###########################################################################
# LPRng - An Extended Print Spooler System
#
# Copyright 1988-1995 Patrick Powell, San Diego State University
#     papowell@sdsu.edu
# See LICENSE for conditions of use.
#
###########################################################################
# MODULE: TESTSUPPORT/printer_perms.proto
# PURPOSE: prototype printer permissions file
# lpd.perms.proto,v 3.2 1997/12/20 21:16:26 papowell Exp
##########################################################################
# Printer permissions data base
#
# Permissions are checked by the use of 'keys' and matches.  For each of
# the following LPR activities,  the following keys have a value.
#
#Key     Match  Connect Job    Job    Status Remove Control
#                       Accept Print
#SERVICE  S     'X'     'R'   'P'     'Q'    'M'    'C,S'
#USER     S            JUSR   JUSR          CUSR     CUSR
#HOST     S     RH     JH     JH     RH     JH       JH
#GROUP    S            JUSR   JUSR          CUSR     CUSR
#IP       IP    RIP    JIP    JIP    RIP    JIP      RIP
#PORT     N     PORT   PORT          PORT   PORT     PORT
#REMOTEHOST S   RH     RH     JH     RH     RH       RH
#REMOTEIP IP    RIP    RIP    JIP    RIP    RIP      RIP
#PRINTER  S            PR     PR     PR     CPR      CPR
#FORWARD               FW                   FW
#SAMEHOST              SA                   SA
#L=pattern             CFL    CFL
#SAMEUSER                                   SU
#SERVER  IP     RIP   JIP     JIP   RIP     JIP      RIP
#
#  KEY: RH = REMOTEHOST  - connecting host name (If no name, IP address)
#       RIP= REMOTEIP    - connecting host IP
#       PORT=            - connecting host origination port
#       JH= Job HOST     - host name from job
#       JIP= Job HOST IP - IP address of the host name from job
#       JUSR= Job USER   - user name from job
#       CUSR= Control USER   - user sent from remote host
#       PR = Printer     - printer name from job
#       CPR = Printer    - printer name sent from remote host
#       FW = FORWARD     - RIP != JIP
#       SA = SAMEHOST    - RIP == JIP   (i.e.- for job removal)
#       SU               - CUSR == JUSR (i.e.- for job removal)
#       L=pattern        - matches line starting with L in control file
#                          L must be upper case
#  Note: JH, JIP, JUSR and PR are taken from the job, and CUSR and CPR from
#        the request, so they are values supplied by the sender; RH, RIP and
#        PORT describe the connection itself.
#    SERVICE  MEANING
#      C      lpc queue control operation
#      M      lprm request from remote host
#      P      printing job in spool queue
#      Q      lpq (queue status) request from remote host
#      R      spooling request from remote host
#      S      lpc status request
#      X      connection request from remote host
#
#A permission line consists of a list of tests and a result value.
#If all of the tests succeed,  then a match has been found and the
#permission testing completes with the result value, so the order of
#the lines matters: a line is only reached if no earlier line matched.
#You use the DEFAULT reserved word to set the default ACCEPT/REJECT result.
#The NOT keyword will reverse the sense of a test.
#
#Each test can have one or more optional values separated by
#commas. For example USER=john,paul,mark has 3 test values.
#
#The Match type specifies how the matching is done.
#S = string type match - string match with glob.
#    Format:  string with wildcards (*)
#             * matches 0 or more chars
#    Character comparison is case insensitive.
#    For example - USER=th*s matches uTHS, This, Theses
#
#IP = IP address and submask.  IP address must be in dotted form.
#     Format: x.x.x.x[/y.y.y.y]  x.x.x.x is IP address
#             y.y.y.y is optional submask, default is 255.255.255.255
#     Match is done by converting to 32 bit x, y, and IP value and using:
#        success = ((x ^ IP ) & y) == 0   (C language notation)
#    i.e.- only bits where mask is non-zero are used in comparison.
#    For example - IP=130.191.0.0/255.255.0.0 matches all addresses 130.191.X.X
#
#N = numerical range  -  low-high integer range.
#     Format: low[-high]
#     Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)
#
#The SAMEUSER and SAMEHOST are options that form values from information
#in control files or connections.  The GROUP entry searches the user group
#database for group names matching the pattern,  and then searches these
#for the user name.  If the name is found,  the search is successful.
#
#Example Permissions
#
#Reject connections from all users not on subnet 130.191.0.0
#  REJECT SERVICE=X NOT IP=130.191.0.0/255.255.0.0
#Do not allow anybody but the named user (papowell here) on
#  dickory.sdsu.edu to use control facilities.  The first line accepts
#  the user, the second rejects all others
#  ACCEPT SERVICE=C HOST=dickory.sdsu.edu USER=papowell
#  REJECT SERVICE=C
#
#Allow root on talker.sdsu.edu to control printer hpjet
#  ACCEPT SERVICE=C HOST=talker.sdsu.edu PRINTER=hpjet USER=root
#
#Do not allow forwarded jobs
#  REJECT FORWARD
#
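#start all
# NOTE(review): DEFAULT ACCEPT means any request that no line below matches is
# accepted, from any host.  Only SERVICE=C and SERVICE=M are restricted in this
# section; connection (X), spooling (R), printing (P) and queue status (Q)
# requests are left to the default.  That is convenient for a test fixture; a
# file adapted for real use would normally add SERVICE=X tests on
# REMOTEIP/REMOTEHOST or switch the default to REJECT.
DEFAULT ACCEPT
# lpc control (SERVICE=C): accept root, and the _USER_ account, when the
# SERVER test succeeds; the REJECT line then refuses every other control
# request.
# NOTE(review): _USER_ looks like a placeholder filled in when this prototype
# is instantiated - confirm.  REMOTEUSER is not in the key table above;
# presumably it is the user name sent with the request, which the requester
# asserts, so the SERVER test is what actually limits these lines - confirm.
ACCEPT SERVICE=C SERVER REMOTEUSER=root
ACCEPT SERVICE=C SERVER REMOTEUSER=_USER_
REJECT SERVICE=C
#
# job removal (SERVICE=M): allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
# every other removal request is refused
REJECT SERVICE=M
#end all
#start t1
# section for printer t1: a request whose printer name matches t1 is accepted
PRINTER=t1 ACCEPT
#end t1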
123