###########################################################################
# LPRng - An Extended Print Spooler System
#
# Copyright 1988-1995 Patrick Powell, San Diego State University
#     papowell@sdsu.edu
# See LICENSE for conditions of use.
#
###########################################################################
# MODULE: TESTSUPPORT/printer_perms.proto
# PURPOSE: prototype printer permissions file
# lpd.perms.proto,v 3.2 1997/12/20 21:16:26 papowell Exp
##########################################################################
# Printer permissions data base
#
# Permissions are checked by the use of 'keys' and matches. For each of
# the following LPR activities, the following keys have a value.
#
#Key          Match Connect Job    Job    Status Remove Control
#                           Accept Print
#SERVICE      S     'X'     'R'    'P'    'Q'    'M'    'C,S'
#USER         S             JUSR   JUSR          CUSR   CUSR
#HOST         S     RH      JH     JH     RH     JH     JH
#GROUP        S             JUSR   JUSR          CUSR   CUSR
#IP           IP    RIP     JIP    JIP    RIP    JIP    RIP
#PORT         N     PORT    PORT          PORT   PORT   PORT
#REMOTEHOST   S     RH      RH     JH     RH     RH     RH
#REMOTEIP     IP    RIP     RIP    JIP    RIP    RIP    RIP
#PRINTER      S             PR     PR     PR     CPR    CPR
#FORWARD                    FW                   FW
#SAMEHOST                   SA                   SA
#L=pattern                  CFL    CFL
#SAMEUSER                                        SU
#SERVER       IP    RIP     JIP    JIP    RIP    JIP    RIP
#
# KEY: RH   = REMOTEHOST   - connecting host name (If no name, IP address)
#      RIP  = REMOTEIP     - connecting host IP
#      PORT =              - connecting host origination port
#      JH   = Job HOST     - host name from job
#      JIP  = Job HOST IP  - host name from job IP address
#      JUSR = Job USER     - user name from job
#      CUSR = Control USER - user sent from remote host
#      PR   = Printer      - printer name from job
#      CPR  = Printer      - printer name sent from remote host
#      FW   = FORWARD      - RIP != JIP
#      SA   = SAMEHOST     - RIP == JIP (i.e.- for job removal)
#      SU                  - CUSR == JUSR (i.e.- for job removal)
#      L=pattern           - matches line starting with L in control file
#                            L must be upper case
# SERVICE MEANING
#   C     lpc queue control operation
#   M     lprm request from remote host
#   P     printing job in spool queue
#   Q     lpq (queue status) request from remote host
#   R     spooling request from remote host
#   S     lpc status request
#   X     connection request from remote host
#
#A permission line consists of a list of tests and a result value.
#If all of the tests succeed, then a match has been found and the
#permission testing completes with the result value. You use the
#DEFAULT reserved word to set the default ACCEPT/DENY result.
#The NOT keyword will reverse the sense of a test.
#
#Each test can have one or more optional values separated by
#commas. For example USER=john,paul,mark has 3 test values.
#
#The Match type specifies how the matching is done.
#S = string type match - string match with glob.
#    Format: string with wildcards (*)
#            * matches 0 or more chars
#    Character comparison is case insensitive.
#    For example - USER=th*s matches uTHS, This, This, Theses
#
#IP = IP address and submask. IP address must be in dotted form.
#    Format: x.x.x.x[/y.y.y.y]  x.x.x.x is IP address
#            y.y.y.y is optional submask, default is 255.255.255.255
#    Match is done by converting to 32 bit x, y, and IP value and using:
#       success = ((x ^ IP ) & y) == 0   (C language notation)
#    i.e.- only bits where mask is non-zero are used in comparison.
#    For example - IP=130.191.0.0/255.255.0.0 matches all addresses 130.191.X.X
#
#N = numerical range - low-high integer range.
#    Format: low[-high]
#    Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)
#
#The SAMEUSER and SAMEHOST are options that form values from information
#in control files or connections. The GROUP entry searches the user group
#database for group names matching the pattern, and then searches these
#for the user name. If the name is found, the search is successful.
#
#Example Permissions
#
#Reject connections from all users not on subnet 130.191.0.0
# REJECT SERVICE=X NOT IP=130.191.0.0/255.255.0.0
#Do not allow anybody but root on dickory.sdsu.edu to use control
# facilities. The first line accepts the user, second rejects
# all others
# ACCEPT SERVICE=C HOST=dickory.sdsu.edu USER=papowell
# REJECT SERVICE=C
#
#Allow root on talker.sdsu.edu to control printer hpjet
# ACCEPT SERVICE=C HOST=talker.sdsu.edu PRINTER=hpjet USER=root
#
#Do not allow forwarded jobs
# REJECT FORWARD
#
#start all
DEFAULT ACCEPT
# Default configuration: allow only root on server to do LPC functions
ACCEPT SERVICE=C SERVER REMOTEUSER=root
ACCEPT SERVICE=C SERVER REMOTEUSER=_USER_
REJECT SERVICE=C
#
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
#end all
#start t1
PRINTER=t1 ACCEPT
#end t1
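
The first-match evaluation and the three match types described in the comments above, as an added example (not LPRng's code, and not part of the original file). It is useful for checking which line decides a request before a rule set is deployed, in particular how much falls through to `DEFAULT ACCEPT`. Assumptions: the names `check`, `req` and `SAMPLE` are hypothetical; the caller fills `req` with the key values for the activity (per the table) and supplies flags such as FORWARD as booleans; a key absent from `req` is treated as not matching.

```python
import ipaddress, re

def ip_match(pat, addr):
    # IP type: success = ((x ^ IP) & y) == 0; mask y defaults to 255.255.255.255
    x, _, y = pat.partition("/")
    num = lambda a: int(ipaddress.IPv4Address(a))
    return ((num(x) ^ num(addr)) & num(y or "255.255.255.255")) == 0
def glob_match(pat, val):
    # S type: '*' matches 0 or more chars, comparison is case insensitive
    rx = ".*".join(re.escape(p) for p in pat.split("*"))
    return re.fullmatch(rx, val, re.IGNORECASE) is not None
def range_match(pat, val):
    # N type: low[-high]
    low, _, high = pat.partition("-")
    return int(low) <= int(val) <= int(high or low)

MATCHERS = {"IP": ip_match, "REMOTEIP": ip_match, "PORT": range_match}

def check(perms, req):
    """Result of the first line whose tests all succeed, else the DEFAULT."""
    default = None
    for line in perms.splitlines():
        tokens = line.split("#")[0].split()
        if tokens[:1] == ["DEFAULT"]:
            default = tokens[1]
            continue
        result, matched, negate = None, True, False
        for tok in tokens:
            if tok in ("ACCEPT", "REJECT"):
                result = tok
            elif tok == "NOT":
                negate = True          # reverses the sense of the next test
            else:
                key, eq, values = tok.partition("=")
                test = MATCHERS.get(key, glob_match)
                if not eq:             # bare flag (e.g. FORWARD): boolean in req
                    ok = bool(req.get(key))
                else:                  # assumption: an absent key does not match
                    ok = key in req and any(test(v, str(req[key])) for v in values.split(","))
                matched, negate = matched and ok != negate, False
        if matched and result:
            return result
    return default

# Constructed sample: the example lines from the comments above, after DEFAULT ACCEPT
SAMPLE = """\
DEFAULT ACCEPT
REJECT SERVICE=X NOT IP=130.191.0.0/255.255.0.0
ACCEPT SERVICE=C HOST=dickory.sdsu.edu USER=papowell
REJECT SERVICE=C
REJECT FORWARD
"""
```

With `SAMPLE`, a spooling request (`SERVICE=R`) that is not forwarded matches no line and is decided by `DEFAULT ACCEPT`, which is the case to review first when tightening a rule set.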