source: trunk/third/lprng/doc/LPRng-HOWTO-14.html @ 14517

Revision 14517, 20.5 KB checked in by mwhitson, 25 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r14516, which included commits to RCS files with non-trunk default branches.
Line 
1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
2<HTML>
3<HEAD>
4 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
5 <TITLE> LPRng-HOWTO: Permissions and Authentication</TITLE>
6 <LINK HREF="LPRng-HOWTO-15.html" REL=next>
7 <LINK HREF="LPRng-HOWTO-13.html" REL=previous>
8 <LINK HREF="LPRng-HOWTO.html#toc14" REL=contents>
9</HEAD>
10<BODY>
11<A HREF="LPRng-HOWTO-15.html">Next</A>
12<A HREF="LPRng-HOWTO-13.html">Previous</A>
13<A HREF="LPRng-HOWTO.html#toc14">Contents</A>
14<HR>
15<H2><A NAME="lpdpermsref"></A> <A NAME="s14">14. Permissions and Authentication</A></H2>
16
17<P>The contents of the <CODE>/etc/lpd.perms</CODE> file
18is used to specify the restrictions on the use
19of the LPRng software,
20printers,
21and other facilities.
22The model used for permission granting is similar to packet filters.
23An incoming request is tested against a list of rules,
24and the first match found determines the action to be taken.
25The action is either <CODE>ACCEPT</CODE> or the request is granted,
26or <CODE>REJECT</CODE> and the request is denied.
27You can also establish a default action.
28<P>The following is a sample <CODE>lpd.perms</CODE> file.
29<P>
30<BLOCKQUOTE><CODE>
31<PRE>
32# allow root on server to control jobs
33ACCEPT SERVICE=C SERVER REMOTEUSER=root
34REJECT SERVICE=C
35#
36# allow same user on originating host to remove a job
37ACCEPT SERVICE=M SAMEHOST SAMEUSER
38# allow root on server to remove a job
39ACCEPT SERVICE=M SERVER REMOTEUSER=root
40REJECT SERVICE=M
41# all other operations allowed
42DEFAULT ACCEPT
43</PRE>
44</CODE></BLOCKQUOTE>
45<P>A rule will ACCEPT or REJECT a request
46if all of the patterns specified in the rule match.
47If there is a match failure,
48the next rule in sequence will be applied.
49If all of the rules are exhausted,
50then the last specified default authorization will be used.
51<P>The sense of a pattern match can be inverted using the NOT keyword.
52For example,
53the rules with
54<CODE>ACCEPT NOT REMOTEUSER=john,bill</CODE>
55succeeds only if the REMOTEUSER value is defined and
56is not <CODE>john</CODE> or <CODE>bill</CODE>.
57<P>The following patterns and matching are applied.
58<P>
59<CENTER><TABLE BORDER><TR><TD>
60<BR>
61Keyword</TD><TD>Match</TD></TR><TR><TD>
62<CODE>DEFAULT</CODE></TD><TD>default result</TD></TR><TR><TD>
63<CODE>SERVICE</CODE></TD><TD>lpC, lpR, lprM, lpQ requests, and Printing jobs</TD></TR><TR><TD>
64<CODE>USER</CODE></TD><TD>user name in print job.This check will always succeed when checking for spool queue permissions,and only be done when checking for job permissions.</TD></TR><TR><TD>
65<CODE>REMOTEUSER</CODE></TD><TD>user making request</TD></TR><TR><TD>
66<CODE>HOST</CODE></TD><TD>host name in print job.This check will always succeed when checking for spool queue permissions,and only be done when checking for job permissions.</TD></TR><TR><TD>
67<CODE>REMOTEHOST</CODE></TD><TD>host making request</TD></TR><TR><TD>
68<CODE>IP</CODE></TD><TD>IP address and mask of host in print jobThis check will always succeed when checking for spool queue permissions,and only be done when checking for job permissions.</TD></TR><TR><TD>
69<CODE>REMOTEIP</CODE></TD><TD>IP address and mask of host making request</TD></TR><TR><TD>
70<CODE>PORT</CODE></TD><TD>TCP/IP port of host making request</TD></TR><TR><TD>
71<CODE>SAMEUSER</CODE></TD><TD>USER and REMOTEUSER same</TD></TR><TR><TD>
72<CODE>SAMEHOST</CODE></TD><TD>HOST and REMOTEHOST same</TD></TR><TR><TD>
73<CODE>SERVER</CODE></TD><TD>request originates on lpd server</TD></TR><TR><TD>
74<CODE>FORWARD</CODE></TD><TD>destination of job is not host</TD></TR><TR><TD>
75<CODE>GROUP</CODE></TD><TD>USER is in the specified group</TD></TR><TR><TD>
76<CODE>LPC</CODE></TD><TD>LPC command in the LPC request.This must be preceeded by SERVICE=C clause.</TD></TR><TR><TD>
77<CODE>REMOTEGROUP</CODE></TD><TD>REMOTEUSER is in the specified group</TD></TR><TR><TD>
78<CODE>CONTROLLINE</CODE></TD><TD>match a line in control file</TD></TR><TR><TD>
79<CODE>AUTH</CODE></TD><TD>authentication type</TD></TR><TR><TD>
80<CODE>AUTHUSER</CODE></TD><TD>authenticated user</TD></TR><TR><TD>
81<CODE>AUTHFROM</CODE></TD><TD>authenticated forwarder</TD></TR><TR><TD>
82<CODE>AUTHJOB</CODE></TD><TD>authenticated job in queue</TD></TR><TR><TD>
83
84</TD></TR></TABLE></CENTER>
85<P>Most of the patterns can be lists of alternative values to match,
86and can even contain wild cards.
87The full details of the rules and keywords are detailed in
88the <CODE>lpd.conf(5)</CODE> man page.
89<H2><A NAME="ss14.1">14.1 Information for matching</A>
90</H2>
91
92<P>In order to do matching,
93the <CODE>lpd</CODE> server obtains and sets up the following information:
94<OL>
95<LI>If the request is coming over a network connection,
96then the IP address (REMOTEIP)
97port (PORT) of the source of the connection and
98FQDN of the remote host (REMOTEHOST) are obtained
99and the indicated values are set.
100To be specific,
101the IP address of the remote host is obtained using
102<CODE>getpeername()</CODE>.
103The <CODE>gethostbyaddr()</CODE> is used to look up the
104host's fully qualified domain name,
105which is then assigned to the REMOTEHOST value.
106The REMOTEIP value is the
107<EM>set</EM> or <EM>list</EM> of IP addresses that could be
108used by this host.
109This is possible in the IPV6 environment.</LI>
110<LI>If the request contains the name of the user,
111then REMOTEUSER is assigned the name.</LI>
112<LI>If the request contains the name of the printer,
113then PRINTER is assigned the name.</LI>
114<LI>If permissions checking is to be done for a particular
115job in a spool queue,
116then the USER, HOST, IP, and PRINTER are set to the
117user name, host, and printer information in the control file for the
118print job.
119The HOST entry in the control file is used by
120<CODE>gethostbyname()</CODE> to get the fully qualified domain name of the host.
121The IP value is assigned a
122<EM>set</EM> or <EM>list</EM> of IP addresses that could be
123used by this host.</LI>
124<LI>If one of the optional authentication methods is being used,
125(see
126<A HREF="LPRng-HOWTO-16.html#authref">Authentication and Encryption</A>),
127then AUTH is true and
128AUTHTYPE is set to the type of authentication used.
129AUTHUSER to the authenticated originating user of the request
130and AUTHFROM is when the originating program is a server.
131The AUTHSAMEUSER will be true when the remote client authentication information
132matches the authentication information used to create the job on the server.
133The AUTHJOB will be true when checking for job permissions and the job
134has been authenticated.</LI>
135</OL>
136<H2><A NAME="ss14.2">14.2 Permission Checks</A>
137</H2>
138
139<P>When a connection is made to the <CODE>lpd</CODE> server,
140the originating site's IP address and hostname are determined,
141and a check with <CODE>SERVICE=X</CODE>
142and valid REMOTEHOST,
143REMOTEIP,
144and PORT information is done.
145<P>If the connection was not rejected,
146then the request information is read
147and the
148SERVICE,
149REMOTEUSER,
150REMOTEHOST,
151REMOTEIP,
152PORT,
153PRINTER,
154and other authentication values will be defined.
155The SERVICE value will be Q, R, M, or C for
156<CODE>lpq</CODE>,
157<CODE>lpr</CODE>,
158<CODE>lprm</CODE>,
159or
160<CODE>lpc</CODE> respectively.
161The permissions file will be scanned to determine if the
162request should be immediately discarded based on the print queue
163it is for.
164During this stage of processing,
165permissions checks which require information from jobs in spool queues
166will be ignored and treated as though a match had succeeded.
167<P>If the request is not rejected,
168then it will be processed or carried out.
169If the request is for an operation on one or more user jobs in
170a spool queue,
171then the spool queue for the jobs are scanned and permissions are
172again checked against individual jobs.
173At this stage in the processing,
174the
175USER and
176HOST
177information obtained from the job file will be used in permissions checking.
178This two levels of checks are necessary in order to allow
179find control over individual jobs and users.
180<P>There is a problem with permissions checking for <CODE>lpq</CODE> (SERVICE=Q)
181requests.
182Since the user name is not passed as part of the request,
183it is impossible to use the REMOTEUSER clause to restrict <CODE>lpq</CODE>
184operations.
185<P>The <CODE>SERVICE=R</CODE> and <CODE>SERVICE=P</CODE>
186facilities are provided to handle problems with print spoolers that
187do not recognize a <I>lack of permission</I> error code,
188and will indefinately retry sending a job to the <CODE>lpd</CODE> server.
189If this is the case,
190then the <CODE>SERVICE=R</CODE> clause can be used to accept jobs,
191and then the <CODE>SERVICE=P</CODE> clause will cause the <CODE>lpd</CODE>
192server to remove of the job when it is scheduled for printing.
193<H2><A NAME="ss14.3">14.3 Match Procedure</A>
194</H2>
195
196<P>
197<BLOCKQUOTE><CODE>
198<PRE>
199key=pattern                         substring match
200key=pattern1,pattern2,pattern3,...  glob and exact
201key=IP1/mask1,IP2/mask2,...         IP address
202</PRE>
203</CODE></BLOCKQUOTE>
204<P>Each of the indicated values is matched against a list of patterns.
205The following types of matches are used:
206<OL>
207<LI>substring match.
208The indicated entry is present as a substring in the pattern.</LI>
209<LI>GLOB matches.
210The pattern is interpreted as a GLOB style pattern,
211where * matches 0 or more characters,
212and ? matches a single character,
213and
214<CODE>[L-H]</CODE>
215specifies a range of characters from
216<CODE>L</CODE> to <CODE>H</CODE>,
217in ASCII order.</LI>
218<LI>IP address match.  The address must be specified in the
219standard <CODE>nn.nn.nn.nn</CODE> format.
220The mask must be either an integer number
221corresponding to the number of significant bits,
222or in the standard <CODE>nn.nn.nn.nn</CODE> format.
223Addresses are compared by doing
224<BLOCKQUOTE><CODE>
225<PRE>
226( IPaddr XOR IP ) AND mask
227</PRE>
228</CODE></BLOCKQUOTE>
229
230<P>If the result is 0, then a match results.
231Note that there may be one or more addresses being checked for;
232this can occur when a host may have multiple IP addresses assigned to it.
233</LI>
234<LI>integer range match.
235The pattern has the form <CODE>low-high</CODE>,
236where low and high are integer numbers.
237The match succeeds if the value is in the specified range.</LI>
238<LI>Same IP Address Match.
239This compares two lists of IP addresses;
240a match is found when there is one or more common addresses.</LI>
241</OL>
242<H3>DEFAULT</H3>
243
244<P>
245<BLOCKQUOTE><CODE>
246<PRE>
247DEFAULT ACCEPT
248DEFAULT REJECT
249</PRE>
250</CODE></BLOCKQUOTE>
251<P>The DEFAULT rule specifies the default if no rule matches.
252Normally,
253there is one DEFAULT entry in a permissions file.
254<H3>SERVICE</H3>
255
256<P>Match type: substring
257<P>The SERVICE key is based on the type of request.
258<CENTER><TABLE BORDER><TR><TD>
259<BR>
260Key</TD><TD>Request</TD></TR><TR><TD>
261<CODE>C</CODE></TD><TD>LPC Control Request</TD></TR><TR><TD>
262<CODE>M</CODE></TD><TD>LPRM Removal Request</TD></TR><TR><TD>
263<CODE>P</CODE></TD><TD>Job Printing</TD></TR><TR><TD>
264<CODE>Q</CODE></TD><TD>LPQ Status Request</TD></TR><TR><TD>
265<CODE>R</CODE></TD><TD>LPR Job Transfer</TD></TR><TR><TD>
266<CODE>X</CODE></TD><TD>Connection Request</TD></TR><TR><TD>
267
268</TD></TR></TABLE></CENTER>
269<P>Each of the above codes corresponds either directly to the user command,
270or a set of subcommands.
271<P>If you have an LPC request,
272you can add an <CODE>LPC=xxx</CODE> clause to refine the
273permissions checking to allow or disallow
274<CODE>lpc</CODE> commands such as <CODE>lpc status, printcap, active, </CODE>.
275<H3>USER</H3>
276
277<P>Match type: GLOB
278<P>The USER information is taken from the <CODE>P</CODE> (person or logname)
279information in the print job control file.
280<H3>REMOTEUSER</H3>
281
282<P>Match type: GLOB
283<P>The REMOTEUSER information is taken from the user information sent
284with a service request.
285<P>Note that one of the flaws of
286<A HREF="LPRng-HOWTO-6.html#rfc1179">RFC1179</A>
287is that an LPQ (print status)
288request does not provide a REMOTEUSER name.
289<H3>HOST</H3>
290
291<P>Match type: GLOB
292<P>The HOST information is taken from the <CODE>H</CODE> (host)
293information in the print job control file.
294<H3>REMOTEHOST</H3>
295
296<P>Match type: GLOB
297<P>The REMOTEHOST information is obtained by doing a reverse IP name lookup
298on the remote host address.
299If there is no FQDN available,
300then the IP address in text form will be used.
301<H3>PORT</H3>
302
303<P>Match type: integer range
304<P>The PORT value is obtained from the originating port of the TCP/IP
305connection.
306The match succeeds if it is in the specified range.
307<H3>IP</H3>
308
309<P>Match type: IPaddr
310<P>The IP information is obtained by doing a DNS lookup on the
311H (host) information in the control file.
312If there is no host information, the IP address is undefined.
313Note that for a single host name there may be multiple IP addresses;
314address matches are performed against the list of addresses and succeeds
315if there is one or more individual address matches.
316<H3>REMOTEIP</H3>
317
318<P>Match type: IPaddr
319<P>The REMOTEIP information is the IP address of the host making the
320service request.
321Note that the REMOTEIP value is obtained by using the
322<CODE>gethostbyaddr</CODE> lookup to obtain the DNS information for the
323remote host.  This information may include multiple IP addresses;
324address matches are performed against the list of addresses and succeeds
325if there is one or more individual address matches.
326<H3>LPC</H3>
327
328<P>Match type: GLOB
329<P>If you are doing an LPC command,
330this matches the command.
331This allows the following permissions line to be used:
332<BLOCKQUOTE><CODE>
333<PRE>
334#allow remoteuser admin on server to use LPC topq and hold
335ACCEPT LPC=topq,hold SERVER REMOTEUSER=x
336</PRE>
337</CODE></BLOCKQUOTE>
338<P>
339<H3>SAMEUSER</H3>
340
341<P>Match type: exact string match
342<P>Both the REMOTEUSER and USER information must be present and identical.
343<H3>SAMEHOST</H3>
344
345<P>Match type: Same IP Address
346<P>The REMOTEHOST and HOST address lists are checked;
347if there is a common value the match succeeds.
348<H3>SERVER</H3>
349
350<P>Match type: Same IP Address
351<P>One of the REMOTEHOST addresses
352must be the same as one of the addresses of the <CODE>lpd</CODE> server host,
353or must be one of the addresses found by looking up the <CODE>localhost</CODE>
354name using <CODE>gethostbyname()</CODE>.
355<H3>FORWARD</H3>
356
357<P>Match type: Address Match
358<P>The list of REMOTEHOST and HOST addresses must not have a common entry.
359This is identical to NOT SAMEHOST.
360This is usually the case when a remote <CODE>lpd</CODE> server is forwarding
361jobs to the <CODE>lpd</CODE> server.
362<H3>GROUP</H3>
363
364<P>Match type: modified GLOB
365<P>If the pattern does not start with a <CODE>@</CODE> character,
366then the USER information must be present
367and the USER must be present in
368one of the groups in <CODE>/etc/group</CODE> or whatever permissions mechanism is used
369to determine group ownership
370which matches the GLOB pattern.
371<P>If the pattern starts with a <CODE>@</CODE> character,
372then the USER information must be present
373and the user must be in the specified <CODE>netgroup</CODE>.
374This match will be performed only if the <CODE>netgroup</CODE>
375mechanism is supported on the system and the specified netgroup
376exists.
377No wildcard match will be done for netgroups.
378<H3>REMOTEGROUP</H3>
379
380<P>The same rules as for GROUP,
381but using the REMOTEUSER value.
382<H3>CONTROLLINE</H3>
383
384<P>Match type: GLOB
385<P>A <CODE>CONTROLLINE</CODE> pattern has the form
386<BLOCKQUOTE><CODE>
387<PRE>
388X=pattern1,pattern2,...
389</PRE>
390</CODE></BLOCKQUOTE>
391<P>X is a single upper case letter.
392The corresponding line must be present in a control file,
393and the pattern is applied to the line contents.
394<P>This pattern can be used to select only files with specific control
395file information for printing.
396<H3>AUTH</H3>
397
398<P>Match type: GLOB
399<P>The AUTH value can be NONE,
400indicating that no authentication was done.
401If authentication was done,
402then AUTH=USER checks to see if there was user information,
403and AUTH=FWD checks to see if there was forwarding system identification.
404<H3>AUTHUSER</H3>
405
406<P>Match type: GLOB
407<P>If AUTH=USER check succeeds,
408the AUTHUSER rule will check to see if the user identification
409matches the pattern.
410<H3>FWDUSER</H3>
411
412<P>Match type: GLOB
413<P>If AUTH=FWD check succeeds,
414the FWDUSER rule will check to see if the forwarding system identification
415matches the pattern.
416<H3>IFIP</H3>
417
418<P>Match type: IPmatch, but for IPV6 as well as IPV4
419<P>There is a subtle problem with names and IP addresses which are
420obtained for 'multi-homed hosts', i.e. - those with multiple
421ethernet interfaces,  and for IPV6 (IP Version 6),  in which a host
422can have multiple addresses,  and for the normal host which can have
423both a short name and a fully qualified domain name.
424<P>The IFIP (interface IP) field can be used to check the IP address
425of the origination of the request,  as reported by the information
426returned by the accept() system call.  Note that this information may
427be IPV4 or IPV6 information,  depending on the origination of the
428system.  This information is used by gethostbyaddr() to obtain the
429originating host fully qualified domain name (FQDN) and set of IP addresses.
430Note that this FQDN will be for the originating interface,  and may
431not be the canonical host name.  Some systems which use the Domain Name Server
432(DNS) system may add the canonical system name as an alias.
433<H2><A NAME="permspath"></A> <A NAME="ss14.4">14.4 Permission File Location</A>
434</H2>
435
436<P>Options used:
437<UL>
438<LI> <CODE>perms_path=</CODE><EM> directory path list</EM></LI>
439</UL>
440<P>The <CODE>perms_path=</CODE> configuration variable specifies the
441location of the default permissions file.
442The default value is:
443<BLOCKQUOTE><CODE>
444<PRE>
445perms_path=/etc/lpd.perms:/usr/etc/lpd.perms
446</PRE>
447</CODE></BLOCKQUOTE>
448<P>The <CODE>lpd.perms</CODE> file can be obtained by running a program,
449in a similar manner to the <CODE>/etc/printcap</CODE> file.
450See
451<A HREF="LPRng-HOWTO-13.html#secfilter">Filters</A> for details on how
452the program would be invoked.
453For example, assume the configuration information specified:
454<BLOCKQUOTE><CODE>
455<PRE>
456perms_path=|/usr/local/libexec/get_perms
457</PRE>
458</CODE></BLOCKQUOTE>
459<P>Then the <CODE>get_perms</CODE> program would be invoked with STDIN attached
460to <CODE>/dev/null</CODE> and the complete set of permission information
461would be read from its STDOUT.
462<H2><A NAME="ss14.5">14.5 Example Permission File</A>
463</H2>
464
465<P>
466<BLOCKQUOTE><CODE>
467<PRE>
468# allow root on server to control jobs
469ACCEPT SERVICE=C SERVER REMOTEUSER=root
470REJECT SERVICE=C
471#
472# allow same user on originating host to remove a job
473ACCEPT SERVICE=M SAMEHOST SAMEUSER
474# allow root on server to remove a job
475ACCEPT SERVICE=M SERVER REMOTEUSER=root
476REJECT SERVICE=M
477# all other operations allowed
478DEFAULT ACCEPT
479</PRE>
480</CODE></BLOCKQUOTE>
481<P>In the above sample, we first specify that
482lp<CODE>C</CODE>
483commands from user <CODE>root</CODE> on the lpd server will be accepted.
484This is traditionally the way that most lpc commands operate.
485<P>Next,  we reject any other lpc requests.
486<P>We accept
487lpr<CODE>M</CODE>
488requests from the host and user that submitted the job,
489as well as from root on the server,
490and reject any others.
491<P>Finally,
492all other types of commands (lpq, lpr) are allowed by default.
493<H2><A NAME="ss14.6">14.6 Complex Permission Checking</A>
494</H2>
495
496<P>One of the more useful types of permission checking is to
497restrict access to your printers from users outside your
498networks.
499The IP pattern can specify a list of IP addresses and netmasks
500to apply to them.
501<P>For example
502<CODE>IP=10.3.4.0/24</CODE> would match all hosts with the IP
503addresses
504<CODE>IP=10.3.4.0</CODE> to
505<CODE>IP=10.3.4.255</CODE>.
506<P>Similarly, the HOST pattern can specify a set of hostnames
507or patterns to match against based on the GLOB notation.
508<P>For example
509<CODE>REMOTEHOST=*.astart.com</CODE>
510would match all hosts with a DNS entry which ended with
511<CODE>astart.com</CODE>.
512<P>The NOT keyword reverses the match sense.  For example
513<CODE>REJECT NOT REMOTEHOST=*.astart.com,*.murphy.com</CODE>
514would reject all requests from hosts which did not have a DNS entry
515ending in
516<CODE>astart.com</CODE>
517or
518<CODE>murphy.com</CODE>.
519<H2><A NAME="ss14.7">14.7 More Examples</A>
520</H2>
521
522<P>The following is a more complex lpd.perms file.
523<BLOCKQUOTE><CODE>
524<PRE>
525# All operations allowed except those specifically forbidden
526DEFAULT ACCEPT
527#Reject connections which do not originate from hosts with an
528# address on 130.191.0.0 or from localhost,
529# or name is not assigned to Engineering pc's
530REJECT SERVICE=X NOT IFIP=130.191.0.0/16,127.0.0.1/32
531REJECT SERVICE=X NOT REMOTEHOST=engpc*
532#Do not allow anybody but root or papowell on
533#astart1.astart.com or the server to use control
534#facilities.
535ACCEPT SERVICE=C SERVER REMOTEUSER=root
536ACCEPT SERVICE=C REMOTEHOST=astart1.astart.com REMOTEUSER=papowell
537#Allow root on talker.astart.com to control printer hpjet
538ACCEPT SERVICE=C HOST=talker.astart.com PRINTER=hpjet REMOTEUSER=root
539#Reject all others
540REJECT SERVICE=C
541#Do not allow forwarded jobs or requests
542REJECT SERVICE=R,C,M FORWARD
543# allow same user on originating host to remove a job
544ACCEPT SERVICE=M SAMEHOST SAMEUSER
545# allow root on server to remove a job
546ACCEPT SERVICE=M SERVER REMOTEUSER=root
547</PRE>
548</CODE></BLOCKQUOTE>
549<HR>
550<A HREF="LPRng-HOWTO-15.html">Next</A>
551<A HREF="LPRng-HOWTO-13.html">Previous</A>
552<A HREF="LPRng-HOWTO.html#toc14">Contents</A>
553</BODY>
554</HTML>
Note: See TracBrowser for help on using the repository browser.