[SUMMARY] hosts.lpd problem

From: Siddall P (pauls@essex.ac.uk)
Date: Wed Jul 21 1993 - 13:35:06 CDT


Hi,
        Sorry this is a little late - I waited to see if I got any more
        responses.

        Original Question:

>
> Hello Sun Managers,
>
> My problem is NOT allowing the user "nobody" to print. This is
> mainly to stop PC-NFS users who do not login from printing.
>
> I've tried setting up the hosts.lpd file with an entry :
>
> + -@xyz
>
> where xyz is defined in the netgroup file running NIS as :
> (,nobody,).
>
> I've also attempted explicit machines etc. (for testing) and the
> 'nobody' user isn't being stopped from printing when running
> (for example) net print filea lpt2:
>
> The machine is a 4/330 running 4.1.3 and the PC-NFS is a mixture
> of 3.0.1, 4.0a and mainly 3.5.
>
> Did I miss something??
>
> Any ideas/solutions anyone??
>
> TIA,
> Paul
>
Here are the 3 replies:

1 - Richard Elling wrote:

There are 2 ways you could approach this problem:
        1) upgrade to Solaris 2 and just add nobody to the list
        of users who are denied access to the printer.

        2) modify the print filter to perform access list checking.
        We do this with modified newsprint and transcript filters.

In terms of printer maintenance, option 1 is the easiest.

2 - Pat Cain wrote:

Possibility is that the netgroup you have set up is too large.

Try trimming it down to half a dozen hosts/users (create a new netgroup,
containing a subset of the original, don't destroy what you've already got)
and reboot or restart significant processes (ypserv among them).

I found that with 4.1.1 that I can't have 50 entries in my netgroups, but
a mere 2 or 3 work fine. I haven't experimented with the limit, I
abandoned the project instead, and had my routers do my "netgrouping".

3 - Iain A. Mc Crone wrote:

We have the same problem and the only thing we came up with was to exclude
"nobody" from your NIS passwd file altogether.

-- -- -- -- -- --

We can't go to Solaris 2 yet so I'm not able to follow up Richard's first
solution although I'd probably do this when running Solaris 2.

My particular netgroup for the 'noprint' group only contained the 1 entry so
I don't think that's the problem - although our NIS netgroup file IS large(!)

I tried Iain's solution and when I did a net print c:\config.sys lpt1: the file
was queued and the user shown was root (!!). We were not sure if this could be
(is) a security hole so we put nobody back into passwd file!! - Iain, maybe you
did something extra?? - If so would you mail me with any extra info? - ta

I've found out whilst playing with the hosts.lpd file that if I add an entry
of the form : -hostname then it does disallow access but that's _too_
restrictive. It's the username field that doesn't seem to work.
e.g. hostname -nobody (or whatever user I try) STILL allows lpr to work

We did try another approach - to add an "rs" (restricted group) line into
the /etc/printcap file - to only allow 'ircstaff' to print and this worked -
but PC-NFS didn't return an error - it just didn't print. The only problem
with this is that root (etc) isn't a member of ircstaff so we need to tweak
things a little. This is the way we will probably go.

Thanks to those who replied and if anyone else out there has any ideas please
send them to me. If I get more info I'll post another summary.

Raymond Ballisti (ballisti@ifh.ee.ethz.ch) also wanted info/solutions - Hope
this is of some help Ray.

Thanks to:
richard.elling@eng.auburn.edu
pjc%denver.ssds.COM
iain@cee.hw.ac.uk

        Paul
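
Added example, not part of the original post or of the modified filters Richard Elling mentions: a sketch of his second option, an lpd input-filter wrapper that checks the job's login against a deny list before handing the job to the real filter. The deny-list path and format, the real filter path and the script name lpd-acl-filter are assumptions.

```shell
#!/bin/sh
# Added example: access-list wrapper for a BSD lpd input filter (printcap if=).
# lpd runs the filter as: if [-c] -wWIDTH -lLENGTH -iINDENT -n login -h host acct-file
# Hypothetical (not from the post): both paths below and the deny-list format.
DENY_LIST=${DENY_LIST:-/etc/lpd.deny}             # one "login" or "login@host" per line
REAL_FILTER=${REAL_FILTER:-/usr/local/lib/lpd/if} # the site's real input filter

# Print "login host" as taken from lpd's -n and -h arguments.
job_owner() {
    login='' host=''
    while [ $# -gt 0 ]; do
        case $1 in
            -n) [ $# -ge 2 ] && { login=$2; shift; } ;;
            -h) [ $# -ge 2 ] && { host=$2; shift; } ;;
        esac
        shift
    done
    echo "$login $host"
}

# Return 0 if the job may print, 2 if it must be refused.
# Fails closed: a missing login or an unreadable deny list refuses the job.
job_allowed() {
    login=$1 host=$2
    [ -n "$login" ] || return 2
    [ -r "$DENY_LIST" ] || return 2
    while read -r entry rest || [ -n "$entry" ]; do
        case $entry in
            ''|'#'*) continue ;;
            "$login"|"${login}@${host}") return 2 ;;
        esac
    done < "$DENY_LIST"
    return 0
}

filter_main() {
    owner=$(job_owner "$@")
    if job_allowed "${owner%% *}" "${owner#* }"; then
        exec "$REAL_FILTER" "$@"        # allowed: hand the job to the real filter
    fi
    echo "lpd-acl: refused job from '$owner'" >&2
    return 2                            # lpd filter exit 2 = discard the job
}

# Runs only when installed under this (hypothetical) name as the if= filter.
case ${0##*/} in
    lpd-acl-filter) filter_main "$@"; exit $? ;;
esac
```

The login passed with -n comes from the job's control file as submitted by the client, so this is a policy check on what the client reports, not authentication of the sender.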


