On Wed, Jun 17, 1998 at 10:51:11AM -0400, [EMAIL PROTECTED] wrote:
> Hamish Moffatt writes:
> > On Wed, Jun 17, 1998 at 08:14:00AM -0400, Paul Miller wrote:
> > > How can I control who can print and who can't?
> >
> > I am guessing, but I guess you could put everyone who may print
> > in the lp group, and remove the setgid bit on /usr/bin/lpr* -- but
> > then those users will be able to play with the files in /var/spool/lpd
> > directly, which they normally cannot.
> >
>
> Or, one could use the TCP wrapper methodology. Rename lpr, create a wrapper
> and call it "lpr". Then have the wrapper check an "allowed user" file when a
> print request comes in. It then either passes on the printing job to the real
> lpr or rejects it with a diagnostic message (as a courtesy).

However I think there is an element of "security by obscurity" in this --
if they can find the original lpr, they can use it anyway. You can't make
the wrapper script unreadable, either; you could write a program, but
it's still going to know the location. I guess you could make the program
unreadable (but executable), and make the actual lpr binary directory
unreadable too. Urk.

Hamish
--
Hamish Moffatt, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Latest Debian packages at ftp://ftp.rising.com.au/pub/hamish. PGP#EFA6B9D5
CCs of replies from mailing lists are welcome. http://hamish.home.ml.org
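
An added example, not part of the original thread: a shell check, from the administrator's side, of whether a wrapper in front of a renamed lpr restricts anyone, judged only from the mode bits of the real binary and its immediate directory. The path passed in (wherever the real binary was moved) is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread); paths given to it are hypothetical.
# Decides from mode bits alone whether users outside the owner/group can
# run a renamed "real" binary directly, bypassing a wrapper in front of it.

# other_bit PATH: print the "other execute/search" character of PATH's mode
# as shown by ls (x or t = allowed, - or T = denied).
other_bit() {
    ls -ld -- "$1" | cut -c10
}

# other_allowed PATH: succeed if "other" may execute (file) or search (dir).
other_allowed() {
    case "$(other_bit "$1")" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# wrapper_bypassable REAL_BINARY: succeed if any user can exec REAL_BINARY
# by path. Only the binary and its immediate directory are checked.
# The directory's read bit is ignored on purpose: it controls listing of
# names, not execution of a path that is already known.
wrapper_bypassable() {
    other_allowed "$1" && other_allowed "$(dirname "$1")"
}

# report REAL_BINARY: print a one-line verdict.
report() {
    if wrapper_bypassable "$1"; then
        echo "BYPASSABLE: $1 can be run by any user; the wrapper is advisory only"
    else
        echo "ENFORCED: $1 is closed to 'other'; access follows owner and group"
    fi
}

# Usage: sh check.sh /path/to/renamed/lpr
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

A directory with mode 711 still reports BYPASSABLE, while clearing the "other" execute bit on the binary or the search bit on its directory reports ENFORCED.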