
Re: print permissions



On Wed, Jun 17, 1998 at 10:51:11AM -0400, tko@westgac3.dragon.com wrote:
> Hamish Moffatt writes:
> > On Wed, Jun 17, 1998 at 08:14:00AM -0400, Paul Miller wrote:
> > > How can I control who can print and who can't?
> > 
> > I am guessing, but I guess you could put everyone who may print
> > in the lp group, and remove the setgid bit on /usr/bin/lpr* -- but
> > then those users will be able to play with the files in /var/spool/lpd
> > directly, which they normally cannot.
> > 
> 
> Or, one could use the TCP wrapper methodology. Rename lpr, create a wrapper
> and call it "lpr". Then have the wrapper check an "allowed user" file when a
> print request comes in. It then either passes on the printing job to the real
> lpr or rejects it with a diagnostic message (as a courtesy).

However I think there is an element of "security by obscurity" in this --
if they can find the original lpr, they can use it anyway. You can't make
the wrapper script unreadable, either; you could write a program, but
it's still going to know the location. I guess you could make the program
unreadable (but executable), and make the actual lpr binary directory
unreadable too. Urk.


Hamish
-- 
Hamish Moffatt, hamish@debian.org, hamish@rising.com.au, hmoffatt@mail.com
Latest Debian packages at ftp://ftp.rising.com.au/pub/hamish. PGP#EFA6B9D5
CCs of replies from mailing lists are welcome.   http://hamish.home.ml.org
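
The concern in this message, that a wrapper only advises while the real lpr stays directly executable, can be checked from the real binary's mode bits. The script below is an added example, not part of the original post; it assumes GNU stat, and the function names and demo file names are hypothetical stand-ins.

```shell
#!/bin/sh
# Added example: can a wrapper in front of a binary be bypassed by running
# the real binary directly? Decided purely from the real binary's mode bits.

# classify_mode OCTAL_MODE -> prints one verdict word
#   bypassable  : "other" execute bit set, anyone can skip the wrapper
#   locked      : neither group nor other can execute
#   group-setgid: only group members can execute, binary runs setgid
#   group-only  : only group members can execute, no setgid (they act with
#                 their own identity, so they need spool access themselves)
classify_mode() {
    perm=$((0$1))                      # leading 0 => parse as octal
    if [ $((perm & 01)) -ne 0 ]; then
        echo bypassable
    elif [ $((perm & 010)) -eq 0 ]; then
        echo locked
    elif [ $((perm & 02000)) -ne 0 ]; then
        echo group-setgid
    else
        echo group-only
    fi
}

# audit_binary PATH -> prints "PATH mode=... group=... verdict=..."
audit_binary() {
    [ -f "$1" ] || { echo "$1 verdict=missing"; return 0; }
    mode=$(stat -c '%a' "$1")          # GNU stat: octal mode, e.g. 2755
    group=$(stat -c '%G' "$1")
    echo "$1 mode=$mode group=$group verdict=$(classify_mode "$mode")"
}

# Constructed demo files standing in for a renamed lpr (hypothetical names).
demo=$(mktemp -d)
: > "$demo/lpr.real-open";  chmod 755 "$demo/lpr.real-open"
: > "$demo/lpr.real-group"; chmod 750 "$demo/lpr.real-group"
audit_binary "$demo/lpr.real-open"     # verdict=bypassable
audit_binary "$demo/lpr.real-group"    # verdict=group-only
rm -rf "$demo"
```

A `group-only` verdict corresponds to the lp-group suggestion quoted above, including its side effect that those users work on the spool directory with their own group rights.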

