1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162
|
###########################################################################
# LPRng - An Extended Print Spooler System
#
# Copyright 1988-1995 Patrick Powell, San Diego, CA
# papowell@astart.com
# See LICENSE for conditions of use.
#
###########################################################################
# MODULE: TESTSUPPORT/lpd.perms.proto
# PURPOSE: prototype printer permissions file
# $Id: lpd.perms,v 3.6 1997/12/20 21:16:26 papowell Exp $
##########################################################################
# Printer permissions data base
## #
## LPRng - An Enhanced Printer Spooler
## lpd.perms file
## Patrick Powell <papowell@astart.com>
##
## Access control to the LPRng facilities is controlled by entries
## in a set of lpd.perms files. The common location for these files
## are: /etc/lpd.perms, /usr/etc/lpd.perms, and /var/spool/lpd/lpd.perms.
## The locations of these files are set by the perms_path entry
## in the lpd.conf file or by compile time defaults in the src/common/defaults.c
## file. In addition to the global permissions files, each spool queue
## can also have a permissions file. This file is searched when information
## or operations on a specific printer is requested.
##
## Each time the lpd server is given a user request or carries out an unspooling
## operation, it searches to the perms files to determine if the action
## is ACCEPT or REJECT. The first ACCEPT or REJECT found terminates the search.
## If none is found, then the last DEFAULT action is used.
##
## Permissions are checked by the use of 'keys' and matches. For each of
## the following LPR activities, the following keys have a value.
##
## Key Match Connect Job Job LPQ LPRM LPC
## Spool Print
## SERVICE S 'X' 'R' 'P' 'Q' 'M' 'C,S'
## USER S - JUSR JUSR JUSR JUSR JUSR
## HOST S RH JH JH JH JH JH
## GROUP S - JUSR JUSR JUSR JUSR JUSR
## IP IP RIP JIP JIP RIP JIP JIP
## PORT N PORT PORT - PORT PORT PORT
## REMOTEUSER S - JUSR JUSR JUSR CUSR CUSR
## REMOTEHOST S RH RH JH RH RH RH
## REMOTEGROUP S - JUSR JUSR JUSR CUSR CUSR
## REMOTEIP IP RIP RIP JIP RIP RIP RIP
## CONTROLLINE S - CL CL CL CL CL
## PRINTER S - PR PR PR PR PR
## FORWARD V - SA - - SA SA
## SAMEHOST V - SA - SA SA SA
## SAMEUSER V - - - SU SU SU
## SERVER V - SV - SV SV SV
##
## KEY:
## JH = HOST host in control file
## RH = REMOTEHOST connecting host name
## JUSR = USER user in control file
## CUSR = REMOTEUSER user from control request
## JIP= IP IP address of host in control file
## RIP= REMOTEIP IP address of requesting host
## PORT= connecting host origination port
## CONTROLLINE= pattern match of control line in control file
## FW= IP of source of request = IP of host in control file
## SA= IP of source of request = IP of host in control file
## SU= user from request = user in control file
## SA= IP of source of request = IP of server host
##
## Match: S = string with wild card, IP = IPaddress[/netmask],
## N = low[-high] number range, V = exact value match.
## SERVICE: 'X' - Connection request; 'R' - lpr request from remote host;
## 'P' - print job in queue; 'Q' - lpq request, 'M' - lprm request;
## 'C' - lpc spool control request; 'S' - lpc spool status request
## NOTE: when printing (P action), the remote and job check values
## (i.e. - RUSR, JUSR) are identical.
##
##
## The special key letter=patterns searches the control file
## line starting with the (upper case) letter, and is usually
## used with printing and spooling checks. For example,
## C=A*,B* would check that the class information (i.e.- line
## in the control file starting with C) had a value starting
## with A or B.
##
## A permission line consists of list of tests and an a result value
## If all of the tests succeed, then a match has been found and the
## permission testing completes with the result value. You use the
## DEFAULT reserved word to set the default ACCEPT/DENY result.
## The NOT keyword will reverse the sense of a test.
##
## Each test can have one or more optional values separated by
## commas. For example USER=john,paul,mark has 3 test values.
##
## The Match type specifies how the matching is done.
## S = string type match - string match with glob.
## Format: string with wildcards (*)
## * matches 0 or more chars
## Character comparison is case insensitive.
## For example - USER=th*s matches uTHS, This, This, Theses
##
## IP = IP address and submask. IP address must be in dotted form.
## Format: x.x.x.x[/y.y.y.y] x.x.x.x is IP address
## y.y.y.y is optional submask, default is 255.255.255.255
## Match is done by converting to 32 bit x, y, and IP value and using:
## success = ((x ^ IP ) & y) == 0 (C language notation)
## i.e.- only bits where mask is non-zero are used in comparison.
## For example - IP=130.191.0.0/255.255.0.0 matches all address 130.191.X.X
##
## N = numerical range - low-high integer range.
## Format: low[-high]
## Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)
##
## The SAMEUSER and SAMEHOST are options that form values from information
## in control files or connections. The GROUP entry searches the user group
## database for group names matching the pattern, and then searches these
## for the user name. If the name is found, the search is successful.
## The SERVER entry is successful if the request originated from the current
## lpd server host.
##
## Note carefully that the USER, HOST, and IP values are based on values found
## in the control file currently being checked for permissions. The
## REMOTEUSER, REMOTEHOST, and REMOTEIP are based on values supplied as part
## of a connection to the LPD server, or on the actual TCP/IP connection.
##
## Example Permissions
##
## # All operations allowed except those specifically forbidden
## DEFAULT ACCEPT
##
## #Reject connections from hosts not on subnet 130.191.0.0
## # or Engineering pc's
## REJECT SERVICE=X NOT IP=130.191.0.0/255.255.0.0
## REJECT SERVICE=X NOT REMOTEHOST=engpc*
##
## #Do not allow anybody but root or papowell on
## #astart1.astart.com or the server to use control
## #facilities.
## ACCEPT SERVICE=C SERVER REMOTEUSER=root
## ACCEPT SERVICE=C REMOTEHOST=astart1.astart.com REMOTEUSER=papowell
##
## #Allow root on talker.astart.com to control printer hpjet
## ACCEPT SERVICE=C HOST=talker.astart.com PRINTER=hpjet REMOTEUSER=root
## #Reject all others
## REJECT SERVICE=C
##
## #Do not allow forwarded jobs or requests
## REJECT SERVICE=R,C,M FORWARD
##
# allow root on server to control jobs
ACCEPT SERVICE=C SERVER REMOTEUSER=root
# allow anybody to get status
ACCEPT SERVICE=S
# reject all others, including lpc commands permitted by user_lpc
REJECT SERVICE=CSU
#
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
# all other operations allowed
DEFAULT ACCEPT
|