[969] | 1 | # $Id$ |
---|
| 2 | |
---|
| 3 | PyKota - Print Quota for CUPS and LPRng |
---|
| 4 | |
---|
[1257] | 5 | (c) 2003-2004 Jerome Alet <alet@librelogiciel.com> |
---|
[969] | 6 | This program is free software; you can redistribute it and/or modify |
---|
| 7 | it under the terms of the GNU General Public License as published by |
---|
| 8 | the Free Software Foundation; either version 2 of the License, or |
---|
| 9 | (at your option) any later version. |
---|
| 10 | |
---|
| 11 | This program is distributed in the hope that it will be useful, |
---|
| 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 14 | GNU General Public License for more details. |
---|
| 15 | |
---|
| 16 | You should have received a copy of the GNU General Public License |
---|
| 17 | along with this program; if not, write to the Free Software |
---|
| 18 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. |
---|
| 19 | |
---|
| 20 | ==================================================================== |
---|
| 21 | |
---|
[1386] | 22 | These recommendations are there because as of April 28th 2003 |
---|
[969] | 23 | PyKota doesn't enforce them. You may or may not follow them, |
---|
| 24 | depending on your user's IT knowledge, how much your trust them, |
---|
| 25 | etc... |
---|
| 26 | |
---|
| 27 | ==================================================================== |
---|
| 28 | |
---|
| 29 | How to improve PyKota's security : |
---|
| 30 | ---------------------------------- |
---|
| 31 | |
---|
[1186] | 32 | - Most of the stuff which was there was deleted because PyKota's |
---|
| 33 | configuration files permissions should take care of most |
---|
| 34 | security problems. BUT of course, you have to set them correctly ! |
---|
[1074] | 35 | |
---|
[1209] | 36 | - Secure your printer : |
---|
| 37 | |
---|
| 38 | Tell it to refuse any print job not coming from your print |
---|
| 39 | server. |
---|
| 40 | |
---|
| 41 | Don't give shell access to your users on your print server, |
---|
| 42 | or don't let them execute unauthorized commands : they could |
---|
| 43 | very well compile and execute tools like NetCat, and send |
---|
| 44 | datas directly to the printer in the case the printer is |
---|
[1267] | 45 | networked, thus bypassing the printing system and PyKota. |
---|
[1209] | 46 | |
---|
[1087] | 47 | - Ensure that no regular user can read PyKota administrator's |
---|
| 48 | configuration file, but that both the print quota administrator and |
---|
| 49 | the user the printing system is run as can read it. Depending on |
---|
| 50 | your system's configuration, this may give something like : |
---|
[969] | 51 | |
---|
[1087] | 52 | $ chown lp.lpadmin /etc/pykota/pykotadmin.conf |
---|
| 53 | $ chmod 640 /etc/pykota/pykotadmin.conf |
---|
[969] | 54 | |
---|
| 55 | If the print quota administrator is root then he will always be |
---|
| 56 | able to read PyKota's configuration file. |
---|
| 57 | |
---|
[1087] | 58 | Letting any user read PyKota administrator's configuration file may |
---|
[1186] | 59 | expose passwords or database information which would allow write |
---|
| 60 | access to the database, and so may transform your print quota |
---|
| 61 | management in a nightmare. |
---|
[969] | 62 | |
---|
[1087] | 63 | If you want to let users generate their own print quota reports, |
---|
| 64 | then ensure that /etc/pykota/pykota.conf is readable by |
---|
| 65 | everyone, but writeable only by the root user : |
---|
| 66 | |
---|
| 67 | $ chown root.root /etc/pykota/pykota.conf |
---|
| 68 | $ chmod 644 /etc/pykota/pykota.conf |
---|
| 69 | |
---|
[971] | 70 | NB : If you use the printquota.cgi CGI script, ensure that |
---|
| 71 | the user this script is run as (e.g. nobody or www-data) |
---|
[1087] | 72 | can read PyKota's configuration file /etc/pykota/pykota.conf |
---|
| 73 | BUT can't read PyKota administrator's configuration file |
---|
| 74 | /etc/pykota/pykotadmin.conf |
---|
| 75 | Refer to Apache's documentation for details. |
---|
[971] | 76 | |
---|
[969] | 77 | - Secure your database connection : |
---|
| 78 | |
---|
[1052] | 79 | Depending on the database backend used, either PostgreSQL or |
---|
| 80 | OpenLDAP, you may have to take additionnal measures to render |
---|
[969] | 81 | your database more secure. Please refer to your database system's |
---|
| 82 | documentation on configuration to learn how to do so. This is out |
---|
[1106] | 83 | of the scope of the present document which will only give basic |
---|
| 84 | informations. |
---|
[969] | 85 | |
---|
| 86 | Keep in mind that if you use a centralized database, you may have |
---|
| 87 | to restrict which hosts can access to it (i.e. the Print Servers). |
---|
| 88 | |
---|
[1106] | 89 | For the PostgreSQL backend, PyKota already defines a user with |
---|
| 90 | read/write access and another user with read-only access to |
---|
| 91 | the Print Quota Database. PyKota doesn't set any passwords |
---|
[1386] | 92 | for these users though, but doing it is recommended, and |
---|
[1106] | 93 | explained elsewhere in PyKota's documentation. |
---|
[969] | 94 | |
---|
[1106] | 95 | For the OpenLDAP backend, YOU have to ensure that no regular |
---|
| 96 | user can write to any PyKota specific attribute or objectClass. |
---|
| 97 | Otherwise they could modify their quota at will. |
---|
| 98 | |
---|
[1186] | 99 | You also have to define two binding DNs in your LDAP tree, |
---|
| 100 | one of them should be able to have a read only access to |
---|
| 101 | everything. The other one should be able to write, for |
---|
| 102 | example your LDAP admin user is fine for this. |
---|
| 103 | Now put the readonly user in /etc/pykota/pykota.conf |
---|
| 104 | and the read-write one in /etc/pykota/pykotadmin.conf |
---|
| 105 | |
---|
[969] | 106 | ==================================================================== |
---|