Provided by: lprng_3.8.B-2.2_amd64 bug

NAME

       lpd.perms - permissions control file for the LPRng line printer spooler system

DESCRIPTION

       The file lpd.perms is used to provide permission information for the LPRng Printer spooler system.  Blank
       lines and all characters after a hash sign (``#'') to the end of line are ignored.  If  a  hash  sign  is
       desired  in  the  permission information, it should be escaped with a backslash (``\'').  All other lines
       specify permissions entry and should be of the following form:
              ACCEPT [[not] key = value[,value]* ]*
              REJECT [[not] key = value[,value]* ]*
              DEFAULT ACCEPT
              DEFAULT REJECT

       Each LPD service request is checked against the  entries  in  the  permissions  database  or  file.   The
       following is a typical permissions file:
              # Set default permissions
              DEFAULT ACCEPT
              # Reject any connections from outside our subnet
              REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0
              # Only accept spooling (LPR) from
              # Engineering Lab or the Dean's office
              REJECT SERVICE=R NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu
              # Do not accept forwarded jobs for printing
              REJECT SERVICE=R FORWARD
              # Allow only the administrators control access
              ACCEPT SERVICE=C,M REMOTEHOST=spooler.eng.sdsu.edu REMOTEUSER=root,papowell
              ACCEPT SERVICE=C,M SERVER REMOTEUSER=root,papowell
              # Allow only the user on the same host who spooled job to remove it
              ACCEPT SERVICE=M SAMEUSER SAMEHOST
              # Allow users to check status
              ACCEPT SERVICE=C LPC=status
              # Require connection for other operations over UNIX socket
              # not TCP/IP port.  Effectively requiring them to be made from the
              # localhost
              ACCEPT SERVICE=C UNIXSOCKET
              REJECT SERVICE=C

              # Variation - accept all spooled jobs,  but then apply
              #  permissions checking when job is printed.  Allows
              #  prevents remote spoolers from locking up trying resend
              #  same request
              ACCEPT SERVICE=R
              REJECT SERVICE=P NOT REMOTEHOST=*.eng.sdsu.edu,dean.sdsu.edu

       Permission  checking  is  done  by  using  a  set of keys (or fields) with associated values to check for
       permission.  The SERVICE key has value P for printing (i.e.-  unspooling),  R  for  spooling  (i.e.-  LPR
       request),  P  for  printing  (i.e.,  after  job  has been spooled), C printer control (i.e. - LPC), M for
       removal (i.e.- LPRM request), and Q for queue information (i.e.- LPQ request).  The X key  is  used  when
       checking for connection information.

       Initially,  all of the keys have undefined or NULL values, and are assigned values during the permissions
       checking process.  When a connection is made to the server, it assigns The  REMOTEHOST  (alias  REMOTEIP)
       key the list of IP addresses and hostnames determined by doing a reverse Domain Name Service (DNS) lookup
       on the remote host's IP address.  If the reverse DNS fails, then only the IP address will be  used.   The
       REMOTEPORT  (PORT  is an alias for REMOTEPORT) is assigned the port number of the connection origination.
       The UNIXSOCKET key will match (be true) if the connection is over a UNIX socket.  By convention, this  is
       from the localhost.  Finally, the SERVICE value is assigned X, and the lpd server will check the database
       to see if the connection is accepted or rejected.

       The server will then read the request information  from  the  connection.   If  the  request  is  for  an
       authenticated  data  transfer, the server will invoke the appropriate authentication mechanism which will
       assign AUTH a true (or matching) value, AUTHTYPE the type of authentication, AUTHUSER  the  authenticated
       user  id value, which may differ from the actual user name, and AUTHFROM the authenticated identification
       of the originator of the request, which may be a server if the request is forwarded.

       Next, the SERVICE value is set to R, C, M, or Q depending on whether it is an  LPR,  LPC,  LPRM,  or  LPQ
       request,  and  the  LPC  value set to the requested LPC command if it was an LPC request.  If the request
       contained a user name, then REMOTEUSER is set to this name.  If the request  contained  a  printer  name,
       then  PRINTER  is set to the printer name.  If the request is a print request, then the HOST value is set
       to the list of host names and IP addresses given by a DNS lookup of the value in the H field of the  job.
       The  database is scanned again to determine if the operation can be performed on the requested queue.  To
       simplify the rule writing, if the operation requires modification or checking of individual jobs, such as
       the LPC, LPQ, or LPRM commands, then the various checks that depend on jobs will succeed in this step.

       Finally,  if the operation requires modification or checking of individual jobs, such as the LPC, LPQ, or
       LPRM commands, then the specified print queue is scanned, and for each job in the print queue,  the  HOST
       and USER values are set to the host and user values in the control file for the job.

       The  database  is  checked  as  follows.   Each line of the permissions file is scanned for key names and
       values, and these are matched against the request keys information.  When all matches on a line are made,
       then  search  terminates  with  the  specified  action (ACCEPT/REJECT).  If no match is found the default
       permission value is used.  The DEFAULT key is used to specify the current default permission to  be  used
       for successful matches or if there is no match after scanning the entire permissions database.

       The  following keys provide some additional checking capabilities.  The REMOTEGROUP entry checks that the
       REMOTEUSER value appears in a group or netgroup entry in the system database, and the GROUP entry for the
       USER  value.   For  example,  GROUP=student*,staff* would check to see if any of the group names matching
       student* or staff* have the specified user name in them.  If a system has  the  netgroups  capability,  a
       printer,  group,  or remotegroup name starting with a @ will be treated as a netgroup name, and specified
       user name or printer will be checked to see if it is in the group.

       The SERVER entry will be true (match) if the request originated from the print server.  The  SAMEHOST  is
       true  (matches)  if  the  REMOTEHOST  and HOST values have a common entry, i.e. - are the same host.  The
       SAMEUSER is true (matches) if the REMOTEUSER and USER values are identical.   The  AUTHSAMEUSER  is  true
       (matches) if the AUTHUSER value that originated the request and the AUTHUSER which was used to transfer a
       job are identical.  AUTHJOB is true (matches) if the  job  was  transferred  using  authentication.   The
       FORWARD value is an alias for NOT SAMEHOST.

       The  CONTROLLINE  value  can  be used to determine if there is a matching line in the control file.  This
       facility has been used to ensure that jobs contain various information fields in order to be printed.

       Key          Match Connect Job   Job    LPQ  LPRM  LPC
                                  Spool Print
       SERVICE      S     'X'     'R'   'P'    'Q'  'M'   'C,S'
       USER         S     -       JUSR  JUSR   JUSR JUSR  JUSR
       HOST         S     RH      JH    JH     JH   JH    JH
       GROUP        S     -       JUSR  JUSR   JUSR JUSR  JUSR
       REMOTEPORT   N     PORT    PORT  -      PORT PORT  PORT
       REMOTEUSER   S     -       JUSR  JUSR   JUSR CUSR  CUSR
       REMOTEHOST   S     RH      RH    JH     RH   RH    RH
       UNIXSOCKET   V     SK      SK    SK     SK   SK    SK
       REMOTEGROUP  S     -       JUSR  JUSR   JUSR CUSR  CUSR
       CONTROLLINE  S     -       CL    CL     CL   CL    CL
       PRINTER      S     -       PR    PR     PR   PR    PR
       FORWARD      V     -       SA    -      -    SA    SA
       SAMEHOST     V     -       SA    -      SA   SA    SA
       SAMEUSER     V     -       -     -      SU   SU    SU
       SERVER       V     -       SV    -      SV   SV    SV
       AUTH         V     -       AU    -      AU   AU    AU
       AUTHTYPE     S     -       AU    -      AU   AU    AU
       AUTHUSER     S     -       AU    -      AU   AU    AU
       AUTHSAMEUSER S     -       AU    -      AU   AU    AU
       AUTHFROM     S     -       AU    -      AU   AU    AU
       AUTHJOB      V     -       AU    -      AU   AU    AU
         PORT is alias for REMOTEPORT
         REMOTEIP is alias for REMOTEHOST
         IP is alias for HOST

       KEY:
          JH = HOST          host in control file
          RH = REMOTEHOST    connecting host name/IP
          JUSR = USER        user in control file
          CUSR = REMOTEUSER  user from control request
          JIP= IP            host/IP addr of host in control file
          RIP= REMOTEIP      host/IP addr of requesting host
          PORT=              connecting host origination port
           SK=  match if connection over a UNIX socket
          CONTROLLINE=       pattern match of control line in control file
          FW= IP of source of request == IP of host in control file
          SA= IP of source of request == IP of host in control file
          SU= user from request == user in control file
          SA= IP of source of request == IP of server host
          SV= matches if from same address as server
          AU= value determined by server authentication operation
                             AUTH is true if authenticated transfer,
                             TYPE is set to the type of authentication (kerberos, etc)
                             AUTHUSER is user authentication id
                             AUTHFROM is sender authentication id (can be remote server)
                             AUTHSAMEUSER matches if remote user authentication id matches original
                             user authentication id
                             AUTHJOB it true if print job has authentication
       Match: S = string with wild card, IP = IP address[/netmask],
          N = low[-high] number range, V = exact value match
       SERVICE: 'X' - Connection request; 'R' - lpr request from remote host;
           'P' - print job in queue; 'Q' - lpq request, 'M' - lprm request;
           'C' - lpc spool control request; 'S' - lpc spool status request
          'U' - administratively allowed user operation
       NOTE: when printing (P action), the remote and job check values
          (i.e. - RUSR, JUSR) are identical.

       The special key letter=patterns searches the control file line starting with the (upper case) letter, and
       is  usually  used  with  printing  and  spooling checks.  For example, C=A*,B* would check that the class
       information (i.e.- line in the control file starting with C) had a value starting with A or B.

       A permission line consists of a list of tests and a result value.  If all of the tests  succeed,  then  a
       match  has  been  found  and the permission testing completes with the result value.  You use the DEFAULT
       reserved word to set the default ACCEPT/DENY result.  The NOT keyword will reverse the sense of a test.

       Each test can have one or more optional values separated by commas. For example USER=john,paul,mark has 3
       test values.  The Match value specifies how the matching is done.

       S = string type match - string match with glob.
           Format:  string with wildcards (*)
               * matches 0 or more chars
           Character comparison is case insensitive.
           For example - USER=th*s matches uTHS, This, This, Theses

       IP = IP address and submask.  IP address must be in dotted form.
           Format: x.x.x.x[/y.y.y.y or /z]
               x.x.x.x is IP address
               y.y.y.y is optional submask, default is 255.255.255.255
               z is a netmask with most significant z bits set.
           Match is done by IP address to a 32 bit value and using:
               success = ((x ^ IP ) & y) == 0   (C language notation)
           i.e.- only bits where mask is non-zero are used in comparison.
           For example - IP=130.191.0.0/255.255.0.0 matches all address 130.191.X.X
           IP=130.191.0.0/16 has the same value.

       N = numerical range  -  low-high integer range.
           Format: low[-high]
           Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)

       The  authentication  entries  AUTH,  AUTHTYPE,  AUTHUSER,  AUTHSAMEUSER and AUTHFROM can be used to check
       permissions for authenticated operations.  AUTH is set (true) if authentication was  done.   We  can  use
       this to reject non-authenticated transfers:
       REJECT NOT AUTH
       The  AUTHTYPE  will match the authentication type being used or requested by the remote client or server.
       The AUTHUSER matches the original client authentication information used by the client to make a  request
       to  the  server,  and  the AUTHFROM matches the sender authentication information.  The AUTHSAMEUSER will
       match if the remote client or user authentication id is the same as that used for the job generation.

LPC=OP

       The LPC=op entry is useful to allow various users to perform administration  operations.   The  following
       permissions entry would allows users to hold or release their own jobs:
       ACCEPT SERVICE=C SAMEUSER SAMEHOST LPC=release

DNS, IPV6, AND MULTIHOMED HOSTS

       There  is a subtle problem with names and IP addresses which are obtained for 'multi-homed hosts', i.e. -
       those with multiple Ethernet interfaces,  and for IPV6 (IP Version 6),  in which a host can have multiple
       addresses,  and for the normal host which can have both a short name and a fully qualified domain name.

       When  performing  an IP address match,  the entire list of IP addresses for a system will now be checked.
       If one of these matches, then success is reported.  Similarly,  the entire list of host names and aliases
       will be checked.  If one of these matches,  then success will be reported.

FILES

       The  files  used  by  LPRng  are  set  by  values in the printer configuration file.  The following are a
       commonly used set of default values.
       /etc/lprng/lpd.conf                          LPRng configuration file
       ${HOME}/.printcap                            user printer description file
       /etc/printcap                                printer description file
       /etc/lprng/lpd.perms                         permissions
       /var/run/lprng/lpd                           lock file for queue control
       /var/spool/lpd                               spool directories
       /var/spool/lpd/QUEUE/control                 queue control
       /var/spool/lpd/QUEUE/log                     trace or debug log file
       /var/spool/lpd/QUEUE/acct                    accounting file
       /var/spool/lpd/QUEUE/status                  status file

SEE ALSO

       lpd.conf(5), lpc(8), lpd(8), checkpc(8), lpr(1), lpq(1),  lprm(1),  printcap(5),  pr(1),  lprng_certs(1),
       lprng_index_certs(1).

AUTHOR

       Patrick Powell <papowell@lprng.com>.

HISTORY

       LPRng  is a enhanced printer spooler system with functionality similar to the Berkeley LPR software.  The
       LPRng   developer   mailing   list   is   lprng-devel@lists.sourceforge.net;   subscribe   by    visiting
       https://lists.sourceforge.net/lists/listinfo/lprng-devel      or      sending      mail     to     lprng-
       request@lists.sourceforge.net with the word subscribe in the body.
       The software is available via http://lprng.sourceforge.net