DNS) system may add the
# canonical system name as an alias.
#
# When performing an IP address match, the entire list of IP addresses for a
# system will now be checked. If one of these matches, then success is
# reported. Similarly, the entire list of host names and aliases will be
# checked. If one of these matches, then success will be reported.
#
# In addition, when checking for printing, if the name lookup for the host
# reported in the control file fails, then we assume that the host is
# unknown and all match checks for names or IP addresses will fail. You can
# determine if a host has an entry by using the following check, which will
# reject all requests from a remotehost which does not have a DNS entry.
# REJECT NOT REMOTEHOST=*