Bug#311774: lprng: Fails to print to localhost when named pipe is missing
>>>>> "CS" == Craig Small <csmall@enc.com.au> writes:
CS> On Thu, Mar 16, 2006 at 09:15:41AM +0100, Anders Boström wrote:
>> No, I want to print via the existing non-chroot LPD from the chroot,
>> and I want to do it via the existing TCP socket in the non
>> chroot. Printing via this LPD from other hosts work fine, via the TCP
>> socket. It is *only* from a local chroot it doesn't work, because
>> lpr tries to be "smart" and use a local socket instead of the TCP
>> socket.
CS> That's force_localhost coming into play.
CS> Did you try it, did you try turning off force_localhost inside the
CS> printcap within the chroot?
>>
>> Yes!
CS> OK, send me your printcap and /etc/lprng/* inside the chroot.
CS> Also, what are you using to go into the chroot, pbuilder? chroot or
CS> something else?
OK, this is from the chroot:

/etc/printcap:

# LPD print queue configuration - Default options
# The printcap entry below sets defaults. Add default options
# or other entries here
#
.common:
    :sd=/var/spool/lpd/%P
    :sh:mx=0:mc=0
    :lpr_bounce
    :af=/var/log/lp-acct:lf=/var/log/lp-errs
sda4_local|HP Laserjet 5M
    :tc=.common
    :rm=hp5m-1
    :rp=sda4
    :if=/etc/magicfilter/ljet4m-filter

# ls -l /etc/lprng/
totalt 20
-rw-r--r-- 1 root root 118 2003-03-02 23:30 lpd.conf
-rw-r--r-- 1 root root 82 2002-04-11 05:27 lpd.conf.local
-rw-r--r-- 1 root root 11444 2004-11-18 06:54 lpd.perms
lrwxrwxrwx 1 root root 11 2004-08-20 10:36 printcap -> ../printcap

# cat /etc/lprng/lpd.conf
# LPRng for Debian GNU/Linux
# /etc/lprng/lpd.conf
# See lpd.conf(5) and /usr/share/doc/lprng/examples/lpd.conf.gz
#

# cat /etc/lprng/lpd.conf.local
# /etc/lprng/lpd.conf
# Local configuration settings for LPRng
# See lpd.conf (5)

lpd.perms is attached below. However, lpd config inside of the chroot
should not affect lpr, or should it?

I use chroot (as root) or dchroot (as normal user and in wrapper
scripts) to go into the chroot.

I've also tried with force_localhost turned off by adding
:force_localhost@ to the printcap-entry above.

/ Anders

###########################################################################
# LPRng - An Extended Print Spooler System
#
# Copyright 1988-2001 Patrick Powell, San Diego, CA
# papowell@lprng.com
# See LICENSE for conditions of use.
#
###########################################################################
# MODULE: TESTSUPPORT/lpd.perms.proto
# PURPOSE: prototype printer permissions file
# $Id: lpd.perms.in,v 1.74 2004/09/24 20:19:53 papowell Exp $
##########################################################################
# Printer permissions data base
## #
## LPRng - An Enhanced Printer Spooler
## lpd.perms file
## Patrick Powell <papowell@lprng.com>
##
## VERSION=3.8.28
##
## Access control to the LPRng facilities is controlled by entries
## in a set of lpd.perms files. The common location for these files
## are: /etc/lpd.perms, /usr/etc/lpd.perms, and /var/spool/lpd/lpd.perms.
## The locations of these files are set by the perms_path entry
## in the lpd.conf file or by compile time defaults in the
## src/common/defaults.c file.
##
## Each time the lpd server is given a user request or carries out an
## operation, it searches to the perms files to determine if the action
## is ACCEPT or REJECT. The first ACCEPT or REJECT found terminates the search.
## If none is found, then the last DEFAULT action is used.
##
## Permissions are checked by the use of 'keys' and matches. For each of
## the following LPR activities, the following keys have a value.
##
## Key          Match Connect Job   Job   LPQ  LPRM LPC
##                            Spool Print
## SERVICE      S     'X'     'R'   'P'   'Q'  'M'  'C'
## USER         S     -       JUSR  JUSR  JUSR JUSR JUSR
## HOST         S     RH      JH    JH    JH   JH   JH
## GROUP        S     -       JUSR  JUSR  JUSR JUSR JUSR
## IP           IP    RIP     JIP   JIP   RIP  JIP  JIP
## PORT         N     PORT    PORT  PORT  PORT PORT PORT
## UNIXSOCKET   V     SK      SK    SK    SK   SK   SK
## REMOTEUSER   S     -       JUSR  JUSR  JUSR CUSR CUSR
## REMOTEHOST   S     RH      RH    JH    RH   RH   RH
## REMOTEGROUP  S     -       JUSR  JUSR  JUSR CUSR CUSR
## CONTROLLINE  S     -       CL    CL    CL   CL   CL
## PRINTER      S     -       PR    PR    PR   PR   PR
## FORWARD      V     -       SA    -     -    SA   SA
## SAMEHOST     V     -       SA    -     SA   SA   SA
## SAMEUSER     V     -       -     -     SU   SU   SU
## SERVER       V     -       SV    -     SV   SV   SV
## LPC          S     -       -     -     -    -    LPC
## AUTH         V     -       AU    AU    AU   AU   AU
## AUTHTYPE     S     -       AU    AU    AU   AU   AU
## AUTHUSER     S     -       AU    AU    AU   AU   AU
## AUTHFROM     S     -       AU    AU    AU   AU   AU
## AUTHSAMEUSER S     -       AU    AU    AU   AU   AU
## REMOTEIP is an alias for REMOTEHOST
## REMOTEPORT is an alias for PORT
## IP is an alias for HOST
##
## KEY:
## JH = HOST IP address/DNS name of host in control file
## RH = REMOTEHOST connecting host IP address/DNS Name
## JUSR = USER user in control file
## CUSR = REMOTEUSER user making control operation request
## JIP= IP IP address/DNS name of host in control file
## RIP= REMOTEIP IP address/DNS name of requesting host
## PORT= connecting host origination port
## SK= true (match) if connection from a unix socket
## CONTROLLINE= pattern match of control line in control file
##
## SA= IP of source of request == IP of host in control file
## SU= user name making request == user in control file
## SV= IP of source of request = IP of server host or server Localhost
## LPC= lpc command globmatched against values
## AU= Authorization check on transfer
## AUTH will be true (match) if authenticated request
## AUTHTYPE will match authentication type of request to pattern
## AUTHUSER will match client authentication id to pattern
## AUTHFROM will match request originator authentication id to pattern
## AUTHSAMEUSER will match requestor authentication id
## to authentication id in job
##
## Match: S = globmatch, IP = IPaddress[/netmask],
## N = low[-high] number range, V= matching or compatible values
## SERVICE: 'X' - Connection request; 'R' - lpr request from remote host;
## 'P' - print job in queue; 'Q' - lpq request, 'M' - lprm request;
## 'C' - lpc spool control request;
## NOTE: when printing (P action), the remote and job check values
## (i.e. - RUSR, JUSR) are identical.
## NOTE: the HOST, USER, SAMEUSER and SAMEHOST checks always succeed
## when checking permissions for a spool queue; they are active only when
## checking permissions of a spooled job.
##
## The UNIXSOCKET will match (true) when connection was made over a UNIX
## socket.
##
## The SAMEHOST match checks to see that one (or more) of the
## IP addresses of the host originating a request is/are the
## matches one or more of the IP addresses of the host whose
## hostname appears in the control file.
## The SAMEHOST match checks to see that one (or more) of the
## IP addresses of the host originating a request is/are the
## matches one or more of the IP addresses of the server.
## FORWARD is the same as NOT SAMEHOST, i.e. - request is
## forwarded.
##
## The special key letter=patterns searches the control file
## line starting with the (upper case) letter, and is usually
## used with printing and spooling checks. For example,
## C=A*,B* would check that the class information (i.e.- line
## in the control file starting with C) had a value starting
## with A or B.
##
## A permission line consists of list of tests and an a result value
## If all of the tests succeed, then a match has been found and the
## permission testing completes with the result value. You use the
## DEFAULT reserved word to set the default ACCEPT/DENY result.
## The NOT keyword will reverse the sense of a test.
##
## Each test can have one or more optional values separated by
## commas. For example USER=john,paul,mark has 3 test values.
##
## The Match type specifies how the matching is done.
## S = glob type string match OR </path
## Format: string with wildcards (*) and ranges
## * matches 0 or more chars
## [a-d] matches a or b or c or d
## Character comparison is case insensitive.
## For example - USER=th*s matches uTHS, This, This, Theses
## USER=[d-f]x matches dx, ex, fx
## If the match is </path then the specified file is
## opened and read, and the file contents are treated like
## S type entries separated by whitespace
##
##
## IP = IP address and submask. IP address must be in dotted form.
## OR </path
## Format: x.x.x.x[/y.y.y.y] x.x.x.x is IP address
## y.y.y.y is optional submask, default is 255.255.255.255
## Match is done by converting to 32 bit x, y, and IP value and using:
## success = ((x ^ IP ) & y) == 0 (C language notation)
## i.e.- only bits where mask is non-zero are used in comparison.
## For example - REMOTEIP=130.191.0.0/255.255.0.0 matches all address 130.191.X.X
## If the match is </path then the specified file is
## opened and read, and the file contents are treated like
## S type entries separated by whitespace
##
## N = numerical range - low-high integer range.
## Format: low[-high]
## Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)
##
## The SAMEUSER and SAMEHOST are options that form values from information
## in control files or connections. The GROUP entry searches the user group
## database for group names matching the pattern, and then searches these
## for the user name. If the name is found, the search is successful.
## The SERVER entry is successful if the request originated from the current
## lpd server host.
##
## Note carefully that the USER, HOST, and IP values are based on values found
## in the control file currently being checked for permissions. The
## REMOTEUSER, REMOTEHOST, and REMOTEIP are based on values supplied as part
## of a connection to the LPD server, or on the actual TCP/IP connection.
##
## The LPC entry matches an LPC command. For example LPC=topq would match
## when an lpc topq command is being executed. You must still have the
## SERVICE=C entry to trigger this action.
##
## Note: the SERVICE=R and SERVICE=P both check the LPR actions
## of sending a job. However, SERVICE=R does it when the job is being
## sent to the LPD server. Some LPD (and LPR) implementations cannot
## handle a job being rejected due to lack of permissions, and sit in
## an endless loop trying to resend the job. This is the reason for
## the SERVICE=P check. You can accept the job for printing, and then
## have the SERVICE=P check remove the job.
##
## NOTE: if you do not have an explicit ACCEPT SERVICE=P or
## DEFAULT ACCEPT action then your print jobs will be accepted
## and then quietly discarded.
##
## Example Permissions
##
## # All operations allowed except those specifically forbidden
## DEFAULT ACCEPT
##
## # Accept connections from hosts on subnet 130.191.0.0 or
## # from the server.
## ACCEPT SERVICE=X REMOTEIP=130.191.0.0/255.255.0.0,\
## 128.0.0.0/8
## # from a named set of sites
## ACCEPT SERVICE=X REMOTEHOST=engpc*
## # listed in the /etc/accepthost file
## ACCEPT SERVICE=X REMOTEHOST=</etc/accepthost
## - /etc/rejecthost contains list of entries separated
## by whitespace. For example:
## 10.0.0.0/8 128.0.0.0/8
## 192.168.10.1 192.168.10.2
## # don't take them from this particular host
## REJECT SERVICE=X REMOTEHOST=badhost.eng.com
## # Reject all others
## REJECT SERVICE=X
##
## #Do not allow anybody but root or papowell on
## #astart1.astart.com or listed in the /etc/ok file
## #to use lpc commands:
## ACCEPT SERVICE=C SERVER REMOTEUSER=root
## ACCEPT SERVICE=C REMOTEHOST=astart1.astart.com \
## REMOTEUSER=papowell,</etc/ok
## /etc/ok has list of users:
## root papowell nobody
## user1 user2
##
## #Allow root on talker.astart.com to control printer hpjet
## ACCEPT SERVICE=C HOST=talker.astart.com PRINTER=hpjet REMOTEUSER=root
## #Reject all others
## REJECT SERVICE=C
##
## #Do not allow forwarded jobs or requests
## REJECT SERVICE=R,C,M FORWARD
##
## If you want to have connections only from programs on
## the local host, then uncomment the next line:
REJECT NOT SERVER
## You can make sure that connections come from a privileged port.
## Default is to allow them from any port so that non-setuid programs
# can do printing.
# Totally RFC1179
#REJECT SERVICE=X NOT PORT=1-1023
#REJECT SERVICE=X NOT PORT=1-1023
# Privileged
#REJECT SERVICE=X NOT PORT=721-731
#
# allow root on server to control jobs
ACCEPT SERVICE=C SERVER REMOTEUSER=root
# allow anybody to get server, status, and printcap
ACCEPT SERVICE=C LPC=lpd,status,printcap
# reject all others
REJECT SERVICE=C
#
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
# all other operations allowed
DEFAULT ACCEPT