<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
  <head>
    <meta name="generator" content="HTML Tidy, see www.w3.org">
    <title>Permissions and Authentication</title>
    <meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7">
    <link rel="HOME" title=" LPRng Reference Manual" href="index.htm">
    <link rel="PREVIOUS" title="ifhp Filter " href="ifhp.htm">
    <link rel="NEXT" title="Rule Matching Procedures" href="x8680.htm">
  </head>

  <body class="CHAPTER" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" alink="#0000FF">
    <div class="NAVHEADER">
      <table summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
        <tr>
          <th colspan="3" align="center">LPRng Reference Manual: 5 Sep 2003 (For LPRng-3.8.22)</th>
        </tr>

        <tr>
          <td width="10%" align="left" valign="bottom"><a href="ifhp.htm" accesskey="P">Prev</a></td>

          <td width="80%" align="center" valign="bottom"></td>

          <td width="10%" align="right" valign="bottom"><a href="x8680.htm" accesskey="N">Next</a></td>
        </tr>
      </table>
      <hr align="LEFT" width="100%">
    </div>

    <div class="CHAPTER">
      <h1><a name="PERMSREF"></a>Chapter 17. Permissions and Authentication</h1>

      <div class="TOC">
        <dl>
          <dt><b>Table of Contents</b></dt>

          <dt>17.1. <a href="permsref.htm#DEFAULTPERMISSION">Permission Checking Algorithm</a></dt>

          <dt>17.2. <a href="x8680.htm">Rule Matching Procedures</a></dt>

          <dt>17.3. <a href="permspath.htm">Permission File Location</a></dt>

          <dt>17.4. <a href="x8919.htm">Example Permission File</a></dt>

          <dt>17.5. <a href="x8932.htm">Complex Permission Checking</a></dt>

          <dt>17.6. <a href="x8947.htm">More Examples</a></dt>

          <dt>17.7. <a href="authref.htm">Authentication</a></dt>

          <dt>17.8. <a href="x8974.htm">User Identification</a></dt>

          <dt>17.9.
<a href="x8980.htm">RFC1179 Protocol Extensions</a></dt>

          <dt>17.10. <a href="auth.htm">Authentication Operations</a></dt>

          <dt>17.11. <a href="x9083.htm">Permission Checking</a></dt>

          <dt>17.12. <a href="x9115.htm">PGP Authentication Support</a></dt>

          <dt>17.13. <a href="kerberos.htm">Using Kerberos 5 for Authentication</a></dt>

          <dt>17.14. <a href="x9386.htm">Using Kerberos 4 for Authentication</a></dt>

          <dt>17.15. <a href="x9412.htm">Using SSL for Authentication</a></dt>

          <dt>17.16. <a href="x9489.htm">Using MD5 for Authentication</a></dt>

          <dt>17.17. <a href="x9556.htm">Adding Authentication Support</a></dt>
        </dl>
      </div>

      <p>The contents of the <tt class="FILENAME">/etc/lpd.perms</tt> file are used to control access to the <b class="APPLICATION">lpd</b> server facilities. The model used for permission granting is similar to packet filters. An incoming request is tested against a list of rules, and the first match found determines the action to be taken. The action is either <acronym class="ACRONYM">ACCEPT</acronym>, in which case the request is granted, or <acronym class="ACRONYM">REJECT</acronym>, in which case the request is denied. You can also establish a default action.</p>

      <p>The following is a sample <tt class="FILENAME">lpd.perms</tt> file.</p>

      <div class="INFORMALEXAMPLE">
        <a name="AEN8459"></a>
<pre class="SCREEN">
# allow root on server to control jobs
ACCEPT SERVICE=C SERVER REMOTEUSER=root
REJECT SERVICE=C
#
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
# all other operations allowed
DEFAULT ACCEPT
</pre>
      </div>
      <br>
      <br>

      <p>Each line of the permissions file is a rule.
A rule will ACCEPT or REJECT a request if all of the patterns specified in the rule match. If any pattern fails to match, the next rule in sequence is applied. If all of the rules are exhausted, then the last specified default authorization is used.</p>

      <p>The sense of a pattern match can be inverted using the NOT keyword. For example, the rule <var class="LITERAL">ACCEPT NOT REMOTEUSER=john,bill</var> succeeds only if the REMOTEUSER value is defined and is not <var class="LITERAL">john</var> or <var class="LITERAL">bill</var>.</p>

      <p>Each entry in a rule is a keyword which is assigned a value or list of values, followed by an optional set of patterns that are matched against these values. The following table is a summary of the available keywords.</p>

      <div class="TABLE">
        <a name="PERMSKEYWORDS"></a>

        <p><b>Table 17-1. Permission Keywords and Purpose</b></p>

        <table border="1" frame="border" rules="all" class="CALSTABLE">
          <col>
          <col>

          <thead>
            <tr>
              <th>Keyword</th>

              <th>Match</th>
            </tr>
          </thead>

          <tbody>
            <tr>
              <td><acronym class="ACRONYM">DEFAULT</acronym></td>

              <td>default result</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">SERVICE</acronym></td>

              <td>Checking lpC, lpR, lprM, lpQ, and Printing</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">USER</acronym></td>

              <td>P (logname) field name in print job control file.</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">REMOTEUSER</acronym></td>

              <td>user name in request from remote host.</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">HOST</acronym></td>

              <td>DNS and IP address information for the H (host) field name in print job control file</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">REMOTEHOST</acronym></td>

              <td>DNS and IP
address information for the connection from the remote host making the request</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">IP</acronym></td>

              <td>Alias for HOST</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">REMOTEIP</acronym></td>

              <td>Alias for REMOTEHOST</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">REMOTEPORT</acronym></td>

              <td>Originating TCP/IP port for the connection from the remote host making the request</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">PORT</acronym></td>

              <td>Alias for REMOTEPORT</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">UNIXSOCKET</acronym></td>

              <td>Connection is on a UNIX socket, i.e. from localhost</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">SAMEUSER</acronym></td>

              <td>USER and REMOTEUSER match</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">SERVER</acronym></td>

              <td>request originates on lpd server</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">FORWARD</acronym></td>

              <td>destination of job is not this host</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">REMOTEGROUP</acronym></td>

              <td>REMOTEUSER is in the specified group or netgroup in the <b class="APPLICATION">lpd</b> server group database.</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">GROUP</acronym></td>

              <td>USER is in the specified group or netgroup in the <b class="APPLICATION">lpd</b> server group database.</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">LPC</acronym></td>

              <td>LPC command in the LPC request.</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">CONTROLLINE</acronym></td>

              <td>match a line in control file</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">AUTH</acronym></td>

              <td>authentication type</td>
            </tr>

            <tr>
              <td><acronym
class="ACRONYM">AUTHUSER</acronym></td>

              <td>authenticated user</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">AUTHSAMEUSER</acronym></td>

              <td>same authenticated user</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">AUTHFROM</acronym></td>

              <td>authenticated forwarder</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">AUTHJOB</acronym></td>

              <td>authenticated job in queue</td>
            </tr>

            <tr>
              <td><acronym class="ACRONYM">AUTHCA</acronym></td>

              <td>SSL signing certificates for job</td>
            </tr>
          </tbody>
        </table>
      </div>

      <div class="SECT1">
        <h1 class="SECT1"><a name="DEFAULTPERMISSION">17.1. Permission Checking Algorithm</a></h1>

        <p>Options used:</p>

        <ul>
          <li>
            <p><var class="LITERAL">default_permission=</var><span class="emphasis"><i class="EMPHASIS">Default Permission (accept)</i></span></p>
          </li>
        </ul>
        <br>
        <br>

        <p>The <b class="APPLICATION">lpd</b> server uses the following algorithm to do permission checks.</p>

        <ol type="1">
          <li>
            <p>The configuration information initially establishes a default permission using the <var class="LITERAL">default_permission</var> configuration value. This is used if an explicit permission is not determined by the other steps in this algorithm.</p>
          </li>

          <li>
            <p>Each line of the permissions file is a list of tests (patterns) and a permission value that is used if all of the tests (patterns) on the line are successful. A DEFAULT line sets the default result if all lines fail.</p>
          </li>

          <li>
            <p>Each line is executed in sequence until a match is found.
The first matching line terminates the permission checking and the corresponding permission value is used.</p>
          </li>

          <li>
            <p>Each keyword has a value (or set of values) that is matched against a set of patterns. If the keyword does not have a value (or has the <span class="emphasis"><i class="EMPHASIS">null</i></span> value) then the match will fail. Initially, all the keywords have a <var class="LITERAL">null</var> value.</p>
          </li>

          <li>
            <p>When a connection is received by the <b class="APPLICATION">lpd</b> server, REMOTEHOST and REMOTEPORT are set to the IP addresses and hostnames, and the TCP/IP port, of the host originating the connection respectively. REMOTEIP is an alias for REMOTEHOST and PORT is an alias for REMOTEPORT; both are provided for backwards compatibility with older versions of <b class="APPLICATION">LPRng</b>. If the connection was on a UNIX socket, then the UNIXSOCKET flag is set. For example, a request originating from <var class="LITERAL">10.0.0.2</var>, port 1011 would set REMOTEIP to 10.0.0.2 and PORT to 1011.</p>
          </li>

          <li>
            <p>The REMOTEHOST value is set to the result of doing a reverse DNS lookup on the REMOTEIP address. This value is the list of names <span class="emphasis"><i class="EMPHASIS">and</i></span> IP addresses in standard IP notation (nnn.nnn.nnn.nnn) that are returned by the lookup. If the DNS lookup fails then the REMOTEHOST value is set to the REMOTEIP value. For example, suppose a lookup of 10.0.0.2 returns the names <tt class="FILENAME">h2.private</tt> and <tt class="FILENAME">patrick.private</tt>, and the only IP address assigned to it is <var class="LITERAL">10.0.0.2</var>.
The REMOTEHOST value would then be the list <var class="LITERAL">h2.private,patrick.private,10.0.0.2</var>.</p>
          </li>

          <li>
            <p>The SERVICE value is set to <var class="LITERAL">X</var> and then the permissions database is scanned for a matching entry. The result is the permission value of the first matching line or the default permission. If the result is REJECT then the connection is closed.</p>
          </li>

          <li>
            <p>Next, a single line is read from the connection. This line contains the request type, the print queue name, and, depending on the request type, an optional user name and options. The SERVICE value is set to <var class="LITERAL">R</var>, <var class="LITERAL">Q</var>, <var class="LITERAL">M</var>, or <var class="LITERAL">C</var> for an <var class="LITERAL">lpR</var>, <var class="LITERAL">lpQ</var>, <var class="LITERAL">lprM</var>, or <b class="APPLICATION">lpc</b> request respectively, and PRINTER is set to the print queue name.</p>
          </li>

          <li>
            <p>If the request is for an <b class="APPLICATION">lpc</b> operation, the LPC value is set to the name of the operation. For example, an <tt class="COMMAND">lpc lpd</tt> operation sets LPC to <var class="LITERAL">lpd</var>.</p>
          </li>

          <li>
            <p>If the request contains a user name then REMOTEUSER is assigned the user name.</p>
          </li>

          <li>
            <p>If the request originates from the <b class="APPLICATION">lpd</b> server, as determined by the connection arriving from the <var class="LITERAL">localhost</var> address or an address assigned to one of the network interfaces for this host, then the SERVER value is set to true (or matches).</p>
          </li>

          <li>
            <p>If the request is for an authenticated transfer (see <a href="authref.htm">Authentication and Encryption</a>), then the authentication procedures are carried out.
After they have been performed, the AUTH value is set to true, AUTHTYPE is set to the name of the authentication method, AUTHUSER to the authenticated identifier of the originator of the request, and AUTHFROM to the authenticated identifier of the originator of the connection.</p>
          </li>

          <li>
            <p>Other matching keywords such as REMOTEGROUP use values set at this time. These are discussed in the next section.</p>
          </li>

          <li>
            <p>The permission database is rescanned, this time to see if there is permission to operate on the specified spool queue. The permission database is first checked to see if the requesting user has control (SERVICE=C) permission. If they do, then they can perform any operation on the spool queue. The scan is then repeated for the actual request.</p>
          </li>

          <li>
            <p>If there is no permission to perform the operation then an error code and message are returned on the requesting connection.</p>
          </li>

          <li>
            <p>If the operation is for a spool queue or server, no other permissions checking is done. This includes the <b class="APPLICATION">lpq</b> command and most of the <b class="APPLICATION">lpc</b> commands, which control queue operations.</p>
          </li>

          <li>
            <p>If the operation is for individual jobs in a spool queue, then the queue is scanned and job information is extracted for each job in the queue. The USER value is set to the job control file <var class="LITERAL">P</var> line. The value of the <var class="LITERAL">H</var> line in the control file is used to perform a DNS lookup, and the HOST value is set to the results of this lookup. IP is an alias for HOST, and is retained for backwards compatibility.</p>
          </li>

          <li>
            <p>The SAMEUSER value is set to true (or match) if the REMOTEUSER value is identical to the USER value.
Similarly, SAMEHOST is set to true if the REMOTEHOST value matches the HOST value. See the following sections for other keywords such as GROUP.</p>
          </li>

          <li>
            <p>The permission checking is done for each individual job in a spool queue, and if it succeeds the action is carried out on the job.</p>
          </li>
        </ol>
        <br>
        <br>

        <p>These checks are applied on the arrival of a job from an external connection. Unfortunately, there is a set of print spooler implementations that do not handle job rejection due to lack of permissions. These printers will repeatedly attempt to send a job for which there is no printing permission until the job is removed by administrative action. To accommodate these printers, we must accept jobs for printing and then dispose of them. This is done by using the SERVICE=P (printing) checks. These checks are performed <span class="emphasis"><i class="EMPHASIS">after</i></span> the job has been accepted.</p>

        <ol type="1">
          <li>
            <p>When a print spool is active and is printing or forwarding jobs, before it processes a job it will read the job control file and set the <acronym class="ACRONYM">USER</acronym> and <acronym class="ACRONYM">HOST</acronym> values as discussed in the previous sections. It will also set the <acronym class="ACRONYM">AUTH</acronym>, <acronym class="ACRONYM">AUTHUSER</acronym>, and <acronym class="ACRONYM">AUTHJOB</acronym> values, if the job was spooled by using an authenticated method.</p>
          </li>

          <li>
            <p>The permissions database will be scanned and the resulting permission determined.
Note that the values of the REMOTE keys are undefined at this point, and tests using them will have unpredictable effects.</p>
          </li>

          <li>
            <p>If the job does not have permission to be printed, it will normally be removed from the spool queue.</p>
          </li>
        </ol>
        <br>
        <br>

        <p>While this model is very simple it can handle a wide range of situations. However, it is really based on the simple <span class="emphasis"><i class="EMPHASIS">trust</i></span> that users will not <span class="emphasis"><i class="EMPHASIS">impersonate</i></span> other users or hosts. If this is not the case, then more elaborate procedures based on encryption and authentication are called for.</p>

        <p>There is a problem with permissions checking for <b class="APPLICATION">lpq</b> (SERVICE=Q) requests. Since the user name is not passed as part of the request, it is impossible to use the REMOTEUSER clause to restrict <b class="APPLICATION">lpq</b> operations.</p>

        <p>The <var class="LITERAL">SERVICE=R</var> and <var class="LITERAL">SERVICE=P</var> facilities are provided to handle problems with print spoolers that do not recognize a <span class="emphasis"><i class="EMPHASIS">lack of permission</i></span> error code, and will indefinitely retry sending a job to the <b class="APPLICATION">lpd</b> server.
If this is the case, then the <var class="LITERAL">SERVICE=R</var> clause can be used to accept jobs, and then the <var class="LITERAL">SERVICE=P</var> clause will cause the <b class="APPLICATION">lpd</b> server to remove the job when it is scheduled for printing.</p>
      </div>
    </div>

    <div class="NAVFOOTER">
      <hr align="LEFT" width="100%">

      <table summary="Footer navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
        <tr>
          <td width="33%" align="left" valign="top"><a href="ifhp.htm" accesskey="P">Prev</a></td>

          <td width="34%" align="center" valign="top"><a href="index.htm" accesskey="H">Home</a></td>

          <td width="33%" align="right" valign="top"><a href="x8680.htm" accesskey="N">Next</a></td>
        </tr>

        <tr>
          <td width="33%" align="left" valign="top"><b class="APPLICATION">ifhp</b> Filter</td>

          <td width="34%" align="center" valign="top"> </td>

          <td width="33%" align="right" valign="top">Rule Matching Procedures</td>
        </tr>
      </table>
    </div>
  </body>
</html>
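<p>To make the first-match rule model and the two-pass scan (control permission first, then the actual service) concrete, the following Python evaluator, added here and not part of LPRng, parses the sample <tt class="FILENAME">lpd.perms</tt> from this chapter and checks requests against it. It assumes single hostnames for REMOTEHOST and HOST (lpd holds name and address lists), supports only the keywords the sample uses plus NOT, and its function names are its own, not LPRng identifiers.</p>

```python
SAMPLE_PERMS = """\
# allow root on server to control jobs
ACCEPT SERVICE=C SERVER REMOTEUSER=root
REJECT SERVICE=C
ACCEPT SERVICE=M SAMEHOST SAMEUSER
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
DEFAULT ACCEPT
"""

def parse_perms(text, default="ACCEPT"):
    """Return (rules, default); each rule is (action, [(negate, keyword, values)])."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()     # strip comments and blank lines
        if not tokens:
            continue
        if tokens[0] == "DEFAULT":                 # overrides default_permission
            default = tokens[1]
            continue
        patterns, negate = [], False
        for tok in tokens[1:]:
            if tok == "NOT":                       # NOT inverts the next pattern only
                negate = True
                continue
            key, _, vals = tok.partition("=")      # bare keyword is a flag test
            patterns.append((negate, key, vals.split(",") if vals else []))
            negate = False
        rules.append((tokens[0], patterns))
    return rules, default

def pattern_matches(request, negate, key, values):
    """A keyword holding the null value fails the match, even under NOT."""
    actual = request.get(key)
    if actual is None:
        return False
    matched = actual in values if values else bool(actual)
    return matched != negate

def check_permission(rules, default, request):
    """The first rule whose patterns all match decides; otherwise the default."""
    for action, patterns in rules:
        if all(pattern_matches(request, *p) for p in patterns):
            return action
    return default

def job_request(service, remoteuser, remotehost, job_user, job_host, server=False):
    """Keyword values lpd holds when checking one queued job; unset flags are null."""
    return {"SERVICE": service, "REMOTEUSER": remoteuser, "REMOTEHOST": remotehost,
            "USER": job_user, "HOST": job_host, "SERVER": server or None,
            "SAMEUSER": remoteuser == job_user or None,
            "SAMEHOST": remotehost == job_host or None}

def authorize(rules, default, request):
    """Control (SERVICE=C) permission allows any operation; otherwise the scan is
    repeated for the actual service.  DEFAULT ACCEPT covers the control scan too."""
    if check_permission(rules, default, dict(request, SERVICE="C")) == "ACCEPT":
        return "ACCEPT"
    return check_permission(rules, default, request)
```

Because the default applies to the control scan as well, a file that ends in DEFAULT ACCEPT without an explicit REJECT SERVICE=C would grant control permission to every requester.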