SUMMARY: restricting access to printers in Solaris

From: Mikhail Nesterenko (mikhail@cis.ksu.edu)
Date: Tue Jul 08 1997 - 10:07:58 CDT


Hi there,

I asked the list about the ways of restricting access of SOME users
from SOME machines to SOME networked printers. "lpadmin -u allow/deny"
seemed to be the command to do it but the syntax of this command
seemed to be too restrictive (I've put my original question in the end
of the message).

ACKS

I'd like to thank these nice people for their suggestions:

Mariel Feder <unix.support@central.meralco.com.ph>
peter.allan@aeat.co.uk (Peter M Allan)
bismark@alta.Jpl.Nasa.Gov (Bismark Espinoza)

SOLUTIONS

There seems to be no clean way of doing it. (It would be nice if UNIX
groups not just individual users were recognized by lpadmin). Anyways,
here is the analysis of the proposed solutions:

* use allow/deny lists of "lpadmin":

   no can do. We have 40 faculty and staff to be allowed to use
   printers, about 400-600 students and 30 hosts shared by faculty and
   students. The syntax of allow/deny lists is:

   machine!user

   which means that I have to specify EVERY machine!user pair in
   either allow or deny list. For the faculty this produces 40x30=1200
   records. OUCH!

* use "all" quantifier in allow/deny list like "all!user" or "machine!all":

   nope. "machine!all" defeats the purpose of selective
   allowing/denying; "all!user" allows "user" from ANY machine in the
   world to print on the restricted printers. We do not run a
   firewall and the machines on campuswide network are already not
   trustworthy.

* change permissions on "lp" command so that only faculty can run it:
   
    naah. The students still want to print on some non-restricted
    printers.

* replace "lp" with a handwritten script:

    the script has to either completely replace lp (and /usr/ucb/lpr)
    or run it from within the script:

    -- replace: no thanks, I have to write communication with lpsched/lpNet
       Sun does not pay me to do the job for them;

    -- run it: this would involve making the handwritten script SID
       with all the pain and security implications. Only as a last resort!

With the hints from the proposed solutions I've come up with the
following idea:

* specify the following allow lists on the printhost:

printhost!faculty1 printhost!faculty2 printhost!faculty3 etc.

allowing faculty to print from the printhost only; replace /bin/lp
and /usr/ucb/lpr with a non-SID script that checks if the request is
made to the restricted printer and if yes it does:

rsh printhost /bin/lp <request>
or lpr

this seems like the most workable solution. thanks for your
attention. Long live sun-managers list!

--
Mikhail

ORIGINAL QUESTION

Mikhail Nesterenko wrote:
>
> Folks,
>
> I am faced with the problem of restricting user's access to a couple
> of HP printers such that only faculty are able to print on these
> printers.
>
> The faculty (as well as other users) can login to multiple Solaris boxes
> and would like to print from any of them. Our printserver is a Solaris
> box running standard Solaris SystemV-ish spooling system.
>
> The only way I see now is to use users.allow lists located in:
>
> /etc/lp/printers/<printer_name>/users.allow
>
> and manipulated by "lpadmin -u allow" command or directly. Now the
> syntax for this list is:
>
> system!user
>
> Which means that if I want to allow only certain users (faculty) to
> print from only certain machines (departmental Unix boxes) and
> DISallow the rest I'll have to list a Cartesian product of:
>
> {faculty} x {departmental machines}
>
> in users.allow. Which is going to be a huge, hard to parse and
> maintain list.
>
> QUESTION: is there any sane way of restricting user's access to
> printers in Solaris?
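The wrapper sketched in the summary (a non-setuid replacement for /bin/lp and /usr/ucb/lpr that forwards requests for restricted printers to the print host over rsh, while the printhost!faculty allow list on the print host makes the actual access decision) is shown below as an added, runnable illustration. It is not code from the post, from Sun, or from the sun-managers list. The print server name printhost, the restricted printer names hp_faculty and hp_chair, and the paths /usr/lib/lp/real-lp and /usr/lib/lp/real-lpr (where the original binaries are assumed to have been moved) are all assumptions; everything else follows the option syntax of lp(1) and lpr(1).

```sh
#!/bin/sh
# Added example, not from the post: a non-setuid wrapper installed as
# /bin/lp and /usr/ucb/lpr. Jobs for a restricted printer are forwarded
# with rsh to the print host, whose allow list holds "printhost!faculty..."
# entries, so the real access decision is still made by lpsched there.
# Names below are assumptions: the host name, the two printer names and
# the paths the original binaries were moved to.
PRINTHOST=${PRINTHOST:-printhost}
RESTRICTED_PRINTERS=${RESTRICTED_PRINTERS:-"hp_faculty hp_chair"}
REAL_LP=${REAL_LP:-/usr/lib/lp/real-lp}
REAL_LPR=${REAL_LPR:-/usr/lib/lp/real-lpr}

# resolve_destination MODE ARGS...: print the printer a request targets.
# MODE "lp"  honours -d NAME / -dNAME, then $LPDEST, then $PRINTER.
# MODE "lpr" honours -P NAME / -PNAME, then $PRINTER, then $LPDEST.
resolve_destination() {
    mode=$1; shift
    flag=-d
    if [ "$mode" = lpr ]; then flag=-P; fi
    dest=
    while [ $# -gt 0 ]; do
        case $1 in
            "$flag")
                if [ $# -ge 2 ]; then dest=$2; shift; fi ;;
            "$flag"?*)
                dest=${1#"$flag"} ;;
        esac
        shift
    done
    if [ -z "$dest" ]; then
        if [ "$mode" = lpr ]; then dest=${PRINTER:-${LPDEST:-}}
        else dest=${LPDEST:-${PRINTER:-}}; fi
    fi
    printf '%s\n' "$dest"
}

# is_restricted NAME: succeed when NAME is one of the restricted printers.
is_restricted() {
    for p in $RESTRICTED_PRINTERS; do
        if [ "$p" = "$1" ]; then return 0; fi
    done
    return 1
}

# route MODE ARGS...: print "remote" when the job must go through the
# print host, "local" when the local spooler may take it directly.
route() {
    if is_restricted "$(resolve_destination "$@")"; then
        echo remote
    else
        echo local
    fi
}

# dispatch MODE ARGS...: run the request. rsh passes stdin through, so
# "lp < file" and "cat file | lp" keep working; the remote shell re-splits
# the argument list, so a -t title containing spaces needs extra quoting.
dispatch() {
    mode=$1; shift
    real=$REAL_LP; remote=/bin/lp
    if [ "$mode" = lpr ]; then real=$REAL_LPR; remote=/usr/ucb/lpr; fi
    case $(route "$mode" "$@") in
        remote) exec rsh "$PRINTHOST" "$remote" "$@" ;;
        *)      exec "$real" "$@" ;;
    esac
}

# Act only when invoked under one of the wrapped names; sourcing the file
# just defines the functions.
case ${0##*/} in
    lp)  dispatch lp "$@" ;;
    lpr) dispatch lpr "$@" ;;
esac
```

To deploy the idea as the summary describes it: move the original /bin/lp and /usr/ucb/lpr to the REAL_LP and REAL_LPR paths, install this file as /bin/lp with a hard link named /usr/ucb/lpr, and on the print host give the restricted printers an allow list of the form printhost!faculty1,printhost!faculty2 (for example via lpadmin -p hp_faculty -u allow:printhost!faculty1,printhost!faculty2). Because the wrapper is not setuid, a user who bypasses it and talks to the spooler directly is still stopped by that allow list; the wrapper only makes the routing convenient, which is why no setuid script is needed. The forwarding does depend on the rsh trust (hosts.equiv or .rhosts) between the departmental boxes and the print host, so that trust should be limited to those hosts.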



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:58 CDT