This file is indexed.

/etc/lprng/lpd.perms is in lprng 3.8.B-2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

###########################################################################
# LPRng - An Extended Print Spooler System
#
# Copyright 1988-2001 Patrick Powell, San Diego, CA
#     papowell@lprng.com
# See LICENSE for conditions of use.
#
###########################################################################
# MODULE: TESTSUPPORT/lpd.perms.proto
# PURPOSE: prototype printer permissions file
########################################################################## 
# Printer permissions data base
## #
##                  LPRng - An Enhanced Printer Spooler
##                     lpd.perms file
##                   Patrick Powell <papowell@lprng.com>
##
## Access control to the LPRng facilities is controlled by entries
## in a set of lpd.perms files.  The common locations for these files
## are: /etc/lpd.perms,  /usr/etc/lpd.perms, and  /var/spool/lpd/lpd.perms.
## The locations of these files are set by the perms_path entry
## in the lpd.conf file or by compile time defaults in the
## src/common/defaults.c file.
## 
## Each time the lpd server is given a user request or carries out an
## operation,  it searches the perms files to determine if the action
## is ACCEPT or REJECT.  The first ACCEPT or REJECT found terminates the search.
## If none is found,  then the last DEFAULT action is used.
## 
## Permissions are checked by the use of 'keys' and matches.  For each of
## the following LPR activities,  the following keys have a value. 
## 
## Key          Match Connect Job   Job    LPQ  LPRM  LPC
##                            Spool Print
## SERVICE      S     'X'     'R'   'P'    'Q'  'M'   'C'
## USER         S     -       JUSR  JUSR   JUSR JUSR  JUSR
## HOST         S     RH      JH    JH     JH   JH    JH
## GROUP        S     -       JUSR  JUSR   JUSR JUSR  JUSR
## IP           IP    RIP     JIP   JIP    RIP  JIP   JIP
## PORT         N     PORT    PORT  PORT   PORT PORT  PORT
## UNIXSOCKET   V     SK      SK    SK     SK   SK    SK
## REMOTEUSER   S     -       JUSR  JUSR   JUSR CUSR  CUSR
## REMOTEHOST   S     RH      RH    JH     RH   RH    RH
## REMOTEGROUP  S     -       JUSR  JUSR   JUSR CUSR  CUSR
## CONTROLLINE  S     -       CL    CL     CL   CL    CL
## PRINTER      S     -       PR    PR     PR   PR    PR
## FORWARD      V     -       SA    -      -    SA    SA
## SAMEHOST     V     -       SA    -      SA   SA    SA
## SAMEUSER     V     -       -     -      SU   SU    SU
## SERVER       V     -       SV    -      SV   SV    SV
## LPC          S     -       -     -      -    -     LPC
## AUTH         V     -       AU    AU     AU   AU    AU
## AUTHTYPE     S     -       AU    AU     AU   AU    AU
## AUTHUSER     S     -       AU    AU     AU   AU    AU
## AUTHFROM     S     -       AU    AU     AU   AU    AU
## AUTHSAMEUSER S     -       AU    AU     AU   AU    AU
##   REMOTEIP is an alias for REMOTEHOST
##   REMOTEPORT is an alias for PORT
##   IP is an alias for HOST

## 
## KEY:
##   JH = HOST          IP address/DNS name of host in control file
##   RH = REMOTEHOST    connecting host IP address/DNS Name
##   JUSR = USER        user in control file
##   CUSR = REMOTEUSER  user making control operation request
##   JIP= IP            IP address/DNS name of host in control file
##   RIP= REMOTEIP      IP address/DNS name of requesting host
##   PORT=              connecting host origination port
##   SK=                true (match) if connection from a unix socket
##   CONTROLLINE=       pattern match of control line in control file
##
##   SA= IP of source of request == IP of host in control file
##   SU= user name making request == user in control file
##   SV= IP of source of request = IP of server host or server Localhost
##   LPC= lpc command globmatched against values
##   AU= Authorization check on transfer
##       AUTH will be true (match) if authenticated request
##       AUTHTYPE will match authentication type of request to pattern
##       AUTHUSER will match client authentication id to pattern
##       AUTHFROM will match request originator authentication id to pattern
##       AUTHSAMEUSER will match requestor authentication id
##              to authentication id in job
## 
## Match: S = globmatch, IP = IPaddress[/netmask],
##   N = low[-high] number range, V= matching or compatible values
## SERVICE: 'X' - Connection request; 'R' - lpr request from remote host;
##    'P' - print job in queue; 'Q' - lpq request, 'M' - lprm request;
##    'C' - lpc spool control request;
## NOTE: when printing (P action), the remote and job check values
##   (i.e. - RUSR, JUSR) are identical.
## NOTE: the HOST, USER, SAMEUSER and SAMEHOST checks always succeed
##   when checking permissions for a spool queue;  they are active only when
##   checking permissions of a spooled job.  
## 
## The UNIXSOCKET will match (true) when connection was made over a UNIX
##   socket.
## 
## The SAMEHOST match checks to see that one (or more) of the
##  IP addresses of the host originating a request matches
##  one or more of the IP addresses of the host whose
##  hostname appears in the control file.
## The SERVER match checks to see that one (or more) of the
##  IP addresses of the host originating a request matches
##  one or more of the IP addresses of the server.
## FORWARD  is the same as NOT SAMEHOST, i.e. - request is
##  forwarded.
## 
## The  special key letter=patterns searches the control file
## line starting with the (upper case) letter, and is usually
## used  with  printing  and  spooling  checks.  For example,
## C=A*,B* would check that the class information (i.e.- line
## in  the control file starting with C) had a value starting
## with A or B.
## 
## A permission line consists of a list of tests and a result value.
## If all of the tests succeed,  then a match has been found and the
## permission testing completes with the result value.  You use the
## DEFAULT reserved word to set the default ACCEPT/REJECT result.
## The NOT keyword will reverse the sense of a test.
## 
## Each test can have one or more optional values separated by
## commas. For example USER=john,paul,mark has 3 test values.
## 
## The Match type specifies how the matching is done.
## S = glob type string match OR </path
##     Format:  string with wildcards (*) and ranges
##              * matches 0 or more chars
##              [a-d] matches a or b or c or d
##     Character comparison is case insensitive.
##     For example - USER=th*s matches uTHS, This, This, Theses
##                   USER=[d-f]x matches dx, ex, fx
##     If the match is </path then the specified file is
##     opened and read, and the file contents are treated like
##     S type entries separated by whitespace
##     
## 
## IP = IP address and submask.  IP address must be in dotted form.
##       OR </path
##      Format: x.x.x.x[/y.y.y.y]  x.x.x.x is IP address
##              y.y.y.y is optional submask, default is 255.255.255.255
##      Match is done by converting to 32 bit x, y, and IP value and using:
##         success = ((x ^ IP ) & y) == 0   (C language notation)
##     i.e.- only bits where mask is non-zero are used in comparison.
##     For example - REMOTEIP=130.191.0.0/255.255.0.0 matches all address 130.191.X.X
##     If the match is </path then the specified file is
##     opened and read, and the file contents are treated like
##     S type entries separated by whitespace
##          
## N = numerical range  -  low-high integer range.
##      Format: low[-high]
##      Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)
## 
## The SAMEUSER and SAMEHOST are options that form values from information
## in control files or connections.  The GROUP entry searches the user group 
## database for group names matching the pattern,  and then searches these
## for the user name.  If the name is found,  the search is successful.
## The SERVER entry is successful if the request originated from the current
## lpd server host.
## 
## Note carefully that the USER, HOST, and IP values are based on values found
## in the control file currently being checked for permissions.  The
## REMOTEUSER, REMOTEHOST, and REMOTEIP are based on values supplied as part
## of a connection to the LPD server,  or on the actual TCP/IP connection.
##
## The LPC entry matches an LPC command.  For example LPC=topq would match 
## when an lpc topq command is being executed.  You must still have the
## SERVICE=C entry to trigger this action.
##
## Note: the SERVICE=R and SERVICE=P both check the LPR actions
## of sending a job.  However, SERVICE=R does it when the job is being
## sent to the LPD server.  Some LPD (and LPR) implementations cannot
## handle a job being rejected due to lack of permissions,  and sit in
## an endless loop trying to resend the job.  This is the reason for
## the SERVICE=P check.  You can accept the job for printing,  and then
## have the SERVICE=P check remove the job.
##
## NOTE: if you do not have an explicit ACCEPT SERVICE=P or
## DEFAULT ACCEPT action then your print jobs will be accepted
## and then quietly discarded.
## 
## Example Permissions
## 
## # All operations allowed except those specifically forbidden
## DEFAULT ACCEPT
## 
## # Accept connections from hosts on subnet 130.191.0.0 or
## # from the server.
## # (If the second value is meant to be the server's own loopback
## #  address, note that 128.0.0.0/8 is not the loopback network,
## #  which is 127.0.0.0/8; check it before copying this example.)
##   ACCEPT SERVICE=X REMOTEIP=130.191.0.0/255.255.0.0,\
##              128.0.0.0/8
## # from a named set of sites
##   ACCEPT SERVICE=X REMOTEHOST=engpc*
## # listed in the /etc/accepthost file
##   ACCEPT SERVICE=X REMOTEHOST=</etc/accepthost
##     - /etc/accepthost contains a list of entries separated
##       by whitespace.  For example:
##            10.0.0.0/8 128.0.0.0/8
##            192.168.10.1  192.168.10.2
##   # don't take them from this particular host
##   REJECT SERVICE=X REMOTEHOST=badhost.eng.com
## # Reject all others
##   REJECT SERVICE=X
## 
## #Do not allow anybody but root or papowell on
## #astart1.astart.com or listed in the /etc/ok file
## #to use lpc commands:
##   ACCEPT SERVICE=C SERVER REMOTEUSER=root
##   ACCEPT SERVICE=C REMOTEHOST=astart1.astart.com \
##        REMOTEUSER=papowell,</etc/ok
##     /etc/ok has list of users:
##         root papowell nobody
##         user1 user2
## 
## #Allow root on talker.astart.com to control printer hpjet
##   ACCEPT SERVICE=C HOST=talker.astart.com PRINTER=hpjet REMOTEUSER=root
## #Reject all others
##   REJECT SERVICE=C
## 
## #Do not allow forwarded jobs or requests
##   REJECT SERVICE=R,C,M FORWARD
## 

##  If you want to have connections only from programs on
##  the local host, either set lpd_listen_port in lpd.conf to off,
##  keep the next line active (it is already uncommented in this file),
##  or both.  The first ACCEPT or REJECT that matches ends the search,
##  so a request rejected here never reaches the rules further down.
REJECT NOT SERVER 

## You can make sure that connections come from a privileged port.
## Default is to allow them from any port so that non-setuid programs
## can do printing.  A privileged source port only indicates that the
## client ran with root privilege on its own host; it says nothing about
## whether that host is trusted, so pair it with REMOTEIP or REMOTEHOST
## tests rather than relying on it alone.
#  Any privileged source port (1-1023)
#REJECT SERVICE=X NOT PORT=1-1023
#REJECT SERVICE=X NOT PORT=1-1023
#  Strict RFC 1179 source port range (721-731)
#REJECT SERVICE=X NOT PORT=721-731
#
# lpc control requests (SERVICE=C); the rules are tried in order.
# allow root on server to control jobs
# NOTE(review): REMOTEUSER is described above as a value supplied with the
# connection, not an authenticated identity; add AUTH tests if the user
# name has to be verified.
ACCEPT SERVICE=C SERVER REMOTEUSER=root
# allow anybody to run the lpc lpd, status, and printcap commands
ACCEPT SERVICE=C LPC=lpd,status,printcap
# reject all other lpc commands
REJECT SERVICE=C
#
# lprm job removal requests (SERVICE=M)
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
# reject all other removal requests
REJECT SERVICE=M
# all other operations allowed
# Only SERVICE=C and SERVICE=M have explicit rules in this file, so
# connection (X), job submission (R), printing (P) and lpq (Q) requests
# fall through to this default.  If 'REJECT NOT SERVER' above is removed or
# commented out, add explicit SERVICE=X / SERVICE=R limits first.  If this
# is changed to DEFAULT REJECT, keep an explicit ACCEPT SERVICE=P or jobs
# will be accepted and then quietly discarded (see the NOTE above).
DEFAULT ACCEPT