SUMMARY: Access-Control for lprm under SunOS 4

From: Jan-Olaf Droese (zdjod@lif.de)
Date: Fri Nov 08 1996 - 06:57:49 CST


Dear sun-managers,

Once again I was impressed by the fast reactions I got: The first replies
arrived at my mbox just a few minutes after I posted. I really like this
list!

The general agreement was that there is no way to directly get the
printing system to do what I want it to do. The workaround suggested by
most of you was to use a package called `sudo' which offers the
possibility to let certain users execute certain commands with root-
privileges.

Information about sudo can be found at

        http://www.courtesan.com/courtesan/products/sudo
        http://www.cs.colorado.edu/~millert/sudo

This was suggested by so many of you that I can't list all your names
here.

Michael Neef <neef@neuroinformatik.ruhr-uni-bochum.de> suggested using
a program called osh which seems to do the same thing as sudo.

Another suggestion (from nobroin@esoc.esa.de (Niall O Broin - Gray Wizard))
was building a setuid-root script which basically does the following:

        for each argument
                if there is no such job queued
                        exit with an appropriate error message
                else
                        get owner of job
                        get groups of owner
                        get groups of user running this script
                        if there is a common group
                                lprm job
                        else
                                exit with an appropriate error message
                        endif
                endif
        end

Someone suggested all the users who shall be able to kill other jobs
should be added to the group `lp'. Since under SunOS 4 there is no
such group but the printing system runs under group daemon, this does
not seem a good idea. Giving secondary group daemon to all those
users seems much like telling them the root-password.

I think I will have a look at the sudo-package soon. I am also thinking
about the setuid-script. Can't say now if this is more insecure than
using sudo.

Thanks again to all of you,

JanO

Original Question was:

I'm currently looking for a way to allow whole groups to remove
print-jobs submitted by group-members.

As far as I know, a job can only be cancelled by the person who
submitted it, or by root. Is there a way to overcome this restriction?

-- 
Jan-Olaf Droese        | Lahmeyer International GmbH | #include
email: zdjod@lif.de    | Lyoner Str. 22              |   <stddisclaim.h>
phone: +49-69-6677-611 | 60528 Frankfurt am Main     |
fax:   +49-69-6677-623 | Germany                     |
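
The group check from the pseudocode above, written out as an added example (it is not code from the original post or from anyone quoted in it). It assumes BSD-style lpq output with Rank/Owner/Job columns, the paths /usr/ucb/lpq and /usr/ucb/lprm, a hypothetical wrapper name lprm-group started with root privileges (for instance through sudo), and it checks every argument before removing anything rather than job by job.

```python
import grp, os, pwd, re, subprocess, sys

LPQ, LPRM = "/usr/ucb/lpq", "/usr/ucb/lprm"   # assumed absolute paths
JOB_ID = re.compile(r"[0-9]{1,6}")            # plain job numbers only
# Constructed sample of BSD-style lpq output (not from the original post).
SAMPLE_LPQ = """lp is ready and printing
Rank   Owner      Job  Files            Total Size
active alice      12   report.ps        20480 bytes
1st    bob        13   memo.txt         1024 bytes
"""

def parse_lpq(text):
    """Map job number -> owner for every queue line of lpq output."""
    jobs = {}
    for fields in map(str.split, text.splitlines()):
        if len(fields) >= 3 and JOB_ID.fullmatch(fields[2]):
            jobs[fields[2]] = fields[1]
    return jobs

def groups_of(user):
    """Primary and supplementary gids of a user from the passwd/group databases."""
    gids = {pwd.getpwnam(user).pw_gid}
    return gids | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}

def authorize(caller, args, jobs, groups_of=groups_of):
    """Return args if the caller shares a group with every job's owner."""
    if not args:
        raise ValueError("no job numbers given")
    for job in args:
        # As root, "lprm -" empties the queue and "lprm user" removes that user's jobs.
        if not JOB_ID.fullmatch(job):
            raise ValueError(f"not a job number: {job!r}")
        if job not in jobs:
            raise LookupError(f"no such job queued: {job}")
        if not groups_of(caller) & groups_of(jobs[job]):
            raise PermissionError(f"job {job} belongs to {jobs[job]}")
    return list(args)

def main(argv):
    caller = pwd.getpwuid(os.getuid()).pw_name   # real uid, not the effective one
    env = {"PATH": "/usr/bin:/bin"}              # drop the caller's environment
    out = subprocess.run([LPQ], env=env, capture_output=True, text=True, check=True)
    try:
        allowed = authorize(caller, argv, parse_lpq(out.stdout))
    except (ValueError, LookupError, PermissionError) as err:
        sys.exit(f"lprm-group: {err}")
    return subprocess.call([LPRM, *allowed], env=env)

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

If every account shares a default group, the common-group test passes for everyone, so the check is only as narrow as the site's group layout.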


