1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org">
<title>Permissions and Authentication</title>
<meta name="GENERATOR" content=
"Modular DocBook HTML Stylesheet Version 1.71 ">
<link rel="HOME" title=" LPRng-HOWTO" href="index.htm">
<link rel="PREVIOUS" title="ifhp Filter " href="ifhp.htm">
<link rel="NEXT" title="Rule Matching Procedures" href=
"x8558.htm">
</head>
<body class="CHAPTER" bgcolor="#FFFFFF" text="#000000" link=
"#0000FF" vlink="#840084" alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border=
"0" cellpadding="0" cellspacing="0">
<tr>
<th colspan="3" align="center">LPRng-HOWTO: 1 Apr 2002
(For LPRng-3.8.10)</th>
</tr>
<tr>
<td width="10%" align="left" valign="bottom"><a href=
"ifhp.htm" accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">
</td>
<td width="10%" align="right" valign="bottom"><a href=
"x8558.htm" accesskey="N">Next</a></td>
</tr>
</table>
<hr align="LEFT" width="100%">
</div>
<div class="CHAPTER">
<h1><a name="PERMSREF">Chapter 17. Permissions and
Authentication</a></h1>
<div class="TOC">
<dl>
<dt><b>Table of Contents</b></dt>
<dt>17.1. <a href=
"permsref.htm#DEFAULTPERMISSION">Permission Checking
Algorithm</a></dt>
<dt>17.2. <a href="x8558.htm">Rule Matching
Procedures</a></dt>
<dt>17.3. <a href="permspath.htm">Permission File
Location</a></dt>
<dt>17.4. <a href="x8797.htm">Example Permission
File</a></dt>
<dt>17.5. <a href="x8810.htm">Complex Permission
Checking</a></dt>
<dt>17.6. <a href="x8825.htm">More Examples</a></dt>
<dt>17.7. <a href="authref.htm">Authentication</a></dt>
<dt>17.8. <a href="x8840.htm">Authentication</a></dt>
<dt>17.9. <a href="x8852.htm">Identifiers</a></dt>
<dt>17.10. <a href="x8858.htm">RFC1179 Protocol
Extensions</a></dt>
<dt>17.11. <a href="auth.htm">Authentication
Operations</a></dt>
<dt>17.12. <a href="x8961.htm">Permission
Checking</a></dt>
<dt>17.13. <a href="x8993.htm">PGP Authentication
Support</a></dt>
<dt>17.14. <a href="kerberos.htm">Using Kerberos 5 for
Authentication</a></dt>
<dt>17.15. <a href="x9264.htm">Using Kerberos 4 for
Authentication</a></dt>
<dt>17.16. <a href="x9290.htm">Using MD5 for
Authentication</a></dt>
<dt>17.17. <a href="x9357.htm">Adding Authentication
Support</a></dt>
</dl>
</div>
<p>The contents of the <tt class=
"FILENAME">/etc/lpd.perms</tt> file are used to control
access to the <b class="APPLICATION">lpd</b> server
facilities. The model used for permission granting is similar
to packet filters. An incoming request is tested against a
list of rules, and the first match found determines the
action to be taken. The action is either <span class=
"ACRONYM">ACCEPT</span> or the request is granted, or <span
class="ACRONYM">REJECT</span> and the request is denied. You
can also establish a default action.</p>
<p>The following is a sample <tt class=
"FILENAME">lpd.perms</tt> file.</p>
<div class="INFORMALEXAMPLE">
<a name="AEN8341"></a>
<pre class="SCREEN">
# allow root on server to control jobs
ACCEPT SERVICE=C SERVER REMOTEUSER=root
REJECT SERVICE=C
#
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
# all other operations allowed
DEFAULT ACCEPT
</pre>
</div>
<br>
<br>
<p>Each line of the permissions file is a rule. A rule will
ACCEPT or REJECT a request if all of the patterns specified
in the rule match. If there is a match failure, the next rule
in sequence will be applied. If all of the rules are
exhausted, then the last specified default authorization will
be used.</p>
<p>The sense of a pattern match can be inverted using the NOT
keyword. For example, the rules with <tt class=
"LITERAL">ACCEPT NOT REMOTEUSER=john,bill</tt> succeeds only
if the REMOTEUSER value is defined and is not <tt class=
"LITERAL">john</tt> or <tt class="LITERAL">bill</tt>.</p>
<p>Each entry in a rule is a keyword which has is assigned a
value or list of values followed by an optional set of
patterns that are matched against these values. The following
table is a summary of the available keywords.</p>
<div class="TABLE">
<a name="PERMSKEYWORDS"></a>
<p><b>Table 17-1. Permission Keywords and Purpose</b></p>
<table border="1" class="CALSTABLE">
<thead>
<tr>
<th align="LEFT" valign="TOP">Keyword</th>
<th align="LEFT" valign="TOP">Match</th>
</tr>
</thead>
<tbody>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">DEFAULT</span></td>
<td align="LEFT" valign="TOP">default result</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">SERVICE</span></td>
<td align="LEFT" valign="TOP">Checking lpC, lpR,
lprM, lpQ, and Printing</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">USER</span></td>
<td align="LEFT" valign="TOP">P (logname) field name
in print job control file.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">REMOTEUSER</span></td>
<td align="LEFT" valign="TOP">user name in request
from remote host.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">HOST</span></td>
<td align="LEFT" valign="TOP">DNS and IP address
information for the H (host) field name in print job
control file</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">REMOTEHOST</span></td>
<td align="LEFT" valign="TOP">DNS and IP address
information for the connection from the remote host
making the request</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">IP</span></td>
<td align="LEFT" valign="TOP">Alias for HOST</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">REMOTEIP</span></td>
<td align="LEFT" valign="TOP">Alias for
REMOTEHOST</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">REMOTEPORT</span></td>
<td align="LEFT" valign="TOP">Originating TCP/IP port
for the connection from the remote host making the
request</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">PORT</span></td>
<td align="LEFT" valign="TOP">Alias for PORT</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">UNIXSOCKET</span></td>
<td align="LEFT" valign="TOP">Connection is on a UNIX
socket, i.e. from localhost</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">SAMEUSER</span></td>
<td align="LEFT" valign="TOP">USER and REMOTEUSER
matches</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">SAMEHOST</span></td>
<td align="LEFT" valign="TOP">HOST and REMOTEHOST
matches</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">SERVER</span></td>
<td align="LEFT" valign="TOP">request originates on
lpd server</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">FORWARD</span></td>
<td align="LEFT" valign="TOP">destination of job is
not host</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">REMOTEGROUP</span></td>
<td align="LEFT" valign="TOP">REMOTEUSER is in the
specified group or netgroup in the <b class=
"APPLICATION">lpd</b> server group database.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">GROUP</span></td>
<td align="LEFT" valign="TOP">USER is in the
specified group or netgroup in the <b class=
"APPLICATION">lpd</b> server group database.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">LPC</span></td>
<td align="LEFT" valign="TOP">LPC command in the LPC
request.</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">CONTROLLINE</span></td>
<td align="LEFT" valign="TOP">match a line in control
file</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">AUTH</span></td>
<td align="LEFT" valign="TOP">authentication
type</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">AUTHUSER</span></td>
<td align="LEFT" valign="TOP">authenticated user</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">AUTHFROM</span></td>
<td align="LEFT" valign="TOP">authenticated
forwarder</td>
</tr>
<tr>
<td align="LEFT" valign="TOP"><span class=
"ACRONYM">AUTHJOB</span></td>
<td align="LEFT" valign="TOP">authenticated job in
queue</td>
</tr>
</tbody>
</table>
</div>
<div class="SECT1">
<h1 class="SECT1"><a name="DEFAULTPERMISSION">17.1.
Permission Checking Algorithm</a></h1>
<p>Options used:</p>
<ul>
<li>
<p><tt class="LITERAL">default_permission=</tt><i
class="EMPHASIS">Default Permission (accept)</i></p>
</li>
</ul>
<br>
<br>
<p>The <b class="APPLICATION">lpd</b> server uses the
following algorithm to do permission checks.</p>
<ol type="1">
<li>
<p>The configuration information initially establishes
a default permission using the <tt class=
"LITERAL">default_permission</tt> configuration value.
This is used if an explicit permission is not
determined by the other steps in this algorithm.</p>
</li>
<li>
<p>Each line of the permissions file is a lists of
tests (patterns) and a permission value that is used if
all of the tests (patterns) on the line are successful.
A DEFAULT line sets the default result if all lines
fail.</p>
</li>
<li>
<p>Each line is executed in sequence until a match is
found. The first matching line terminates the
permission checking and the corresponding permission
value is used.</p>
</li>
<li>
<p>Each keyword has a value (or set of values) that are
matched against a set of patterns. If the keyword does
not have a value (or the <i class="EMPHASIS">null</i>
value) then the match will fail. Initially, all the
keywords have a <tt class="LITERAL">null</tt>
value.</p>
</li>
<li>
<p>When a connection is received by the <b class=
"APPLICATION">lpd</b> server, REMOTEHOST and REMOTEPORT
are set to the the IP addresses and hostnames, and the
TCP/IP port of the host originating the IP address
respectively. REMOTEIP and IFHP are aliases for
REMOTEPORT and PORT is an alias for REMOTEPORT and are
provided for backwards compatibility with older
versions of <b class="APPLICATION">LPRng</b>. If the
connection was on a UNIX socket, then the UNIXSOCKET
flag is set. For example, a request originating from
<tt class="LITERAL">10.0.0.2</tt>, port 1011 would set
REMOTEIP to 10.0.0.2 and PORT to 1011.</p>
</li>
<li>
<p>The REMOTEHOST value is set to the result of doing a
reverse DNS lookup on the REMOTEIP address. This value
is the list of names <i class="EMPHASIS">and</i> ip
addresses in standard IP notation (nnn.nnn.nnn.nnn)
that are returned by the lookup. If the DNS lookup
fails then the REMOTEHOST value is set to the REMOTEIP
value. For example, lookup of 10.0.0.2 would result in
the names <tt class="FILENAME">h2.private</tt> and <tt
class="FILENAME">patrick.private</tt>, and the only IP
address assigned to it was <tt class=
"LITERAL">10.0.0.2</tt>. The REMOTEHOST value would
then be the list <tt class=
"LITERAL">h2.private,patrick.private,10.0.0.2</tt>.</p>
</li>
<li>
<p>The SERVICE value is set to <tt class=
"LITERAL">X</tt> and then the permissions database is
scanned for a matching entry. The result is the
permission value of the first matching line or the
default permission. If the result is REJECT then the
connection is closed.</p>
</li>
<li>
<p>Next, a single line is read from the connection.
This line contains the request type, the print queue
name, and depending on the request type an optional
user name and options. The SERVICE value is set to <tt
class="LITERAL">R,</tt> <tt class="LITERAL">Q,</tt> <tt
class="LITERAL">M,</tt> and <tt class="LITERAL">C,</tt>
for a <tt class="LITERAL">lpR</tt>, <tt class=
"LITERAL">lpQ</tt>, <tt class="LITERAL">lprM</tt>, and
<b class="APPLICATION">lpc</b> request respectively and
PRINTER to the print queue name.</p>
</li>
<li>
<p>If the request is for an <b class=
"APPLICATION">lpc</b> operation, the LPC value is set
to the name of the operation. For example, and <tt
class="COMMAND">lpc lpd</tt> operation</p>
</li>
<li>
<p>If the request contains a user name then REMOTEUSER
is assigned the user name.</p>
</li>
<li>
<p>If the request originates from the <b class=
"APPLICATION">lpd</b> server as determined by the
connection arriving from the <tt class=
"LITERAL">localhost</tt> address or an address assigned
to one of the network interfaces for this host then the
SERVER value is set to true (or matches).</p>
</li>
<li>
<p>If the request is for an authenticated transfer,
(see <a href="authref.htm">Authentication and
Encryption</a> ), then the authentication procedures
are carried out. After they have been performed, the
AUTH value is set to true, AUTHTYPE is set to the name
of the authentication method, AUTHUSER to the
authenticated identifier of the originator of the
request, and AUTHFROM to the authenticated identifier
of the originator of the connection.</p>
</li>
<li>
<p>Other matching keywords such as REMOTEGROUP use
values set at this time. These are discussed in the
next section.</p>
</li>
<li>
<p>The permission database is rescanned, this time to
see if there is permission to operate on the specified
spool queue. The permission database is first checked
to see if the requesting user has control (SERVICE=C)
permission. If they do, then they can perform any
operation on the spool queue. The scan is then repeated
for the actual request.</p>
</li>
<li>
<p>If there is no permission to perform the operation
then an error code and messages is returned on the
requesting connection.</p>
</li>
<li>
<p>If the operation is for a spool queue or server, no
other permissions checking is done. This includes the
<b class="APPLICATION">lpq</b> command, and most of the
<b class="APPLICATION">lpc</b> commands control queue
operations.</p>
</li>
<li>
<p>If the operation is for for individual jobs in a
spool queue, then the queue is scanned and job
information is extracted for each job in the queue. The
USER value is set to the job control file <tt class=
"LITERAL">P</tt> line. The value of the <tt class=
"LITERAL">H</tt> line in the control file is used to
perform a DNS lookup, and the HOST value is set to the
results of this lookup. IP is an alias for HOST, and is
retained for backwards compatibility.</p>
</li>
<li>
<p>The SAMEUSER value is set to true (or match) if the
REMOTEUSER value is identical to the USER value.
Similarly, SAMEHOST is set to true if the REMOTEHOST
value matches the HOST value. See the following
sections for other keywords such as GROUP.</p>
</li>
<li>
<p>The permission checking is done for each individual
job in a spool queue, and if it succeeds the action is
carried out on the job.</p>
</li>
</ol>
<br>
<br>
<p>These checks are applied on the arrival of a job from an
external connection. Unfortunately, there are a set of
print spooler implementations that do not handle job
rejection due to lack of permissions. These printers will
continually and repeatedly attempt to send a job for which
there is no printing permission until the job is removed by
administrative action. To accommodate these printers, we
must accept jobs for printing and then dispose of them.
This is done by using the SERVICE=P (printing) checks.
These checks are performed <i class="EMPHASIS">after</i>
the job has been accepted.</p>
<ol type="1">
<li>
<p>When a print spool is active and is printing or
forwarding jobs, before it processes a job it will read
the job control file and set the <span class=
"ACRONYM">USER</span> and <span class=
"ACRONYM">HOST</span> values as discussed in the
previous sections. It will also set the <span class=
"ACRONYM">AUTH</span>, <span class=
"ACRONYM">AUTHUSER</span>, and <span class=
"ACRONYM">AUTHJOB</span> values as well, if the job was
spooled by using an authenticated method.</p>
</li>
<li>
<p>The permissions database will be scanned and the
resulting permission determined. Note that the values
of the REMOTE keys are undefined, and tests using them
will have unpredictable effects.</p>
</li>
<li>
<p>If the job does not have permission to be printed,
it will normally be removed from the spool queue.</p>
</li>
</ol>
<br>
<br>
<p>While this model is very simple it can handle a wide
range of situations. However, it is really based on the
simple <i class="EMPHASIS">trust</i> that users will not <i
class="EMPHASIS">impersonate</i> other users or hosts. If
this is not the case, then more elaborate procedures based
on encryption and authentication are called for.</p>
<p>There is a problem with permissions checking for <b
class="APPLICATION">lpq</b> (SERVICE=Q) requests. Since the
user name is not passed as part of the request, it is
impossible to use the REMOTEUSER clause to restrict <b
class="APPLICATION">lpq</b> operations.</p>
<p>The <tt class="LITERAL">SERVICE=R</tt> and <tt class=
"LITERAL">SERVICE=P</tt> facilities are provided to handle
problems with print spoolers that do not recognize a <i
class="EMPHASIS">lack of permission</i> error code, and
will indefinitely retry sending a job to the <b class=
"APPLICATION">lpd</b> server. If this is the case, then the
<tt class="LITERAL">SERVICE=R</tt> clause can be used to
accept jobs, and then the <tt class=
"LITERAL">SERVICE=P</tt> clause will cause the <b class=
"APPLICATION">lpd</b> server to remove of the job when it
is scheduled for printing.</p>
</div>
</div>
<div class="NAVFOOTER">
<hr align="LEFT" width="100%">
<table summary="Footer navigation table" width="100%" border=
"0" cellpadding="0" cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href=
"ifhp.htm" accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href=
"index.htm" accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href=
"x8558.htm" accesskey="N">Next</a></td>
</tr>
<tr>
<td width="33%" align="left" valign="top"><b class=
"APPLICATION">ifhp</b> Filter</td>
<td width="34%" align="center" valign="top"> </td>
<td width="33%" align="right" valign="top">Rule Matching
Procedures</td>
</tr>
</table>
</div>
</body>
</html>
|
