###########################################################################
# LPRng - An Extended Print Spooler System
#
# Copyright 1988-1995 Patrick Powell, San Diego, CA
# papowell@astart.com
# See LICENSE for conditions of use.
#
###########################################################################
# MODULE: TESTSUPPORT/lpd.perms.proto
# PURPOSE: prototype printer permissions file
# $Id: lpd.perms,v 3.6 1997/12/20 21:16:26 papowell Exp $
##########################################################################
# Printer permissions data base
## #
## LPRng - An Enhanced Printer Spooler
## lpd.perms file
## Patrick Powell <papowell@astart.com>
##
## Access control to the LPRng facilities is controlled by entries
## in a set of lpd.perms files. The common locations for these files
## are /etc/lpd.perms, /usr/etc/lpd.perms, and /var/spool/lpd/lpd.perms.
## The locations of these files are set by the perms_path entry
## in the lpd.conf file or by compile time defaults in the src/common/defaults.c
## file. In addition to the global permissions files, each spool queue
## can also have a permissions file. This file is searched when information
## or operations on a specific printer is requested.
##
## Each time the lpd server is given a user request or carries out an unspooling
## operation, it searches the perms files to determine if the action
## is ACCEPT or REJECT. The first ACCEPT or REJECT found terminates the search.
## If none is found, then the last DEFAULT action is used.
##
## Permissions are checked by the use of 'keys' and matches. The table below
## lists, for each LPR activity, the value each key takes during the check.
##
## Key          Match  Connect  Job     Job     LPQ    LPRM   LPC
##                              Spool   Print
## SERVICE      S      'X'      'R'     'P'     'Q'    'M'    'C,S'
## USER         S      -        JUSR    JUSR    JUSR   JUSR   JUSR
## HOST         S      RH       JH      JH      JH     JH     JH
## GROUP        S      -        JUSR    JUSR    JUSR   JUSR   JUSR
## IP           IP     RIP      JIP     JIP     RIP    JIP    JIP
## PORT         N      PORT     PORT    -       PORT   PORT   PORT
## REMOTEUSER   S      -        JUSR    JUSR    JUSR   CUSR   CUSR
## REMOTEHOST   S      RH       RH      JH      RH     RH     RH
## REMOTEGROUP  S      -        JUSR    JUSR    JUSR   CUSR   CUSR
## REMOTEIP     IP     RIP      RIP     JIP     RIP    RIP    RIP
## CONTROLLINE  S      -        CL      CL      CL     CL     CL
## PRINTER      S      -        PR      PR      PR     PR     PR
## FORWARD      V      -        SA      -       -      SA     SA
## SAMEHOST     V      -        SA      -       SA     SA     SA
## SAMEUSER     V      -        -       -       SU     SU     SU
## SERVER       V      -        SV      -       SV     SV     SV
##
## KEY:
## JH   = HOST        host in control file
## RH   = REMOTEHOST  connecting host name
## JUSR = USER        user in control file
## CUSR = REMOTEUSER  user from control request
## JIP  = IP          IP address of host in control file
## RIP  = REMOTEIP    IP address of requesting host
## PORT = connecting host origination port
## CONTROLLINE = pattern match of control line in control file
## FW = IP of source of request = IP of host in control file
## SA = IP of source of request = IP of host in control file
## SU = user from request = user in control file
## SV = IP of source of request = IP of server host
##
## Match: S = string with wild card, IP = IPaddress[/netmask],
## N = low[-high] number range, V = exact value match.
## SERVICE: 'X' - Connection request; 'R' - lpr request from remote host;
## 'P' - print job in queue; 'Q' - lpq request, 'M' - lprm request;
## 'C' - lpc spool control request; 'S' - lpc spool status request
## NOTE: when printing (P action), the remote and job check values
## (i.e. - RUSR, JUSR) are identical.
##
##
## The special key letter=patterns searches the control file
## line starting with the (upper case) letter, and is usually
## used with printing and spooling checks. For example,
## C=A*,B* would check that the class information (i.e.- line
## in the control file starting with C) had a value starting
## with A or B.
##
## A permission line consists of a list of tests and a result value.
## If all of the tests succeed, then a match has been found and the
## permission testing completes with the result value. You use the
## DEFAULT reserved word to set the default ACCEPT/REJECT result.
## The NOT keyword reverses the sense of the test that follows it.
##
## Each test can have one or more optional values separated by
## commas. For example USER=john,paul,mark has 3 test values.
##
## The Match type specifies how the matching is done.
## S = string type match - string match with glob.
## Format: string with wildcards (*)
## * matches 0 or more chars
## Character comparison is case insensitive.
## For example - USER=th*s matches uTHS, This, This, Theses
##
## IP = IP address and submask. IP address must be in dotted form.
## Format: x.x.x.x[/y.y.y.y] x.x.x.x is IP address
## y.y.y.y is optional submask, default is 255.255.255.255
## Match is done by converting to 32 bit x, y, and IP value and using:
## success = ((x ^ IP ) & y) == 0 (C language notation)
## i.e.- only bits where mask is non-zero are used in comparison.
## For example - IP=130.191.0.0/255.255.0.0 matches all addresses 130.191.X.X
##
## N = numerical range - low-high integer range.
## Format: low[-high]
## Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)
##
## SAMEUSER and SAMEHOST are options whose values are formed from information
## in control files or connections. The GROUP entry searches the user group
## database for group names matching the pattern, and then searches those
## groups for the user name. If the name is found, the test is successful.
## The SERVER entry is successful if the request originated from the current
## lpd server host.
##
## Note carefully that the USER, HOST, and IP values are based on values found
## in the control file currently being checked for permissions. The
## REMOTEUSER, REMOTEHOST, and REMOTEIP are based on values supplied as part
## of a connection to the LPD server, or on the actual TCP/IP connection.
##
## Example Permissions
##
## # All operations allowed except those specifically forbidden
## DEFAULT ACCEPT
##
## #Reject connections from hosts not on subnet 130.191.0.0
## # or Engineering pc's
## REJECT SERVICE=X NOT IP=130.191.0.0/255.255.0.0
## REJECT SERVICE=X NOT REMOTEHOST=engpc*
##
## #Do not allow anybody but root or papowell on
## #astart1.astart.com or the server to use control
## #facilities.
## ACCEPT SERVICE=C SERVER REMOTEUSER=root
## ACCEPT SERVICE=C REMOTEHOST=astart1.astart.com REMOTEUSER=papowell
##
## #Allow root on talker.astart.com to control printer hpjet
## ACCEPT SERVICE=C HOST=talker.astart.com PRINTER=hpjet REMOTEUSER=root
## #Reject all others
## REJECT SERVICE=C
##
## #Do not allow forwarded jobs or requests
## REJECT SERVICE=R,C,M FORWARD
##
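To show how the rules above are evaluated, here is a small Python evaluator added for this prototype file (it is not LPRng code): it implements the first-match search, the S/IP/N match types, the V flags, NOT and DEFAULT, and runs a constructed copy of the sample rules above against request dictionaries whose keys the caller has already resolved per the table (for a connect request, IP and REMOTEHOST come from the TCP connection). It assumes REJECT when a file has no DEFAULT line and does not implement the GROUP or CONTROLLINE lookups.

```python
import fnmatch
import ipaddress
# Match type per key (from the table above): S glob, IP addr[/mask], N low[-high], V flag.
KEY_TYPES = {"SERVICE": "S", "USER": "S", "HOST": "S", "REMOTEUSER": "S", "REMOTEHOST": "S",
             "PRINTER": "S", "IP": "IP", "REMOTEIP": "IP", "PORT": "N",
             "FORWARD": "V", "SAMEHOST": "V", "SAMEUSER": "V", "SERVER": "V"}

def match_value(kind, pattern, actual):
    if kind == "S":   # glob match with *, case insensitive
        return fnmatch.fnmatchcase(actual.lower(), pattern.lower())
    if kind == "IP":  # success = ((x ^ IP) & y) == 0; y defaults to 255.255.255.255
        addr, _, mask = pattern.partition("/")
        x, y, ip = (int(ipaddress.IPv4Address(s)) for s in (addr, mask or "255.255.255.255", actual))
        return ((x ^ ip) & y) == 0
    low, _, high = pattern.partition("-")  # N: low[-high], inclusive
    return int(low) <= int(actual) <= int(high or low)

def rule_matches(tests, req):
    """Every test must pass; KEY=a,b passes on any value; NOT inverts the test after it."""
    negate = False
    for tok in tests:
        if tok == "NOT":
            negate = True
            continue
        key, _, values = tok.partition("=")
        kind, actual = KEY_TYPES[key], req.get(key)
        ok = bool(actual) if kind == "V" else (actual is not None and any(
            match_value(kind, v, str(actual)) for v in values.split(",")))
        if ok == negate:  # a plain test failed, or a NOT test matched
            return False
        negate = False
    return True

def check_perms(perms_text, req):
    """First matching ACCEPT/REJECT ends the search; else the last DEFAULT (REJECT assumed if none)."""
    default = "REJECT"
    for line in perms_text.splitlines():
        tokens = line.split("#", 1)[0].upper().split()  # drop comments; S matching lowercases again
        if tokens and tokens[0] == "DEFAULT":
            default = tokens[1]
        elif tokens and rule_matches(tokens[1:], req):
            return tokens[0]
    return default

EXAMPLE_PERMS = """DEFAULT ACCEPT
REJECT SERVICE=X NOT IP=130.191.0.0/255.255.0.0
REJECT SERVICE=X NOT REMOTEHOST=engpc*
ACCEPT SERVICE=C SERVER REMOTEUSER=root
REJECT SERVICE=C
REJECT SERVICE=R,C,M FORWARD"""
```

Each request dictionary is constructed for the demonstration; values such as SERVER or FORWARD are the already-computed V flags.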
# allow root on server to control jobs
ACCEPT SERVICE=C SERVER REMOTEUSER=root
# allow anybody to get status
ACCEPT SERVICE=S
# reject all others, including lpc commands permitted by user_lpc
REJECT SERVICE=CSU
#
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
# all other operations allowed
DEFAULT ACCEPT