
Re: print permissions



> 
> On Wed, Jun 17, 1998 at 10:51:11AM -0400, tko@westgac3.dragon.com wrote:
> > Hamish Moffatt writes:
> > > On Wed, Jun 17, 1998 at 08:14:00AM -0400, Paul Miller wrote:
> > > > How can I control who can print and who can't?
> > > 
> > > I am guessing, but I guess you could put everyone who may print
> > > in the lp group, and remove the setgid bit on /usr/bin/lpr* -- but
> > > then those users will be able to play with the files in /var/spool/lpd
> > > directly, which they normally cannot.
> > > 
> > 
> > Or, one could use the TCP wrapper methodology. Rename lpr, create a wrapper
> > and call it "lpr". Then have the wrapper check an "allowed user" file when a
> > print request comes in. It then either passes on the printing job to the real
> > lpr or rejects it with a diagnostic message (as a courtesy).
> 
> However I think there is an element of "security by obscurity" in this --
> if they can find the original lpr, they can use it anyway. You can't make
> the wrapper script unreadable, either; you could write a program, but
> it's still going to know the location. I guess you could make the program
> unreadable (but executable), and make the actual lpr binary directory
> unreadable too. Urk.

What about this: 

-rwsr-sr-x   1 root     lp          14236 Jul 30  1997 /usr/bin/lpr
-rwxr-xr-x   1 root     lp          14236 Jul 30  1997 /usr/bin/lpr.orig
(fake listing, just for demo purposes)

Now lpr is the wrapper program (not script) and the real lpr, lpr.orig
does not have the right permissions to run.  I think this is how sudo
works.

Eric

-- 
 E.L. Meijer (tgakem@chem.tue.nl)          | tel. office +31 40 2472189
 Eindhoven Univ. of Technology             | tel. lab.   +31 40 2475032
 Lab. for Catalysis and Inorg. Chem. (TAK) | tel. fax    +31 40 2455054
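As an added illustration of the compiled wrapper the thread describes (this is example code written for this page, not lpr from any distribution and not code by any of the posters), the program below checks the invoking user against an allow list and then exec's the renamed real lpr. The paths /usr/bin/lpr.orig and /etc/lpr.allow are assumptions, as is the list format (one user name per line, '#' for comments). It is a compiled program rather than a script because the kernel ignores set-id bits on interpreted scripts, and exec() preserves the effective IDs the wrapper was given, so lpr.orig reaches the spool only when started through the wrapper.

```c
/* lpr-wrap.c: added example of the wrapper approach discussed above.
 * Assumed layout (not from the original post):
 *   REAL_LPR   = /usr/bin/lpr.orig  (the renamed real lpr, without set-id bits)
 *   ALLOW_FILE = /etc/lpr.allow     (one user name per line, '#' comments)
 * Install the compiled binary as /usr/bin/lpr carrying the set-id bits the
 * real lpr used to have; execv() keeps those effective IDs for lpr.orig. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

#define REAL_LPR   "/usr/bin/lpr.orig"   /* assumed path */
#define ALLOW_FILE "/etc/lpr.allow"      /* assumed path */

/* Return 1 if `user` appears as a whole line of `list_text`, else 0.
 * Blank lines and lines starting with '#' are ignored; a line must match
 * exactly, so "al" does not match "alice". */
int user_in_list(const char *list_text, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = list_text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        /* tolerate a trailing CR if the file was edited on another system */
        if (len && p[len - 1] == '\r')
            len--;
        if (len && p[0] != '#' && len == ulen && memcmp(p, user, ulen) == 0)
            return 1;
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Load the allow file and check `user` against it. A missing or unreadable
 * list denies everyone (fail closed) instead of silently granting printing. */
int user_allowed(const char *listfile, const char *user)
{
    FILE *f = fopen(listfile, "r");
    if (!f)
        return 0;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return user_in_list(buf, user);
}

int main(int argc, char **argv)
{
    (void)argc;
    /* Decide on the real (invoking) user, not the effective one the
     * set-id bits on this binary gave us. */
    struct passwd *pw = getpwuid(getuid());
    if (!pw) {
        fprintf(stderr, "lpr: cannot determine invoking user\n");
        return 1;
    }
    if (!user_allowed(ALLOW_FILE, pw->pw_name)) {
        /* the courtesy diagnostic mentioned in the thread */
        fprintf(stderr, "lpr: user %s is not permitted to print\n", pw->pw_name);
        return 1;
    }
    /* Hand the whole command line to the real lpr; argv[0] is set so its
     * own messages still read "lpr: ...". */
    argv[0] = "lpr";
    execv(REAL_LPR, argv);
    perror("lpr: exec of real lpr failed");
    return 1;
}
```

Because the privilege lives in the wrapper and not in lpr.orig, a user who finds the original binary can run it but it cannot write to the spool, which answers the obscurity concern raised earlier in the thread; the allow file should be writable only by root so users cannot add themselves.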

