char *db = "moira/moira";
void do_host(char *host);
-void dump_acl(FILE *out, int id, int realms);
void sqlerr(void);
#ifndef MAX
#define MAX(a, b) ( (a) > (b) ? (a) : (b) )
char name[MACHINE_NAME_SIZE];
EXEC SQL END DECLARE SECTION;
+ init_acls();
+
EXEC SQL CONNECT :db;
EXEC SQL WHENEVER SQLERROR DO sqlerr();
"daemon", "daemon", now);
fprintf(out, "# Allow anybody to connect, get status, list queue, or "
"print (once a\n# job is spooled)\n");
- fprintf(out, "ACCEPT SERVICE=X,S,Q,P\nACCEPT LPC=status,lpq\n\n");
+ fprintf(out, "ACCEPT SERVICE=X,S,Q,P\nACCEPT LPC=status,lpq,printcap\n\n");
fprintf(out, "# Only trust certain host keys to forward jobs/commands\n");
- fprintf(out, "REJECT AUTHFROM=?* PRINTER=</var/spool/printer/queues.secure "
- "NOT AUTHFROM=</var/spool/printer/hostkeys.allow\n");
- fprintf(out, "REJECT AUTHFROM=?* AUTHJOB "
- "NOT AUTHFROM=</var/spool/printer/hostkeys.allow\n\n");
+ fprintf(out, "REJECT SERVICE=R AUTHFROM=?* "
+ "PRINTER=</var/spool/printer/queues.secure "
+ "NOT AUTHFROM=</var/spool/printer/hostkeys.allow FORWARD\n");
+ fprintf(out, "REJECT SERVICE=R AUTHFROM=?* AUTHJOB "
+ "NOT AUTHFROM=</var/spool/printer/hostkeys.allow FORWARD\n\n");
+
+ fprintf(out, "# Allow root to control and remove jobs\n");
+ fprintf(out, "ACCEPT SERVICE=C,R SERVER REMOTEUSER=root\n\n");
+
+ fprintf(out, "# Allow admins to control and remove jobs\n");
+ fprintf(out, "ACCEPT SERVICE=C,R AUTH=USER AUTHUSER=</var/spool/printer/lpcaccess.top\n\n");
+
+ fprintf(out, "# Printer-specific LPC ACLs\n");
+ EXEC SQL DECLARE csr_lpc CURSOR FOR
+ SELECT rp, duplexname FROM printers
+ WHERE rm = :rm AND lpc_acl != 0;
+ EXEC SQL OPEN csr_lpc;
+ while (1)
+ {
+ EXEC SQL FETCH csr_lpc INTO :name, :duplexname;
+ if (sqlca.sqlcode)
+ break;
+
+ strtrim(name);
+ strtrim(duplexname);
+ fprintf(out, "ACCEPT SERVICE=C,R PRINTER=%s%s%s AUTH=USER "
+ "AUTHUSER=</var/spool/printer/%s/lpcaccess\n",
+ name, *duplexname ? "," : "", duplexname, name);
+ }
+ EXEC SQL CLOSE csr_lpc;
+ fprintf(out, "\n");
fprintf(out, "# Reject jobs from unauthorized users to restricted queues\n");
EXEC SQL DECLARE csr_ac CURSOR FOR
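Review bot: The comments on the moved root, admin and per-printer LPC rules no longer describe what the rules grant: each `ACCEPT SERVICE=C,R ...` line now includes R, which elsewhere in this file is job submission (`ACCEPT SERVICE=R AUTH=USER,FWD` under "Accept authenticated jobs"), while job removal is M (`ACCEPT SERVICE=M ... AUTHSAMEUSER` under "lprm their jobs"). Because these ACCEPT lines were also moved ahead of the "# Reject jobs from unauthorized users to restricted queues" cursor, root, lpcaccess.top members and per-printer lpcaccess members appear to gain submission to restricted queues that the later REJECT would otherwise apply to; if that is intended, the comments should say so, e.g. `# Allow admins to control and submit jobs (evaluated before the restricted-queue rejects below)`, and if not, the service list should stay `C` or the block should move back below the restricted-queue cursor. The same ordering question applies to the `REJECT SERVICE=R USER=</var/spool/printer/users.deny` lockout added later in this function, which is only reached after these ACCEPT lines. The enclosing function starts before this hunk.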
EXEC SQL CLOSE csr_ac;
fprintf(out, "\n");
+ fprintf(out, "# Allow us to lock out users\n");
+ fprintf(out, "REJECT SERVICE=R USER=</var/spool/printer/users.deny\n");
fprintf(out, "# Accept authenticated jobs to all other printers\n");
fprintf(out, "ACCEPT SERVICE=R AUTH=USER,FWD\n");
fprintf(out, "# Allow authenticated users to lprm their jobs\n");
fprintf(out, "ACCEPT SERVICE=M AUTH=USER,FWD AUTHJOB AUTHSAMEUSER\n\n");
fprintf(out, "# Reject unauthentic print/lprm requests to authenticated queues\n");
- fprintf(out, "REJECT SERVICE=R,M "
+ fprintf(out, "REJECT SERVICE=R,M NOT AUTH "
"PRINTER=</var/spool/printer/queues.secure\n\n");
fprintf(out, "# Reject unauthentic print requests from off MITnet\n");
fprintf(out, "# Accept unauthentic print requests if same user and on MITnet\n");
fprintf(out, "ACCEPT SERVICE=M NOT AUTHJOB SAMEUSER REMOTEIP=</var/spool/printer/masks.allow\n\n");
- fprintf(out, "# Allow root to control and remove jobs\n");
- fprintf(out, "ACCEPT SERVICE=C SERVER REMOTEUSER=root\n\n");
-
- fprintf(out, "# Allow admins to control and remove jobs\n");
- fprintf(out, "ACCEPT SERVICE=C AUTH=USER AUTHUSER=</var/spool/printer/lpcaccess.top\n\n");
-
- fprintf(out, "# Printer-specific LPC ACLs\n");
- EXEC SQL DECLARE csr_lpc CURSOR FOR
- SELECT rp, duplexname FROM printers
- WHERE rm = :rm AND lpc_acl != 0;
- EXEC SQL OPEN csr_lpc;
- while (1)
- {
- EXEC SQL FETCH csr_lpc INTO :name, :duplexname;
- if (sqlca.sqlcode)
- break;
-
- strtrim(name);
- strtrim(duplexname);
- fprintf(out, "ACCEPT SERVICE=C PRINTER=%s%s%s AUTH=USER "
- "AUTHUSER=</var/spool/printer/%s/lpcaccess\n",
- name, *duplexname ? "," : "", duplexname, name);
- }
- EXEC SQL CLOSE csr_lpc;
- fprintf(out, "\n");
-
fprintf(out, "# Reject any other lpc, or lprm. Accept all else\n");
fprintf(out, "REJECT SERVICE=C,M\n");
- fprintf(out, "DEFAULT ACCEPT");
+ fprintf(out, "DEFAULT ACCEPT\n");
tarfile_end(tf);
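Review bot: The new lockout rule `REJECT SERVICE=R USER=</var/spool/printer/users.deny` keys on `USER=` rather than on the authenticated identity that the rest of this file uses for access decisions (`AUTH=USER AUTHUSER=...`, and the `SAMEUSER` versus `AUTHSAMEUSER` distinction a few lines below), so it presumably applies only when the job's user field matches the denied name, and it is placed after the `ACCEPT SERVICE=C,R ...` LPC rules, so a denied user who is also in an lpcaccess list is accepted before the lockout is evaluated. If the intent is to deny authenticated users, `REJECT SERVICE=R AUTHUSER=</var/spool/printer/users.deny` placed ahead of the LPC ACCEPT rules would be the more robust form; otherwise a comment stating the limitation, e.g. `# Lock out by job user name; lpc admins accepted above are not affected`, would keep the next reader from assuming a stronger guarantee. The trailing newline added to `DEFAULT ACCEPT\n` is a correct fix for the last line of the generated file. The enclosing function starts before this hunk.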
/* list of kerberized queues */
sprintf(filename, "/var/spool/printer/%s/restrict.list", name);
out = tarfile_start(tf, filename, 0755, 1, 1, "daemon", "daemon",
now);
- dump_acl(out, ac, ka);
+ if (ka)
+ dump_krb_acl(out, "LIST", ac, 5);
+ else
+ dump_user_list(out, "LIST", ac);
tarfile_end(tf);
}
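Review bot: The replacement call `dump_krb_acl(out, "LIST", ac, 5)` passes an unexplained literal 5, and the same `"LIST"`/`5` pair is repeated in the two later hunks (`dump_krb_acl(out, "LIST", lpc_acl, 5)` for the per-printer and top-level lpcaccess files); neither dump_krb_acl nor dump_user_list is defined on this page, so what the argument controls cannot be confirmed here. A named constant with a one-line comment at its definition, e.g. `enum { LPCACCESS_KRB_ARG = 5 }; /* constructed name: meaning of dump_krb_acl's last argument to be confirmed */`, used at all three call sites would make the intent reviewable and keep the three files from drifting apart. The split between `dump_krb_acl` when `ka` is set and `dump_user_list` otherwise also deserves a short comment on the `if (ka)` line stating which file format each produces, since the removed dump_acl handled both with one `realms` flag. The enclosing function starts before this hunk.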
sprintf(filename, "/var/spool/printer/%s/lpcaccess", name);
out = tarfile_start(tf, filename, 0755, 1, 1, "daemon", "daemon",
now);
- dump_acl(out, lpc_acl, 1);
+ dump_krb_acl(out, "LIST", lpc_acl, 5);
tarfile_end(tf);
}
}
{
out = tarfile_start(tf, "/var/spool/printer/lpcaccess.top",
0755, 1, 1, "daemon", "daemon", now);
- dump_acl(out, lpc_acl, 1);
+ dump_krb_acl(out, "LIST", lpc_acl, 5);
tarfile_end(tf);
}
tarfile_close(tf);
}
-void dump_acl(FILE *out, int id, int realms)
-{
- EXEC SQL BEGIN DECLARE SECTION;
- int lid = id;
- char login[USERS_LOGIN_SIZE], princ[STRINGS_STRING_SIZE];
- EXEC SQL END DECLARE SECTION;
- char *at, *dot;
-
- EXEC SQL DECLARE csr_users CURSOR FOR
- SELECT u.login FROM users u, imembers im
- WHERE u.users_id = im.member_id
- AND im.member_type = 'USER' AND im.list_id = :lid;
- EXEC SQL OPEN csr_users;
- while (1)
- {
- EXEC SQL FETCH csr_users INTO :login;
- if (sqlca.sqlcode)
- break;
-
- fprintf(out, "%s%s\n", strtrim(login), realms ? "@ATHENA.MIT.EDU" : "");
- }
- EXEC SQL CLOSE csr_users;
-
- if (realms)
- {
- EXEC SQL DECLARE csr_krb CURSOR FOR
- SELECT s.string FROM strings s, imembers im
- WHERE s.string_id = im.member_id
- AND im.member_type = 'KERBEROS' AND im.list_id = :lid;
- EXEC SQL OPEN csr_krb;
- while (1)
- {
- EXEC SQL FETCH csr_krb INTO :princ;
- if (sqlca.sqlcode)
- break;
-
- strtrim(princ);
- at = strchr(princ, '@');
- dot = strchr(princ, '.');
-
- if (at)
- {
- if (dot && dot < at)
- fprintf(out, "%.*s/%s\n", dot - princ, princ, dot + 1);
- else
- fprintf(out, "%s\n", princ);
- }
- else
- {
- if (dot)
- fprintf(out, "%.*s/%s@ATHENA.MIT.EDU\n", dot - princ, princ);
- else
- fprintf(out, "%s@ATHENA.MIT.EDU\n", princ);
- }
- }
- }
- EXEC SQL CLOSE csr_krb;
-}
-
void sqlerr(void)
{
db_error(sqlca.sqlcode);