source: trunk/packs/config/lpd.perms @ 13335

Revision 13335, 9.1 KB checked in by mwhitson, 25 years ago (diff)
Install a default lpd.perms file.
###########################################################################
# LPRng - An Extended Print Spooler System
#
# Copyright 1988-1995 Patrick Powell, San Diego, CA
#     papowell@astart.com
# See LICENSE for conditions of use.
#
##########################################################################

# MIT Athena default lpd.perms file
# $Id: lpd.perms,v 1.1 1999-07-06 16:44:29 mwhitson Exp $

# Printer permissions data base
## #
##                  LPRng - An Enhanced Printer Spooler
##                     lpd.perms file
##                   Patrick Powell <papowell@astart.com>
##
## Access control to the LPRng facilities is controlled by entries
## in a set of lpd.perms files.  The common locations for these files
## are: /etc/lpd.perms,  /usr/etc/lpd.perms, and  /var/spool/lpd/lpd.perms.
## The locations of these files are set by the perms_path entry
## in the lpd.conf file or by compile time defaults in the src/common/defaults.c
## file.  In addition to the global permissions files,  each spool queue
## can also have a permissions file.  This file is searched when information
## or operations on a specific printer are requested.
##
## Each time the lpd server is given a user request or carries out an unspooling
## operation,  it searches the perms files to determine if the action
## is ACCEPT or REJECT.  The first ACCEPT or REJECT found terminates the search.
## If none is found,  then the last DEFAULT action is used.
##
## Permissions are checked by the use of 'keys' and matches.  For each of
## the following LPR activities,  the following keys have a value.
##
## Key          Match Connect Job   Job    LPQ  LPRM  LPC
##                            Spool Print
## SERVICE      S     'X'     'R'   'P'    'Q'  'M'   'C'
## USER         S     -       JUSR  JUSR   JUSR JUSR  JUSR
## HOST         S     RH      JH    JH     JH   JH    JH
## GROUP        S     -       JUSR  JUSR   JUSR JUSR  JUSR
## IP           IP    RIP     JIP   JIP    RIP  JIP   JIP
## PORT         N     PORT    PORT  -      PORT PORT  PORT
## REMOTEUSER   S     -       JUSR  JUSR   JUSR CUSR  CUSR
## REMOTEHOST   S     RH      RH    JH     RH   RH    RH
## REMOTEGROUP  S     -       JUSR  JUSR   JUSR CUSR  CUSR
## REMOTEIP     IP    RIP     RIP   JIP    RIP  RIP   RIP
## CONTROLLINE  S     -       CL    CL     CL   CL    CL
## PRINTER      S     -       PR    PR     PR   PR    PR
## FORWARD      V     -       SA    -      -    SA    SA
## SAMEHOST     V     -       SA    -      SA   SA    SA
## SAMEUSER     V     -       -     -      SU   SU    SU
## SERVER       V     -       SV    -      SV   SV    SV
## LPC          S     -       -     -      -    -     LPC
## AUTH         V     -       AU    AU     AU   AU    AU
## AUTHTYPE     S     -       AU    AU     AU   AU    AU
## AUTHUSER     S     -       AU    AU     AU   AU    AU
## AUTHFROM     S     -       AU    AU     AU   AU    AU
## AUTHSAMEUSER S     -       AU    AU     AU   AU    AU
##
## KEY:
##   JH = HOST          host in control file
##   RH = REMOTEHOST    connecting host name
##   JUSR = USER        user in control file
##   CUSR = REMOTEUSER  user named in the control request (as supplied by the client)
##   JIP = IP           IP address of host in control file
##   RIP = REMOTEIP     IP address of requesting host
##   PORT =             connecting host origination port
##   CONTROLLINE =      pattern match of control line in control file
##   FW = FORWARD       IP of source of request is NOT an IP of host in control file
##                      (equivalent to NOT SAMEHOST, see below)
##   SA = SAMEHOST      IP of source of request = IP of host in control file
##                      (or of the host named in the job's FROM info)
##   SU = SAMEUSER      user from request = user in control file
##   SV = SERVER        IP of source of request = IP of server host or server localhost
##   LPC = lpc command globmatched against values
##   AU = Authorization check on transfer
##       AUTH will match (true) if the transfer was authenticated
##       AUTHTYPE will match the authentication type
##       AUTHUSER will match the authenticated identity of the client user
##       AUTHFROM will match the authentication of the forwarding server and
##                is NULL if the request did not come from a server
##       AUTHSAMEUSER will match if the client's authenticated identity is the
##                one saved in the job
##
## Match: S = globmatch, IP = IPaddress[/netmask],
##   N = low[-high] number range, V = matching or compatible values
## SERVICE: 'X' - Connection request; 'R' - lpr request from remote host;
##    'P' - print job in queue; 'Q' - lpq request, 'M' - lprm request;
##    'C' - lpc spool control request;
## NOTE: when printing (P action) there is no connecting client, so the
##   remote check values take the job values from the control file
##   (i.e. REMOTEUSER = USER, REMOTEHOST = HOST, REMOTEIP = IP).
##
##
## The SAMEHOST match checks to see that one (or more) of the
##  IP addresses of the host originating the request are the
##  same as one or more of the IP addresses of the host whose
##  hostname appears in the control file.
## The SERVER match checks to see if one (or more) of the
##  IP addresses of the host originating the request are the
##  same as one or more of the IP addresses of the server or
##  match the localhost's  IP address.  Note that in IPV6, there may
##  be multiple IP addresses for a single host.
## The FORWARD match checks to see that none of the IP addresses of
##  the host originating the request are the same as any of the IP
##  addresses of the host whose hostname appears in the control file.
##  This is equivalent to NOT SAMEHOST.
##
## The  special key letter=patterns searches the control file
## line starting with the (upper case) letter, and is usually
## used  with  printing  and  spooling  checks.  For example,
## C=A*,B* would check that the class information (i.e.- line
## in  the control file starting with C) had a value starting
## with A or B.
##
## A permission line consists of a list of tests and a result value.
## If all of the tests succeed,  then a match has been found and the
## permission testing completes with the result value.  You use the
## DEFAULT reserved word to set the default ACCEPT/REJECT result.
## The NOT keyword reverses the sense of the test that follows it.
##
## Each test can have one or more optional values separated by
## commas; the test succeeds if any one of them matches.  For example
## USER=john,paul,mark has 3 test values.
##
## The Match type specifies how the matching is done.
## S = glob type string match
##     Format:  string with wildcards (*) and ranges
##              * matches 0 or more chars
##              [a-d] matches a or b or c or d
##     Character comparison is case insensitive.
##     For example - USER=th*s matches THS, This, this, Theses
##                   USER=[d-f]x matches dx, ex, fx
##
## IP = IP address and subnet mask.  IP address must be in dotted form.
##      Format: x.x.x.x[/y.y.y.y]  x.x.x.x is IP address
##              y.y.y.y is optional subnet mask, default is 255.255.255.255
##              (i.e. an exact single-host match)
##      Match is done by converting to 32 bit x, y, and IP value and using:
##         success = ((x ^ IP ) & y) == 0   (C language notation)
##     i.e.- only bits where mask is non-zero are used in comparison.
##     For example - REMOTEIP=130.191.0.0/255.255.0.0 matches all addresses 130.191.X.X
##
## N = numerical range  -  low-high integer range.
##      Format: low[-high]
##      Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged:
##               on a Unix client only root can originate a connection from
##               such a port, which is what makes PORT a useful check on a
##               claimed REMOTEUSER=root)
##
## The SAMEUSER and SAMEHOST are options that form values from information
## in control files or connections.  The GROUP entry searches the user group
## database for group names matching the pattern,  and then searches these
## for the user name.  If the name is found,  the search is successful.
## The SERVER entry is successful if the request originated from the current
## lpd server host.
##
## Note carefully that the USER, HOST, and IP values are based on values found
## in the control file currently being checked for permissions.  The
## REMOTEUSER, REMOTEHOST, and REMOTEIP are based on values supplied as part
## of a connection to the LPD server,  or on the actual TCP/IP connection.
## Only REMOTEIP and PORT come from the TCP/IP connection itself; REMOTEUSER
## is whatever name the client sent in its request, so on its own it is no
## stronger than a claim.  Pair it with SERVER and PORT=0-1023 (as the rules
## at the end of this file do) or use the AUTH keys.
##
## The LPC entry matches an LPC command.  For example LPC=topq would match
## when an lpc topq command is being executed.
##
## Example Permissions
##
## # All operations allowed except those specifically forbidden
## DEFAULT ACCEPT
##
## #Reject connections from hosts that are neither on subnet 130.191.0.0
## # nor Engineering pc's.  The first matching ACCEPT or REJECT wins,
## # so the two ACCEPT lines must come before the catch-all REJECT.
##   ACCEPT SERVICE=X REMOTEIP=130.191.0.0/255.255.0.0
##   ACCEPT SERVICE=X REMOTEHOST=engpc*
##   REJECT SERVICE=X
##
## #Do not allow anybody but root or papowell on
## #astart1.astart.com or the server to use control
## #facilities.
##   ACCEPT SERVICE=C SERVER REMOTEUSER=root
##   ACCEPT SERVICE=C REMOTEHOST=astart1.astart.com REMOTEUSER=papowell
##
## #Allow root on talker.astart.com to control printer hpjet
##   ACCEPT SERVICE=C REMOTEHOST=talker.astart.com PRINTER=hpjet REMOTEUSER=root
## #Reject all others
##   REJECT SERVICE=C
##
## #Do not allow forwarded jobs or requests
##   REJECT SERVICE=R,C,M FORWARD
##
# allow root on server to control jobs.  REMOTEUSER is the name the client
# put in the request, so it is only trusted together with SERVER and a
# privileged (root-only) source port.
ACCEPT SERVICE=C SERVER REMOTEUSER=root PORT=0-1023
# allow anybody to get server, status, and printcap
ACCEPT LPC=lpd,status,printcap
# reject all other lpc commands
REJECT LPC=*
#
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root PORT=0-1023
# reject all other removal requests
REJECT SERVICE=M
# all other operations allowed
DEFAULT ACCEPT