The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

lpd.perms (5)
  • >> lpd.perms (5) ( Linux man: Форматы файлов )
  •  

    NAME

    lpd.perms - permissions control file for the LPRng line printer spooler system
    
     

    DESCRIPTION

    The file lpd.perms is used to provide permission information for the LPRng Printer spooler system. Blank lines and all characters after a hash sign (``#'') to the end of line are ignored. If a hash sign is desired in the permission information, it should be escaped with a backslash (``\''). All other lines specify permissions entry and should be of the following form:
    ACCEPT [[not] key = value[,value]* ]*
    REJECT [[not] key = value[,value]* ]*
    DEFAULT ACCEPT
    DEFAULT REJECT

    Each LPD service request is checked against the entries in the permissions database or file. The following is a typical permissions file:

    # Set default permissions
    DEFAULT ACCEPT
    # Reject any connections from outside our subnet
    REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0
    # Only accept Printing (P) and spooling (LPR) from
    # Engineering Lab or the Dean's office
    REJECT SERVICE=P,R NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu
    # Do not accept forwarded jobs for printing
    REJECT SERVICE=P FORWARD
    # Allow only the administrators control access
    ACCEPT SERVICE=C,M REMOTEHOST=spooler.eng.sdsu.edu REMOTEUSER=root,papowell
    ACCEPT SERVICE=C,M SERVER REMOTEUSER=root,papowell
    # Allow only the user on the same host who spooled job to remove it
    ACCEPT SERVICE=M SAMEUSER SAMEHOST
    # Allow users to check status
    ACCEPT SERVICE=C LPC=status
    REJECT SERVICE=C
    

    Permission checking is done by using a set of keys (or fields) with associated values to check for permission. The SERVICE key has value P for printing (i.e.- unspooling), R for spooling (i.e.- LPR request), C printer control (i.e. - LPC), M for removal (i.e.- LPRM request), and Q for queue information (i.e.- LPQ request). The key is used when checking for connection information.

    Initially, all of the keys have undefined or NULL values, and are assigned values during the permissions checking process. When a connection is made to the server, it assigns The REMOTEHOST key the list of IP addresses and hostnames determined by doing a reverse Domain Name Service (DNS) lookup on the remote host's IP address. If the reverse DNS fails, then only the IP address will be used. The REMOTEIP is an alias for REMOTEHOST and is retained for backwards compatibility. The REMOTEPORT (PORT is an alias for REMOTEPORT) is assigned the port number of the connection origination. Finally, the SERVICE value is assigned X, and the lpd server will check the database to see if the connection is accepted or rejected.

    The server will then read the request information from the connection. If the request is for an authenticated data transfer, the server will invoke the appropriate authentication mechanism which will assign AUTH a true (or matching) value, AUTHTYPE the type of authentication, AUTHUSER the authenticated user id value, which may differ from the actual user name, and AUTHFROM the authenticated identification of the originator of the request, which may be a server if the request is forwarded.

    Next, the SERVICE value is set to R, C, M, or Q depending on whether it is an LPR, LPC, LPRM, or LPQ request, and the LPC value set to the requested LPC command if it was an LPC request. If the request contained a user name, then REMOTEUSER is set to this name. If the request contained a printer name, then PRINTER is set to the printer name. If the request is a print request, then the HOST value is set to the list of host names and IP addresses given by a DNS lookup of the value in the H field of the job. The database is scanned again to determine if the operation can be performed on the requested queue. To simplify the rule writing, if the operation requires modification or checking of individual jobs, such as the LPC, LPQ, or LPRM commands, then the various checks that depend on jobs will succeed in this step.

    Finally, if the operation requires modification or checking of individual jobs, such as the LPC, LPQ, or LPRM commands, then the specified print queue is scanned, and for each job in the print queue, the HOST and USER values are set to the host and user values in the control file for the job.

    The database is checked as follows. Each line of the permissions file is scanned for key names and values, and these are matched against the request keys information. When all matches on a line are made, then search terminates with the specified action (ACCEPT/REJECT). If no match is found the default permission value is used. The DEFAULT key is used to specify the current default permission to be used for successful matches or if there is no match after scanning the entire permissions database.

    The following keys provide some additional checking capabilties. The REMOTEGROUP entry checks that the REMOTEUSER value appears in a group or netgroup entry in the system database, and the GROUP entry for the USER value. For example, GROUP=student*,staff* would check to see if any of the group names matching student* or staff* have the specified user name in them. If a system has the netgroups capability, a printer, group, or remotegroup name starting with a @ will be treated as a netgroup name, and specified user name or printer will be checked to see if it is in the group.

    The SERVER entry will be true (match) if the request originated from the print server. The SAMEHOST is true (matches) if the REMOTEHOST and HOST values have a common entry, i.e. - are the same host. The SAMEUSER is true (matches) if the REMOTEUSER and USER values are identical. The AUTHSAMEUSER is true (matches) if the AUTHUSER value that orginated the request and the AUTHUSER which was used to transfer a job are identical. AUTHJOB is true (matches) if the job was transferred using authentication. The FORWARD value is an alias for NOT SAMEHOST.

    The CONTROLLINE value can be used to determine if there is a matching line in the control file. This facility has been used to ensure that jobs contain various information fields in order to be printed.

    
    Key          Match Connect Job   Job    LPQ  LPRM  LPC
                               Spool Print
    SERVICE      S     'X'     'R'   'P'    'Q'  'M'   'C,S'
    USER         S     -       JUSR  JUSR   JUSR JUSR  JUSR
    HOST         S     RH      JH    JH     JH   JH    JH
    GROUP        S     -       JUSR  JUSR   JUSR JUSR  JUSR
    REMOTEPORT   N     PORT    PORT  -      PORT PORT  PORT
    REMOTEUSER   S     -       JUSR  JUSR   JUSR CUSR  CUSR
    REMOTEHOST   S     RH      RH    JH     RH   RH    RH
    REMOTEGROUP  S     -       JUSR  JUSR   JUSR CUSR  CUSR
    CONTROLLINE  S     -       CL    CL     CL   CL    CL
    PRINTER      S     -       PR    PR     PR   PR    PR
    FORWARD      V     -       SA    -      -    SA    SA
    SAMEHOST     V     -       SA    -      SA   SA    SA
    SAMEUSER     V     -       -     -      SU   SU    SU
    SERVER       V     -       SV    -      SV   SV    SV
    AUTH         V     -       AU    -      AU   AU    AU
    AUTHTYPE     S     -       AU    -      AU   AU    AU
    AUTHUSER     S     -       AU    -      AU   AU    AU
    AUTHSAMEUSER S     -       AU    -      AU   AU    AU
    AUTHFROM     S     -       AU    -      AU   AU    AU
    AUTHJOB      V     -       AU    -      AU   AU    AU
    
    
    KEY:
       JH = HOST          host in control file
       RH = REMOTEHOST    connecting host name
       JUSR = USER        user in control file
       CUSR = REMOTEUSER  user from control request
       JIP= IP            IP address of host in control file
       RIP= REMOTEIP      IP address of requesting host
       PORT=              connecting host origination port
       CONTROLLINE=       pattern match of control line in control file
       FW= IP of source of request = IP of host in control file
       SA= IP of source of request = IP of host in control file
       SU= user from request = user in control file
       SA= IP of source of request = IP of server host
       SV= matches if from same address as server
       AU= value determined by server authentication operation
                          AUTH is true if authenticated transfer,
                          TYPE is set to the type of authentication (pgp, kerberos, etc)
                          AUTHUSER is user authentication id
                          AUTHFROM is sender authentication id (can be remote server)
                          AUTHSAMEUSER matches if remote user authentication id matches original
                          user authentication id
                          AUTHJOB it true if print job has authentication
    Match: S = string with wild card, IP = IPaddress[/netmask],
       N = low[-high] number range, V = exact value match
    SERVICE: 'X' - Connection request; 'R' - lpr request from remote host;
        'P' - print job in queue; 'Q' - lpq request, 'M' - lprm request;
        'C' - lpc spool control request; 'S' - lpc spool status request
       'U' - administratively allowed user operation
    NOTE: when printing (P action), the remote and job check values
       (i.e. - RUSR, JUSR) are identical.
    

    The special key letter=patterns searches the control file line starting with the (upper case) letter, and is usually used with printing and spooling checks. For example, C=A*,B* would check that the class information (i.e.- line in the control file starting with C) had a value starting with A or B.

    A permission line consists of a list of tests and a result value. If all of the tests succeed, then a match has been found and the permission testing completes with the result value. You use the DEFAULT reserved word to set the default ACCEPT/DENY result. The NOT keyword will reverse the sense of a test.

    Each test can have one or more optional values separated by commas. For example USER=john,paul,mark has 3 test values. The Match value specifies how the matching is done.

    S = string type match - string match with glob.
    
        Format:  string with wildcards (*)
            * matches 0 or more chars
        Character comparison is case insensitive.
        For example - USER=th*s matches uTHS, This, This, Theses
    
    IP = IP address and submask.  IP address must be in dotted form.
        Format: x.x.x.x[/y.y.y.y or /z] 
            x.x.x.x is IP address
            y.y.y.y is optional submask, default is 255.255.255.255
            z is a netmask with most significant z bits set.
        Match is done by IP address to a 32 bit value and using:
            success = ((x ^ IP ) & y) == 0   (C language notation)
        i.e.- only bits where mask is non-zero are used in comparison.
        For example - IP=130.191.0.0/255.255.0.0 matches all address 130.191.X.X
        IP=130.191.0.0/16 has the same value.
    
    N = numerical range  -  low-high integer range.
        Format: low[-high]
        Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)
    

    The authentication entries AUTH, AUTHTYPE, AUTHUSER, AUTHSAMEUSER and AUTHFROM can be used to check permissions for authenticated operations. AUTH is set (true) if authentication was done. We can use this to reject non-authenticated transfers:
    REJECT NOT AUTH
    The AUTHTYPE will match the authentication type being used or requested by the remote client or server. The AUTHUSER matches the original client authentication information used by the client to make a request to the server, and the AUTHFROM matches the sender authentication information. The AUTHSAMEUSER will match if the remote client or user authentication id is the same as that used for the job generation.  

    LPC=OP

    The LPC=op entry is useful to allow various users to perform administration operations. The following permissions entry would allows users to hold or release their own jobs:
    ACCEPT SERVICE=C SAMEUSER SAMEHOST LPC=release  

    DNS, IPV6, AND MULTIHOMED HOSTS

    There is a subtle problem with names and IP addresses which are obtained for 'multi-homed hosts', i.e. - those with multiple ethernet interfaces, and for IPV6 (IP Version 6), in which a host can have multiple addresses, and for the normal host which can have both a short name and a fully qualified domain name.

    When performing an IP address match, the entire list of IP addresses for a system will now be checked. If one of these matches, then success is reported. Similarly, the entire list of host names and aliases will be checked. If one of these matches, then success will be reported.
     

    FILES

    The files used by LPRng are set by values in the printer configuration file. The following are a commonly used set of default values.

    
    /etc/lpd.conf                                LPRng configuration file
    /etc/printcap                                printer description file
    /etc/lpd.perms                               printer permissions
    /var/spool/printer*                          spool directories
    /var/spool/printer*/printer                  lock file for queue control
    /var/spool/printer*/control.printer          queue control
    /var/spool/printer*/active.printer           active job
    /var/spool/printer*/log.printer              log file
    
     

    SEE ALSO

    lpd.conf(5), lpc(8), lpd(8), checkpc(8), lpr(1), lpq(1), lprm(1), printcap(5), pr(1).  

    HISTORY

    LPRng is a enhanced printer spooler system with functionality similar to the Berkeley LPR software. The LPRng mailing list is [email protected]; subscribe by sending mail to [email protected] with the word subscribe in the body. The software is available from ftp://ftp.astart.com/pub/LPRng.  

    AUTHOR

    Patrick Powell <[email protected]>.


     

    Index

    NAME
    DESCRIPTION
    LPC=OP
    DNS, IPV6, AND MULTIHOMED HOSTS
    FILES
    SEE ALSO
    HISTORY
    AUTHOR


    Поиск по тексту MAN-ов: 




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру