RedHat 9 (Linux i386) - man page for lpd.perms (redhat section 5)


LPD.PERMS(5)									     LPD.PERMS(5)

       lpd.perms - permissions control file for the LPRng line printer spooler system

       The file lpd.perms is used to provide permission information for the LPRng printer spooler
       system.  Blank lines and all characters after a hash sign (``#'') to the end of the line are
       ignored.  If a hash sign is desired in the permission information, it should be escaped
       with a backslash (``\'').  All other lines specify a permissions entry and should be of the
       following form:
	      ACCEPT [[not] key = value[,value]* ]*
	      REJECT [[not] key = value[,value]* ]*

       Each  LPD  service  request  is checked against the entries in the permissions database or
       file.  The following is a typical permissions file:
	      # Set default permissions
	      # Reject any connections from outside our subnet
	      # Only accept spooling (LPR) from
	      # Engineering Lab or the Dean's office
	      REJECT SERVICE=R NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu
	      # Do not accept forwarded jobs for printing
	      # Allow only the administrators control access
	      ACCEPT SERVICE=C,M REMOTEHOST=spooler.eng.sdsu.edu REMOTEUSER=root,papowell
	      # Allow only the user on the same host who spooled job to remove it
	      # Allow users to check status
	      ACCEPT SERVICE=C LPC=status
	      # Require connection for other operations over UNIX socket
	      # not TCP/IP port.  Effectively requiring them to be made from the
	      # localhost

	      # Variation - accept all spooled jobs, but then apply
	      #  permissions checking when the job is printed.  This
	      #  prevents remote spoolers from locking up trying to resend
	      #  the same request
	      REJECT SERVICE=P NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu

       Permission checking is done by using a set of keys (or fields) with associated values to
       check for permission.  The SERVICE key has the value X for a connection request, R for
       spooling (i.e.- an LPR request), P for printing (i.e.- unspooling, after the job has been
       spooled), C for printer control (i.e.- LPC), M for removal (i.e.- an LPRM request), and Q
       for queue information (i.e.- an LPQ request).  The X value is used when checking the
       initial connection.

       Initially, all of the keys have undefined or NULL values, and are assigned values during
       the permissions checking process.  When a connection is made to the server, it assigns the
       REMOTEHOST (alias REMOTEIP) key the list of IP addresses and hostnames determined by doing
       a reverse Domain Name Service (DNS) lookup on the remote host's IP address.  If the
       reverse DNS fails, then only the IP address will be used.  The REMOTEPORT key (PORT is an
       alias for REMOTEPORT) is assigned the port number of the connection origination.  The
       UNIXSOCKET key will match (be true) if the connection is over a UNIX socket.  By
       convention, this is from the localhost.  Finally, the SERVICE value is assigned X, and the
       lpd server will check the database to see if the connection is accepted or rejected.

       The server will then read the request information from the connection.  If the request is
       for an authenticated data transfer, the server will invoke the appropriate authentication
       mechanism, which will assign AUTH a true (or matching) value, AUTHTYPE the type of
       authentication, AUTHUSER the authenticated user id value (which may differ from the actual
       user name), and AUTHFROM the authenticated identification of the originator of the
       request, which may be a server if the request is forwarded.

       Next, the SERVICE value is set to R, C, M, or Q depending on whether it is an LPR, LPC,
       LPRM, or LPQ request, and the LPC value is set to the requested LPC command if it was an
       LPC request.  If the request contained a user name, then REMOTEUSER is set to this name.
       If the request contained a printer name, then PRINTER is set to the printer name.  If the
       request is a print request, then the HOST value is set to the list of host names and IP
       addresses given by a DNS lookup of the value in the H field of the job.  The database is
       scanned again to determine if the operation can be performed on the requested queue.  To
       simplify the rule writing, if the operation requires modification or checking of
       individual jobs, such as the LPC, LPQ, or LPRM commands, then the various checks that
       depend on jobs will succeed in this step.

       Finally, if the operation requires modification or checking of individual  jobs,  such  as
       the  LPC,  LPQ,	or LPRM commands, then the specified print queue is scanned, and for each
       job in the print queue, the HOST and USER values are set to the host and  user  values  in
       the control file for the job.

       The  database is checked as follows.  Each line of the permissions file is scanned for key
       names and values, and these are matched against the request keys  information.	When  all
       matches	 on   a  line  are  made,  then  search  terminates  with  the	specified  action
       (ACCEPT/REJECT).  If no match is found the default permission value is used.  The  DEFAULT
       key is used to specify the current default permission to be used for successful matches or
       if there is no match after scanning the entire permissions database.

       The following keys provide some additional checking capabilities.  The REMOTEGROUP entry
       checks that the REMOTEUSER value appears in a group or netgroup entry in the system
       database, and the GROUP entry does the same for the USER value.  For example,
       GROUP=student*,staff* would check to see if any of the group names matching student* or
       staff* have the specified user name in them.  If a system has the netgroups capability, a
       printer, group, or remotegroup name starting with a @ will be treated as a netgroup name,
       and the specified user name or printer will be checked to see if it is in the group.

       The SERVER entry will be true (match) if the request originated from the print server.
       The SAMEHOST is true (matches) if the REMOTEHOST and HOST values have a common entry, i.e.
       - are the same host.  The SAMEUSER is true (matches) if the REMOTEUSER and USER values are
       identical.  The AUTHSAMEUSER is true (matches) if the AUTHUSER value that originated the
       request and the AUTHUSER which was used to transfer a job are identical.  AUTHJOB is true
       (matches) if the job was transferred using authentication.  The FORWARD value is an alias
       for NOT SAMEHOST.

       The CONTROLLINE value can be used to determine if there is a matching line in the  control
       file.   This facility has been used to ensure that jobs contain various information fields
       in order to be printed.

       Key          Match  Connect  Job    Job    LPQ   LPRM  LPC
                                   Spool  Print
       SERVICE      S      'X'      'R'    'P'    'Q'   'M'   'C,S'
       USER         S      -        JUSR   JUSR   JUSR  JUSR  JUSR
       HOST         S      RH       JH     JH     JH    JH    JH
       GROUP        S      -        JUSR   JUSR   JUSR  JUSR  JUSR
       REMOTEHOST   S      RH       RH     JH     RH    RH    RH
       UNIXSOCKET   V      SK       SK     SK     SK    SK    SK
       CONTROLLINE  S      -        CL     CL     CL    CL    CL
       PRINTER      S      -        PR     PR     PR    PR    PR
       FORWARD      V      -        SA     -      -     SA    SA
       SAMEHOST     V      -        SA     -      SA    SA    SA
       SAMEUSER     V      -        -      -      SU    SU    SU
       SERVER       V      -        SV     -      SV    SV    SV
       AUTH         V      -        AU     -      AU    AU    AU
       AUTHTYPE     S      -        AU     -      AU    AU    AU
       AUTHUSER     S      -        AU     -      AU    AU    AU
       AUTHSAMEUSER S      -        AU     -      AU    AU    AU
       AUTHFROM     S      -        AU     -      AU    AU    AU
       AUTHJOB      V      -        AU     -      AU    AU    AU
         PORT is alias for REMOTEPORT
         IP is alias for HOST

          JH = HOST          host in control file
          RH = REMOTEHOST    connecting host name/IP
          JUSR = USER        user in control file
          CUSR = REMOTEUSER  user from control request
          JIP = IP           host/IP addr of host in control file
          RIP = REMOTEIP     host/IP addr of requesting host
          PORT =             connecting host origination port
          SK =               match if connection over a UNIX socket
          CONTROLLINE =      pattern match of control line in control file
          FW = IP of source of request == IP of host in control file
          SA = IP of source of request == IP of host in control file
          SU = user from request == user in control file
          SA = IP of source of request == IP of server host
          SV = matches if from same address as server
          AU = value determined by server authentication operation
                             AUTH is true if authenticated transfer,
                             TYPE is set to the type of authentication (pgp, kerberos, etc)
                             AUTHUSER is user authentication id
                             AUTHFROM is sender authentication id (can be remote server)
                             AUTHSAMEUSER matches if remote user authentication id matches original
                             user authentication id
                             AUTHJOB is true if print job has authentication
       Match: S = string with wild card, IP = IPaddress[/netmask],
          N = low[-high] number range, V = exact value match
       SERVICE: 'X' - Connection request; 'R' - lpr request from remote host;
          'P' - print job in queue; 'Q' - lpq request; 'M' - lprm request;
          'C' - lpc spool control request; 'S' - lpc spool status request;
          'U' - administratively allowed user operation
       NOTE: when printing (P action), the remote and job check values
          (i.e. - RUSR, JUSR) are identical.

       The special key letter=patterns searches the control file line starting	with  the  (upper
       case) letter, and is usually used with printing and spooling checks.  For example, C=A*,B*
       would check that the class information (i.e.- line in the control file  starting  with  C)
       had a value starting with A or B.

       A  permission  line  consists  of a list of tests and a result value.  If all of the tests
       succeed, then a match has been found and the permission testing completes with the  result
       value.	You use the DEFAULT reserved word to set the default ACCEPT/DENY result.  The NOT
       keyword will reverse the sense of a test.

       Each test can  have  one  or  more  optional  values  separated	by  commas.  For  example
       USER=john,paul,mark  has  3  test  values.   The Match value specifies how the matching is

       S = string type match - string match with glob.
	   Format:  string with wildcards (*)
	       * matches 0 or more chars
	   Character comparison is case insensitive.
	   For example - USER=th*s matches uTHS, This, This, Theses

       IP = IP address and submask.  IP address must be in dotted form.
	   Format: x.x.x.x[/y.y.y.y or /z]
	       x.x.x.x is IP address
	       y.y.y.y is optional submask, default is
	       z is a netmask with most significant z bits set.
	   Match is done by IP address to a 32 bit value and using:
	       success = ((x ^ IP ) & y) == 0	(C language notation)
	   i.e.- only bits where mask is non-zero are used in comparison.
	   For example - IP= matches all address 130.191.X.X
	   IP= has the same value.

       N = numerical range  -  low-high integer range.
	   Format: low[-high]
	   Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)
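       As an added example (not part of this man page or of the LPRng sources), the following
       Python script implements the rule grammar, the first-match scan of the database and the
       four match types (S, IP, N, V) described above in miniature, then runs constructed
       requests through a constructed permissions file modelled on the example file earlier on
       this page.  It also covers the connection-phase check (SERVICE=X), the derived SAMEHOST,
       SAMEUSER and FORWARD keys, the any-element matching for multi-homed host lists, an
       AUTH entry that rejects unauthenticated transfers, and an LPC=op entry that lets users
       hold or release their own jobs.  Three points the page leaves open are assumptions here
       and are marked in the code: a bare value-type key such as SAMEHOST is read as =true, an
       IP pattern with no mask compares all 32 bits, and a file with no DEFAULT line defaults
       to ACCEPT.  The hosts, users and rules are all made up.

```python
"""Miniature evaluator for the lpd.perms rule language described on this page.
Added example, not LPRng code; the rule file and requests below are constructed."""
import re

KIND = dict.fromkeys(["UNIXSOCKET", "FORWARD", "SAMEHOST", "SAMEUSER", "SERVER",
                      "AUTH", "AUTHSAMEUSER", "AUTHJOB"], "V")   # exact-value keys
KIND.update(REMOTEIP="IP", IP="IP", REMOTEPORT="N", PORT="N")   # rest are S (glob)
ALIASES = {"PORT": "REMOTEPORT", "IP": "HOST", "REMOTEIP": "REMOTEHOST"}
def parse_perms(text):
    """Return [(action, tests)], tests = [(negated, KEY, [values])]; a
    'DEFAULT ACCEPT|REJECT' line is kept as ("DEFAULT", action)."""
    rules = []
    for raw in text.splitlines():
        # Text after an unescaped '#' is ignored; '\#' stands for a literal '#'.
        line = re.split(r"(?<!\\)#", raw, maxsplit=1)[0].replace("\\#", "#")
        words = re.sub(r"\s*=\s*", "=", line).split()
        if not words:
            continue
        action = words[0].upper()
        if action == "DEFAULT":
            rules.append(("DEFAULT", words[1].upper()))
            continue
        tests, negate = [], False
        for word in words[1:]:
            if word.upper() == "NOT":
                negate = True
                continue
            key, _, vals = word.partition("=")
            # A bare V key such as SAMEHOST is read as "=true" (assumption).
            tests.append((negate, key.upper(), vals.split(",") if vals else ["true"]))
            negate = False
        rules.append((action, tests))
    return rules
def ip_to_int(s):
    parts = s.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) < 256 for p in parts):
        return None
    return int.from_bytes(bytes(int(p) for p in parts), "big")
def match_one(kind, pattern, value):
    if kind == "S":      # only '*' is a wildcard; comparison is case-insensitive
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, str(value), re.IGNORECASE) is not None
    if kind == "V":      # exact value; booleans compare as "true"/"false"
        return str(value).lower() == pattern.lower()
    if kind == "N":      # low[-high]
        low, _, high = pattern.partition("-")
        return int(low) <= int(value) <= int(high or low)
    addr, _, mask = pattern.partition("/")   # "IP": x.x.x.x[/y.y.y.y or /z]
    x, ip = ip_to_int(addr), ip_to_int(str(value))
    if "." in mask:
        y = ip_to_int(mask)
    else:                # /z prefix; no mask is assumed to mean all 32 bits
        y = (0xFFFFFFFF << (32 - int(mask or 32))) & 0xFFFFFFFF
    return None not in (x, ip, y) and ((x ^ ip) & y) == 0   # the page's C formula

def evaluate(rules, request):
    """First line whose tests all pass decides; undefined keys never match."""
    default = "ACCEPT"   # assumption for a file with no DEFAULT line
    for action, tests in rules:
        if action == "DEFAULT":
            default = tests
            continue
        for negated, key, patterns in tests:
            value = request.get(ALIASES.get(key, key))
            values = value if isinstance(value, list) else [value]   # multi-homed: any
            hit = value is not None and any(
                match_one(KIND.get(key, "S"), p, v) for p in patterns for v in values)
            if hit == negated:
                break
        else:
            return action
    return default

def make_request(service, remotehost, host=(), remoteuser=None, user=None,
                 unixsocket=False, auth=False, lpc=None):
    """Keys the server assigns; SAMEHOST, SAMEUSER, FORWARD (= NOT SAMEHOST) derived."""
    samehost = bool(set(remotehost) & set(host))
    return {"SERVICE": service, "REMOTEHOST": list(remotehost), "HOST": list(host),
            "REMOTEUSER": remoteuser, "USER": user, "UNIXSOCKET": unixsocket,
            "AUTH": auth, "LPC": lpc, "SAMEHOST": samehost, "FORWARD": not samehost,
            "SAMEUSER": user is not None and remoteuser == user}

SAMPLE_PERMS = """\
DEFAULT REJECT
# Reject TCP connections from outside our subnet (the UNIX socket is local)
REJECT NOT REMOTEIP=130.191.0.0/255.255.0.0 NOT UNIXSOCKET
# Spool (LPR) only from Engineering or the Dean, never forwarded, only authenticated
REJECT SERVICE=R NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu
REJECT SERVICE=R FORWARD
REJECT SERVICE=R NOT AUTH
# Admin control from the spooler; users only own jobs from same host; else UNIX socket
ACCEPT SERVICE=C,M REMOTEHOST=spooler.eng.sdsu.edu REMOTEUSER=root,papowell
ACCEPT SERVICE=M SAMEHOST SAMEUSER
ACCEPT SERVICE=C LPC=hold,release SAMEHOST SAMEUSER
ACCEPT SERVICE=C LPC=status
ACCEPT SERVICE=C UNIXSOCKET
ACCEPT SERVICE=X,Q,P,R
"""
RULES = parse_perms(SAMPLE_PERMS)   # constructed file modelled on the page's example
```

       With these rules, evaluate(RULES, make_request("X", ["lab.eng.sdsu.edu", "130.191.5.3"]))
       returns ACCEPT, a connection from an address outside 130.191.0.0/16 returns REJECT, and an
       LPRM by a user who did not spool the job falls through every ACCEPT line to the DEFAULT.
       Note the NOT UNIXSOCKET test on the first rule: the server reports UNIX-socket connections
       as the localhost, which a plain subnet test would reject before any later ACCEPT SERVICE=C
       UNIXSOCKET line could be reached.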

       The authentication entries AUTH, AUTHTYPE, AUTHUSER, AUTHSAMEUSER and AUTHFROM can be used
       to  check  permissions for authenticated operations.  AUTH is set (true) if authentication
       was done.  We can use this to reject non-authenticated transfers:
       The AUTHTYPE will match the authentication type being used  or  requested  by  the  remote
       client  or  server.   The  AUTHUSER matches the original client authentication information
       used by the client to make a request to the server, and the AUTHFROM  matches  the  sender
       authentication  information.   The  AUTHSAMEUSER  will  match if the remote client or user
       authentication id is the same as that used for the job generation.

       The LPC=op entry is useful to allow various users to perform administration operations.
       The following permissions entry would allow users to hold or release their own jobs:

       There  is a subtle problem with names and IP addresses which are obtained for 'multi-homed
       hosts', i.e. - those with multiple ethernet interfaces,	and for IPV6 (IP Version 6),   in
       which  a  host can have multiple addresses,  and for the normal host which can have both a
       short name and a fully qualified domain name.

       When performing an IP address match,  the entire list of IP addresses for  a  system  will
       now  be	checked.   If  one  of	these matches, then success is reported.  Similarly,  the
       entire list of host names and aliases will be checked.  If one  of  these  matches,   then
       success will be reported.

       The files used by LPRng are set by values in the printer configuration file.  The
       following are a commonly used set of default values.
       /etc/lpd.conf                      LPRng configuration file
       ${HOME}/.printcap                  user printer description file
       /etc/printcap                      printer description file
       /etc/lpd.perms                     permissions
       /var/run/lpd                       lock file for queue control
       /var/spool/lpd                     spool directories
       /var/spool/lpd/QUEUE/control       queue control
       /var/spool/lpd/QUEUE/log           trace or debug log file
       /var/spool/lpd/QUEUE/acct          accounting file
       /var/spool/lpd/QUEUE/status        status file

       lpd.conf(5), lpc(8), lpd(8), checkpc(8),  lpr(1),  lpq(1),  lprm(1),  printcap(5),  pr(1),
       lprng_certs(1), lprng_index_certs(1).

       LPRng is an enhanced printer spooler system with functionality similar to the Berkeley LPR
       software.  The LPRng mailing list is lprng@lprng.com; subscribe by sending mail to
       lprng-request@lprng.com with the word subscribe in the body.  The software is available from
       Patrick Powell <papowell@lprng.com>.

LPRng					   LPRng-3.9.0				     LPD.PERMS(5)