SUMMARY: Restricted access to printer

From: /DD.SYS=12762/DD.UFD=ETX600/I=P/G=JUKKA/S=TOUKONEN/O=TELEBOX/@mailnet.fi
Date: Sun Dec 22 1991 - 16:37:51 CST


This is my second try to send this SUMMARY. ( 22-dec-1991 )

Thanks to everyone who replied. Somebody might find him/herself missing
blame this "reliable" post system.

First of all. My mailer is something strange because I'm using Finnish Tele
company's proprietary mail system. It is connected to FUNET (Finnish
Universities Network ( Internet ) ) via X.400.

I forgot to mention we are still using 3/60:s with 4.0.3 so we don't have
the newest manuals. I haven't even purchased the colour postscript but it
will happen soon.

The most of the colour postscript printing will be foils and I have heard
that automatic feeding of them have created problems. I'm going to check it
but if it's true it would be much more sensible to connect the printer to a
PC and run it locally ( and feed foils manually ).

IF I'm running it through the network the first I'm going to try the
solution with separate group of those authorized for printing:

>From: PN=hasley/O=edu/C=fi/ADMD=mailnet/PRMD=inet/OU=bgsu/OU=andy/FF=John
>Hasley

>Check the printcap(5) man page entry. There you will find an entry
>for 'rg', about which the 4.3BSD Line Printer Spooler Manual says:
>(Section 4.3)

> "Local access to printer queues is controlled with the rg printcap
entry.

> :rg=lprgroup:

>"Users must be in the group 'lprgroup' to submit jobs to the specified
>printer. The default is to allow all users access. Note that once the
>files are in the local queue, they can be printed locally or forwarded
>to another host depending on the configuration."

>The above is almost definitely what you want.

Anyone who wants to hear about real world testing mail me and I will send
results later ( next year ).

Summary of replies ( 430 lines long )
---------------------------------------------------------------------------
From:PN=/O=net/C=fi/ADMD=mailnet/PRMD=inet/OU=EU/OU=relay/DDA=RFC-822=tscs
(b)novak(a)relay.EU.net/FF= (Albert Novak)

    The file /etc/hosts.lpd lists hosts that only can have printer queue
access to your server. The format is the same as hosts.eqiv. See lpd(8).
The connection via a parallel port in the Sun server would be faster. A
sample printcap entry follows for an Aurora 210S S-Bus board:

hplj3|HP LaserJet III:\
:lp=/dev/ttyc0:\
:br#19200:\
:sd=/var/spool/hplj3:\
:fc#0777:\
:fs#06021:\
:lf=/usr/adm/lpd-errs:\
:pl#60:\
:mx#0:\
:sb:\
:sf:\
:sh:\
:xc#07737:\
:xs#040:

This worked at a distance of 65 feet away.

Albert Novak

UUCP: uupsi2!pdn!tscs!novak
---------------------------------------------------------------------------
From: PN=ca/O=informatik/C=DE/ADMD=DBP/PRMD=uni-kiel/OU=idefix/FF=Claus
Assmann

Take a look at printcap(5):
     rg str NULL restricted group. Only
                                  members of group allowed access

(Don't know, if it works :-)

Regards,

Claus
---------------------------------------------------------------------------
From:PN=/O=net/C=fi/ADMD=mailnet/PRMD=inet/OU=EU/OU=relay/DDA=RFC-822=trdl
nk(b)mike(a)relay.EU.net/FF= (Michael Sullivan)

>I don't have any experience with colour printers, but from what I know about
>black-on-white PostScript printers, I would say that a serial interface is
>fine if you are mostly going to print text or simple diagrams and charts, but
>if you are going to be printing high resolution images you will want the
>higher throughput of a parallel interface. It can take many minutes to send
>a grey-scale image to the printer over a serial interface; colour images
>will be three times as slow! Before you buy a parallel interface, be sure to
>inquire as to its maximum throughput, system overhead (does it generate an
>interrupt for every character?) and compatibility with your printing software.

>Regarding restricted access, take a look at printcap(5). It describes a
>restricted group (rg) capability which might do the trick.
>I have never tried it myself...

My reply:

Last yesterday I met again the question about printing speed. I think the
biggest piece of timecake depends on the rate of processing postscript code
to pixels ( most likely inside printer ). If I'm printing from the PC the
next time burner is the software translating graphics to postscript. Only
after them comes the transmission speed from server to printer.

If you have fast printer connected to fast workstation things can be totally
different.
--------------------------------------------------------------------------
From: PN=kevins/O=com/C=fi/ADMD=mailnet/PRMD=inet/OU=Sun/OU=Aus/FF= (Kevin
Sheehan ?Consulting Poster Child?)

My solution to a similar problem was to create a small setuid program
that checked the access list, then forked off the application (lpr in your
case) with the passed arguments if the check succeeded. The application
was only runnable by that user, so only the front end could run it.

Should work okay for lpr as well.

          l & h,
          kev

kevin.sheehan@fourx.aus.sun.com

--------------------------------------------------------------------------
From:PN=CCTR114/O=nz/C=fi/ADMD=mailnet/PRMD=inet/OU=ac/OU=canterbury/OU=cs
c/FF=Bill Rea, University of Canterbury, New Zealand

Below is a C program which I use as an input filter to stop computer
science people from using our printers. The restricted group field in
the printcap file only allows a single group to use the printer. The
input filter excludes the specified groups.
                                             ___
Bill Rea
-------------------------------Included File-------------------------------

#include <stdio.h>
#include <grp.h>

/***********************************************************************/
/* */
/* The purpose of this program is to count the number of pages which a */
/* user prints for any given print job. It looks through the file and */
/* counts up the lines and increases the page counter for each form */
/* feed or when then number of lines goes over a page. */
/* This version excludes computer science users. If a Computer */
/* Science User is found trying to print it just aborts with an error */
/* not to print the job (exit value 2). */
/* */
/* Author: W.S. Rea */
/* Date: 23-Feb-1990 */
/* Modifications: */
/* 23-Mar-1990 Exclude Computer Science Users */
/* */
/***********************************************************************/

main (argc,argv)
int argc;
char *argv[];
{
  char *login;
  char *length;
  char *actfil;
  char *code;
  int print_plus_();
  struct group *cosc_group;
  int i,lines,pages,ch,chars,page_length,login_len;
  int gid,status;
  FILE *output_file;

  lines=0; /* They can print no lines is they want but they */
  pages=1; /* get charged for at least a page. */
  if (argc == 9)
  {
    length=argv[2]+2; /* If the argument count is 9 then they haven't */
    login=argv[5]; /* used the -l option so pick out the page */
    actfil=argv[8]; /* length, their login name and the account file*/
  }
  else if (argc == 10)
  {
    length=argv[3]+2; /* If the argument count is 10 then the -l */
    login=argv[6]; /* option was used, all the values are moved */
    actfil=argv[9]; /* along one in the arg list. */
  }
  else
  {
    exit(2); /* Don't understand anything other than 9 or */
  } /* 10 arguments, abort the job. */
  cosc_group=getgrgid(341); /*Exclude Stage 2 Cosc */
  while (*(cosc_group -> gr_mem) != NULL)
  {
    if (strcmp(login,*(cosc_group -> gr_mem)) == 0)
       exit(2);
    *(cosc_group -> gr_mem)++;
  }
  cosc_group=getgrgid(348); /*Exclude Stage 2 Cosc */
  while (*(cosc_group -> gr_mem) != NULL)
  {
    if (strcmp(login,*(cosc_group -> gr_mem)) == 0)
       exit(2);
    *(cosc_group -> gr_mem)++;
  }
  cosc_group=getgrgid(349); /* Exclude Stage 3 Cosc */
  while (*(cosc_group -> gr_mem) != NULL)
  {
    if (strcmp(login,*(cosc_group -> gr_mem)) == 0)
       exit(2);
    *(cosc_group -> gr_mem)++;
  }
  cosc_group=getgrgid(347); /* Exclude Cosc Hons */
  while (*(cosc_group -> gr_mem) != NULL)
  {
    if (strcmp(login,*(cosc_group -> gr_mem)) == 0)
       exit(2);
    *(cosc_group -> gr_mem)++;
  }
  cosc_group=getgrgid(346); /* Exclude Cosc Masters */
  while (*(cosc_group -> gr_mem) != NULL)
  {
    if (strcmp(login,*(cosc_group -> gr_mem)) == 0)
       exit(2);
    *(cosc_group -> gr_mem)++;
  }
  cosc_group=getgrgid(345); /* Exclude Cosc Ph.D. */
  while (*(cosc_group -> gr_mem) != NULL)
  {
    if (strcmp(login,*(cosc_group -> gr_mem)) == 0)
       exit(2);
    *(cosc_group -> gr_mem)++;
  }
  cosc_group=getgrgid(344); /* Exclude Cosc Staff */
  while (*(cosc_group -> gr_mem) != NULL)
  {
    if (strcmp(login,*(cosc_group -> gr_mem)) == 0)
       exit(2);
    *(cosc_group -> gr_mem)++;
  }
  cosc_group=getgrgid(341); /* Exclude CMIS */
  while (*(cosc_group -> gr_mem) != NULL)
  {
    if (strcmp(login,*(cosc_group -> gr_mem)) == 0)
       exit(2);
    *(cosc_group -> gr_mem)++;
  }
  cosc_group=getgrgid(342); /* Exclude CMIS */
  while (*(cosc_group -> gr_mem) != NULL)
  {
    if (strcmp(login,*(cosc_group -> gr_mem)) == 0)
       exit(2);
    *(cosc_group -> gr_mem)++;
  }
  cosc_group=getgrgid(340); /* Exclude ordinary Cosc */
  while (*(cosc_group -> gr_mem) != NULL)
  {
    if (strcmp(login,*(cosc_group -> gr_mem)) == 0)
       exit(2);
    *(cosc_group -> gr_mem)++;
  }

  while((ch = getchar()) != EOF)
  {
     putchar(ch);
  }
}
--------------------------------------------------------------------------
From: PN=ckon/O=gr/C=fi/ADMD=mailnet/PRMD=inet/OU=intranet/FF= (Chris
Kondellis)

>Hi,
>You can use the /etc/hosts.lpd file (lpd(8))

>I hope this will help

>-C

>ckon@intranet.gr

My reply:

Even if I didn't ask host depedend solution later It came in my mind It
could be possible use hosts.lpd file to restrict PC:s access to printer.
I'm not sure about PC-NFS printing mechanism. Does the spooler see the files
coming from the remote hosts ( PCs ) or does the server pretend local
printing requests ?
-------------------------------------------------------------------------
From: PN=hasley/O=edu/C=fi/ADMD=mailnet/PRMD=inet/OU=bgsu/OU=andy/FF=John
Hasley

Check the printcap(5) man page entry. There you will find an entry
for 'rg', about which the 4.3BSD Line Printer Spooler Manual says:
(Section 4.3)

     "Local access to printer queues is controlled with the rg printcap
entry.

     :rg=lprgroup:

"Users must be in the group 'lprgroup' to submit jobs to the specified
printer. The default is to allow all users access. Note that once the
files are in the local queue, they can be printed locally or forwarded
to another host depending on the configuration."

The above is almost definitely what you want.

Or, if you want something more fancy, you can play with making your own
filter. The same paper continues: (Section 5)

     "Filters are spawned by lpd with their standard input the data
to be printed, and standard output the printer. The standard error is
attached to the lf file for logging errors or syslogd may be used for
logging errors. A filter must return a 0 exit code if there were no
errors, 1 if the job should be reprinted, and 2 if the job should be
thrown away. When lprm sends a kill signal to the lpd process controlling
printing, it sends a SIGINT signal to all filters and descendents of filters.
This signal can be trapped by filters that need to do cleanup operations
such as deleting temporary files.
  "Arguments passed to a filter depend on its type. The of fileter
is called with the following arguments.

     filter -wwidth -llength

"The width and length values come from the pw and pl entries in the
printcap database. The if filter is passed the following parameters.

     filter [-c] -wwidth -llength -iindent -n login -h host accounting_file

[[Optional -c means pass control characters, -w and -l are as above,
  -n is login name, -h is host name, and the accounting file is the
  accounting file listed in printcap.]]

"All other filters are called with the following arguments:

     filter -xwidth -ylength -n login -h host accounting_file
     [arg0 arg1 arg2 3 arg4 5 arg6 arg7]

"The -x and -y options specify the horizontal and vertical page size
in pixels (from the px and py entries in the printcap file). The rest
of the arguments are the same as for the if filter.

As for specifics about using your printer, I'm afraid I can't help you,
because the printer with which I have experience is unsuited for your
needs.

hasley@bgsu.edu
--------------------------------------------------------------------------
From:PN=bkelley/O=com/C=fi/ADMD=mailnet/PRMD=inet/OU=ford/OU=pms/OU=pms001
/FF= ( Brian Kelley )

There are several ways to restrict printer access. I would probably
set up a print filter which would look at a list of authorized users. If
the user isn't in the list, you could easily Email their print job back
to them with a note stating that they were not authorized to print to the
printer... It might also be possible to setup a new group of users for
printer access, though I've never done it that way.

bkelley@pms001.pms.ford.com
--------------------------------------------------------------------------
From: PN=smc/O=gov/C=fi/ADMD=mailnet/PRMD=inet/OU=LANL/OU=goshawk/FF=
(Susan Coghlan)

  If you don't absolutely have to be offline, you could use the
:rg= field
in the /etc/printcap file to restrict access to users in a
specific group
(as defined in the /etc/groups file).

smc@goshawk.lanl.gov
--------------------------------------------------------------------------
From: PN=leh/O=edu/C=fi/ADMD=mailnet/PRMD=inet/OU=ufl/OU=cis/OU=manatee

Look at the rg=str option to restrict printer usage to a single
group.

Les

--------------------------------------------------------------------------
From:PN=pjw/O=mil/C=fi/ADMD=mailnet/PRMD=inet/OU=navy/OU=usna/OU=sma/OU=ma
th30/FF= (Peter J. Welcher (math FACULTY) <pjw@math30.sma.usna.navy.MIL>

>An issue I haven't seen adequately discussed, so I'm interested in your
>replies.

>Have you considered what happens when Postscript without a proper header gets
>sent to your colour printer ? You could waste 200 pages of colour hardcopy
printing
>Postscript as text (we've done it with b&w laser printers). That gets expensive
>!

>Yet there are lots of PC programs that don't put %! PS-Adobe at the top of
>the output. If you use the hot key under PC-NFS, the file that printer output
>accumulates in may not start with %! PS-Adobe, for various reasons. >Something
>to think about: one wants a filter that rejects non-Postscript files.

My reply:

I haven't find that a problem because Postscript-only printers can handle
only postscript. The problem will arise with newer QMS printers with
autosensing file format. If it thinks postscript file is a text file to
print with Laserjet emulation, huge masses of paper is produced.

We have met the problem when line printers start to print megabytes of
postscript. But it's so rare happening I have not bothered to create any
automatic filtering.
-------------------------------------------------------------------------
From:PN=erueg/O=de/C=fi/ADMD=mailnet/PRMD=inet/OU=gwdg/OU=uni-math/OU=cfga
uss/FF= (Eckhard Rueggeberg)

Put an input filter entry (:if=...:) in the /etc/printcap. Then install
a sciptfile as that filter. This gets the user name as 5th and remote
host as 7th parameter (You can find the others in the "System and Network
Administration Manual" in the Chapter "Input Filters", which is 15.3 if
I remember correctly.) This script can handle the printing request (which
comes on standard input) as it wants to, cat'ing it to either stdout, which
is printing in fact, or /dev/null, according to user name.

My printcap entry for a PostScript (HPLJIII) printer is

1|psout|HP Laserjet III PostScript Output|pslaser:\
        :br#19200:ms=litout:sh:sc:mx#0:\
        :lp=/dev/ttyb:\
        :lf=/var/adm/lpd.errs:\
        :af=/var/adm/lpd.acct:\
        :sd=/var/spool/lpd/psout:\
        :if=/var/spool/lpd/psout/ps-if:

and we use it serial, as you can see. We use an other printer parallel,
because it is an old PC dot matrix printer with only parallel port. For
that purpose, we bought a (PC) Hardware Printer Spooler with 256KB buffer
which has a serial input and parallel output. This seems to be rather quick
and not too expensive (around 100 US$, we couldn't get one in Germany.

Hope this helps,

---------------------------------------------------------------------------
Original message:

RESTRICTED ACCESS TO PRINTER
****************************

We are going to install a postscript colour printer to our server
Sun sparc 2 or IPX . We have also about 70 PC:s running SUN PC-NFS
and using server printers.

Any experience ? Can we use serial line or shall we buy parallel inter-
face ? Printcaps ?

But the more general problem is how to create restricted access to the
printer. We can't have a server dedicated to only those users who
should be able to print.
We should have an easy identification process which asks who is printing
( NOT ONLINE ! ) and after looking from the list of authorized printer
users lets the printfile be transferred to printer or not.

************************************************************************
Jukka Toukonen
ABB STR\MBERG DRIVES OY elec.mail jukka.p.toukonen@telebox.tele.fi
P.O.Box 655 fax. +358-61-161 045
SF-65101 VAASA voice. +358-61-162 399
FINLAND
************************************************************************



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:21 CDT