Provided by: lprng_3.8.28-4ubuntu1_i386


       lpd.perms - permissions control file for the LPRng line printer spooler system


       The  file  lpd.perms  is used to provide permission information for the
       LPRng Printer spooler system.  Blank lines and all characters  after  a
       hash  sign  (‘‘#’’)  to the end of line are ignored.  If a hash sign is
       desired in the permission information, it  should  be  escaped  with  a
       backslash (‘‘\’’). All other lines specify a permissions entry and
       should be of the following form:
              ACCEPT [[not] key = value[,value]* ]*
              REJECT [[not] key = value[,value]* ]*
              DEFAULT ACCEPT
              DEFAULT REJECT

       Each LPD  service  request  is  checked  against  the  entries  in  the
       permissions  database  or file.  The following is a typical permissions
              # Set default permissions
              DEFAULT ACCEPT
              # Reject any connections from outside our subnet
              # Only accept spooling (LPR) from
              # Engineering Lab or the Dean’s office
              # Do not accept forwarded jobs for printing
              # Allow only the administrators control access
              ACCEPT SERVICE=C,M REMOTEUSER=root,papowell
              ACCEPT SERVICE=C,M SERVER REMOTEUSER=root,papowell
              # Allow only the user on the same host who spooled job to remove it
              # Allow users to check status
              ACCEPT SERVICE=C LPC=status
              # Require connection for other operations over UNIX socket
              # not TCP/IP port.  Effectively requiring them to be made from the
              # localhost
              REJECT SERVICE=C

              # Variation - accept all spooled jobs, but then apply
              #  permissions checking when job is printed.  This
              #  prevents remote spoolers from locking up trying to resend
              #  the same request
              ACCEPT SERVICE=R

       Permission checking is done by using a set of keys (or fields) with
       associated values to check for permission.  The SERVICE key has value P
       for printing (i.e. unspooling, after the job has been spooled), R for
       spooling (i.e. LPR request), C for printer control (i.e. LPC), M for
       removal (i.e. LPRM request), and Q for queue information (i.e. LPQ
       request).  The value X is used when checking for connection
       information.

       Initially, all of the keys have  undefined  or  NULL  values,  and  are
       assigned  values  during  the  permissions  checking  process.   When a
       connection is made to the server, it assigns the REMOTEHOST (alias
       REMOTEIP)  key  the  list  of  IP addresses and hostnames determined by
       doing a reverse Domain Name Service (DNS) lookup on the  remote  host’s
       IP address.  If the reverse DNS fails, then only the IP address will be
       used.  The REMOTEPORT (PORT is an alias for REMOTEPORT) is assigned the
       port  number  of  the  connection origination.  The UNIXSOCKET key will
       match  (be  true)  if  the  connection  is  over  a  UNIX  socket.   By
       convention,  this is from the localhost.  Finally, the SERVICE value is
       assigned X, and the lpd server will check the database to  see  if  the
       connection is accepted or rejected.

       The  server will then read the request information from the connection.
       If the request is for an authenticated data transfer, the  server  will
       invoke  the appropriate authentication mechanism which will assign AUTH
       a true (or  matching)  value,  AUTHTYPE  the  type  of  authentication,
       AUTHUSER  the  authenticated  user  id value, which may differ from the
       actual user name, and AUTHFROM the authenticated identification of  the
       originator  of  the  request,  which  may be a server if the request is

       Next, the SERVICE value is set to R, C, M, or Q depending on whether it
       is  an  LPR,  LPC,  LPRM,  or LPQ request, and the LPC value set to the
       requested LPC command if  it  was  an  LPC  request.   If  the  request
       contained  a  user  name,  then REMOTEUSER is set to this name.  If the
       request contained a printer name, then PRINTER is set  to  the  printer
       name.  If the request is a print request, then the HOST value is set to
       the list of host names and IP addresses given by a DNS  lookup  of  the
       value  in  the  H  field  of the job.  The database is scanned again to
       determine if the operation can be performed on the requested queue.  To
       simplify  the  rule  writing, if the operation requires modification or
       checking of individual jobs, such as the LPC, LPQ,  or  LPRM  commands,
       then  the various checks that depend on jobs will succeed in this step.

       Finally,  if  the  operation  requires  modification  or  checking   of
       individual  jobs,  such  as  the  LPC,  LPQ, or LPRM commands, then the
       specified print queue is scanned, and for each job in the print  queue,
       the  HOST  and  USER  values are set to the host and user values in the
       control file for the job.

       The database is checked as follows.  Each line of the permissions  file
       is  scanned for key names and values, and these are matched against the
       request keys information.  When all matches on a line are made, the
       search terminates with the specified action (ACCEPT/REJECT).  If no
       match is found the default permission value is used.  The  DEFAULT  key
       is  used  to  specify  the  current  default  permission to be used for
       successful matches or if there is no match after  scanning  the  entire
       permissions database.
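
       The scan just described, as an added example (not LPRng code). The
       function names, the dict form of a request, the REJECT result when no
       DEFAULT line is present, and the rule that an unset key never matches
       are assumptions of this example.

```python
import re
# Constructed sample, assembled from rule lines shown on this page.
SAMPLE = """\
DEFAULT ACCEPT
ACCEPT SERVICE=C,M REMOTEUSER=root,papowell
ACCEPT SERVICE=C LPC=status   # status only
REJECT SERVICE=C
"""

def parse_perms(text):
    rules = []  # ('DEFAULT', action) or (action, [(negated, key, patterns), ...])
    for raw in text.splitlines():
        line = re.sub(r"(?<!\\)#.*", "", raw).replace("\\#", "#")  # drop comments
        line = re.sub(r"\s*([=,])\s*", r"\1", line)  # 'key = a, b' -> 'key=a,b'
        head, *words = line.split() or [""]
        if head.upper() == "DEFAULT":
            rules.append(("DEFAULT", words[0].upper()))
        elif head:
            tests, negate = [], False
            for word in words:
                if word.upper() == "NOT":
                    negate = True
                    continue
                key, _, values = word.partition("=")
                tests.append((negate, key.upper(), values.split(",") if values else None))
                negate = False
            rules.append((head.upper(), tests))
    return rules

def glob_match(pattern, value):
    # Type S match: '*' matches 0 or more chars, comparison is case insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def term_matches(request, key, patterns):
    value = request.get(key)
    # Assumption: an unset key never matches; a bare flag key (SERVER,
    # SAMEHOST, ...) matches when the request marks it true.
    if value is None or patterns is None:
        return bool(value)
    return any(glob_match(p, value) for p in patterns)

def check(rules, request):
    default = "REJECT"     # assumption: result if no DEFAULT line was seen
    for action, tests in rules:
        if action == "DEFAULT":
            default = tests            # DEFAULT sets the current default
        elif all(term_matches(request, k, p) != neg for neg, k, p in tests):
            return action              # first full match ends the search
    return default
```

       With DEFAULT ACCEPT, a request that matches no entry (in this sample,
       an LPRM request from any user) is accepted, so every restricted service
       needs its own REJECT entry after its ACCEPT entries.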

       The following keys provide some additional checking capabilities.  The
       REMOTEGROUP entry checks that the REMOTEUSER value appears in  a  group
       or  netgroup  entry in the system database, and the GROUP entry for the
       USER value.  For example, GROUP=student*,staff* would check to  see  if
       any  of  the group names matching student* or staff* have the specified
       user name in them.   If  a  system  has  the  netgroups  capability,  a
       printer,  group,  or remotegroup name starting with a @ will be treated
       as a netgroup name, and specified user name or printer will be  checked
       to see if it is in the group.

       The  SERVER  entry  will be true (match) if the request originated from
       the print server.  The SAMEHOST is true (matches) if the REMOTEHOST and
       HOST  values  have  a  common  entry,  i.e.  -  are the same host.  The
       SAMEUSER is true (matches)  if  the  REMOTEUSER  and  USER  values  are
       identical.   The  AUTHSAMEUSER  is true (matches) if the AUTHUSER value
       that originated the request and the AUTHUSER which was used to transfer
       a  job  are  identical.   AUTHJOB  is  true  (matches)  if  the job was
       transferred using authentication.  The FORWARD value is  an  alias  for

       The  CONTROLLINE  value can be used to determine if there is a matching
       line in the control file.  This facility has been used to  ensure  that
       jobs contain various information fields in order to be printed.

       Key          Match Connect Job   Job    LPQ  LPRM  LPC
                                  Spool Print
       SERVICE      S     ’X’     ’R’   ’P’    ’Q’  ’M’   ’C,S’
       USER         S     -       JUSR  JUSR   JUSR JUSR  JUSR
       HOST         S     RH      JH    JH     JH   JH    JH
       GROUP        S     -       JUSR  JUSR   JUSR JUSR  JUSR
       REMOTEPORT   N     PORT    PORT  -      PORT PORT  PORT
       REMOTEUSER   S     -       JUSR  JUSR   JUSR CUSR  CUSR
       REMOTEHOST   S     RH      RH    JH     RH   RH    RH
       UNIXSOCKET   V     SK      SK    SK     SK   SK    SK
       CONTROLLINE  S     -       CL    CL     CL   CL    CL
       PRINTER      S     -       PR    PR     PR   PR    PR
       FORWARD      V     -       SA    -      -    SA    SA
       SAMEHOST     V     -       SA    -      SA   SA    SA
       SAMEUSER     V     -       -     -      SU   SU    SU
       SERVER       V     -       SV    -      SV   SV    SV
       AUTH         V     -       AU    -      AU   AU    AU
       AUTHTYPE     S     -       AU    -      AU   AU    AU
       AUTHUSER     S     -       AU    -      AU   AU    AU
       AUTHSAMEUSER S     -       AU    -      AU   AU    AU
       AUTHFROM     S     -       AU    -      AU   AU    AU
       AUTHJOB      V     -       AU    -      AU   AU    AU
         PORT is alias for REMOTEPORT
         REMOTEIP is alias for REMOTEHOST
         IP is alias for HOST

          JH = HOST          host in control file
          RH = REMOTEHOST    connecting host name/IP
          JUSR = USER        user in control file
          CUSR = REMOTEUSER  user from control request
          JIP= IP            host/IP addr of host in control file
          RIP= REMOTEIP      host/IP addr of requesting host
          PORT=              connecting host origination port
          SK=                match if connection over a UNIX socket
          CONTROLLINE=       pattern match of control line in control file
          FW= IP of source of request == IP of host in control file
          SA= IP of source of request == IP of host in control file
          SU= user from request == user in control file
          SA= IP of source of request == IP of server host
          SV= matches if from same address as server
          AU= value determined by server authentication operation
                             AUTH is true if authenticated transfer,
                             TYPE is set to the type of authentication (pgp, kerberos, etc)
                             AUTHUSER is user authentication id
                             AUTHFROM is sender authentication id (can be remote server)
                             AUTHSAMEUSER matches if remote user authentication id matches original
                             user authentication id
                             AUTHJOB is true if print job has authentication
       Match: S = string with wild card, IP = IPaddress[/netmask],
          N = low[-high] number range, V = exact value match
       SERVICE: ’X’ - Connection request; ’R’ - lpr request from remote host;
           ’P’ - print job in queue; ’Q’ - lpq request, ’M’ - lprm request;
           ’C’ - lpc spool control request; ’S’ - lpc spool status request
           ’U’ - administratively allowed user operation
       NOTE: when printing (P action), the remote and job check values
          (i.e. - RUSR, JUSR) are identical.

       The special key letter=patterns searches the control file line starting
       with the (upper case) letter, and is usually  used  with  printing  and
       spooling  checks.   For  example,  C=A*,B*  would  check that the class
       information (i.e.- line in the control file  starting  with  C)  had  a
       value starting with A or B.

       A  permission  line consists of a list of tests and a result value.  If
       all of the  tests  succeed,  then  a  match  has  been  found  and  the
       permission  testing  completes  with  the  result  value.   You use the
       DEFAULT reserved word to set the default ACCEPT/REJECT result.  The NOT
       keyword will reverse the sense of a test.

       Each test can have one or more optional values separated by commas. For
       example  USER=john,paul,mark  has  3  test  values.   The  Match  value
       specifies how the matching is done.

       S = string type match - string match with glob.
           Format:  string with wildcards (*)
               * matches 0 or more chars
           Character comparison is case insensitive.
           For example - USER=th*s matches uTHS, This, This, Theses

       IP = IP address and submask.  IP address must be in dotted form.
           Format: x.x.x.x[/y.y.y.y or /z]
               x.x.x.x is IP address
               y.y.y.y is optional submask, default is
               z is a netmask with most significant z bits set.
           Match is done by converting the IP address to a 32 bit value and using:
               success = ((x ^ IP ) & y) == 0   (C language notation)
           i.e.- only bits where mask is non-zero are used in comparison.
           For example - IP= matches all address 130.191.X.X
           IP= has the same value.

       N = numerical range  -  low-high integer range.
           Format: low[-high]
           Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)
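
       The IP and N match types above, as an added example (not LPRng code)
       that also flags masks which match more than their author probably
       intended. The function names and the sample patterns are constructed
       for this example, and treating a missing mask as "compare all 32 bits"
       is an assumption.

```python
import ipaddress

def to_u32(dotted):
    # Strict dotted-quad IPv4 address -> 32 bit integer
    return int(ipaddress.IPv4Address(dotted))

def parse_ip_pattern(pattern):
    """Split 'x.x.x.x[/y.y.y.y or /z]' into (x, y) as 32 bit integers."""
    addr, _, mask = pattern.partition("/")
    if not mask:
        y = 0xFFFFFFFF  # assumption: no mask means all 32 bits are compared
    elif "." in mask:
        y = to_u32(mask)  # explicit submask, need not be contiguous
    else:
        z = int(mask)
        if not 0 <= z <= 32:
            raise ValueError(f"bad netmask length: {mask}")
        y = (0xFFFFFFFF << (32 - z)) & 0xFFFFFFFF  # most significant z bits set
    return to_u32(addr), y

def ip_match(pattern, ip):
    x, y = parse_ip_pattern(pattern)
    return ((x ^ to_u32(ip)) & y) == 0  # the formula given on this page

def range_match(pattern, n):
    """Type N match: 'low[-high]'; a single number matches only itself."""
    low, _, high = pattern.partition("-")
    return int(low) <= n <= int(high or low)

def audit_ip_pattern(pattern):
    """Return warnings for masks that match more than was likely intended."""
    x, y = parse_ip_pattern(pattern)
    warnings = []
    if y == 0:
        warnings.append("mask is zero: matches every address")
    inverted = ~y & 0xFFFFFFFF
    if inverted & (inverted + 1):  # host bits are not one run of low bits
        warnings.append("mask is not contiguous")
    if x & inverted:
        warnings.append("address has bits outside the mask; they are ignored")
    return warnings

# Constructed patterns; 130.191.X.X is the network the page's example names.
SAMPLES = ["130.191.0.0/255.255.0.0", "130.191.0.0/16", "10.0.7.0/255.0.255.0"]
```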

       The  authentication  entries AUTH, AUTHTYPE, AUTHUSER, AUTHSAMEUSER and
       AUTHFROM can be used to check permissions for authenticated operations.
       AUTH  is  set  (true)  if  authentication was done.  We can use this to
       reject non-authenticated transfers:
       The AUTHTYPE will match the authentication type being used or requested
       by  the  remote  client  or  server.  The AUTHUSER matches the original
       client authentication information used by the client to make a  request
       to  the  server,  and  the  AUTHFROM  matches the sender authentication
       information.  The AUTHSAMEUSER will match if the remote client or  user
       authentication id is the same as that used for the job generation.


       The   LPC=op  entry  is  useful  to  allow  various  users  to  perform
       administration  operations.   The  following  permissions  entry  would
       allow users to hold or release their own jobs:


       There  is  a  subtle  problem  with  names  and  IP addresses which are
       obtained for ’multi-homed hosts’, i.e. - those with  multiple  ethernet
       interfaces,   and  for  IPV6  (IP Version 6),  in which a host can have
       multiple addresses,  and for the normal host  which  can  have  both  a
       short name and a fully qualified domain name.

       When  performing  an IP address match,  the entire list of IP addresses
       for a system will now be  checked.   If  one  of  these  matches,  then
       success  is  reported.   Similarly,   the entire list of host names and
       aliases will be checked.  If one of these matches,  then  success  will
       be reported.


       The  files used by LPRng are set by values in the printer configuration
       file.  The following are a commonly used set of default values.
       //etc/lprng/lpd.conf                         LPRng configuration file
       ${HOME}/.printcap                            user printer description file
       //etc/printcap                               printer description file
       //etc/lprng/lpd.perms                        permissions
       /var/run/lprng/lpd                           lock file for queue control
       /var/spool/lpd                               spool directories
       /var/spool/lpd/QUEUE/control                 queue control
       /var/spool/lpd/QUEUE/log                     trace or debug log file
       /var/spool/lpd/QUEUE/acct                    accounting file
       /var/spool/lpd/QUEUE/status                  status file


       lpd.conf(5),  lpc(8),  lpd(8),  checkpc(8),  lpr(1),  lpq(1),  lprm(1),
       printcap(5), pr(1), lprng_certs(1), lprng_index_certs(1).


       LPRng is an enhanced printer spooler system with functionality similar
       to  the  Berkeley  LPR   software.    The   LPRng   mailing   list   is;  subscribe  by sending mail to
       with the word subscribe in the body.  The software  is  available  from


       Patrick Powell <>.