[969] | 1 | # $Id$ |
---|
| 2 | |
---|
| 3 | PyKota - Print Quota for CUPS and LPRng |
---|
| 4 | |
---|
[2028] | 5 | (c) 2003, 2004, 2005 Jerome Alet <alet@librelogiciel.com> |
---|
[969] | 6 | This program is free software; you can redistribute it and/or modify |
---|
| 7 | it under the terms of the GNU General Public License as published by |
---|
| 8 | the Free Software Foundation; either version 2 of the License, or |
---|
| 9 | (at your option) any later version. |
---|
| 10 | |
---|
| 11 | This program is distributed in the hope that it will be useful, |
---|
| 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 14 | GNU General Public License for more details. |
---|
| 15 | |
---|
| 16 | You should have received a copy of the GNU General Public License |
---|
| 17 | along with this program; if not, write to the Free Software |
---|
| 18 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. |
---|
| 19 | |
---|
| 20 | ==================================================================== |
---|
| 21 | |
---|
| 22 | How to improve PyKota's security : |
---|
| 23 | ---------------------------------- |
---|
| 24 | |
---|
[2069] | 25 | - Secure your printers : |
---|
[1209] | 26 | |
---|
[2069] | 27 | Tell them to refuse any print job not coming from your print server. |
---|
| 28 | Do this with telnet to set ACLs based on incoming IP addresses if |
---|
| 29 | possible, or through any other way. |
---|
| 30 | |
---|
| 31 | Put all your printers on a private unroutable subnet, different from |
---|
| 32 | the subnet on which your client hosts will reside. Ensure that the |
---|
| 33 | only machine allowed to access to this subnet is your print server. |
---|
[1209] | 34 | |
---|
| 35 | |
---|
[2069] | 36 | - Secure your print servers : |
---|
| 37 | |
---|
| 38 | Don't give shell access to your users on your print servers, and |
---|
| 39 | don't let them execute unauthorized commands : they could very well |
---|
| 40 | compile and/or execute tools like NetCat, and send datas directly to |
---|
| 41 | the printer in the case the printer is networked, thus bypassing the |
---|
| 42 | printing system and PyKota. |
---|
| 43 | |
---|
| 44 | Ensure that no regular user can read PyKota administrator's |
---|
| 45 | configuration file, but that both the PyKota Administrator and the |
---|
| 46 | user the printing system is run as can read it. With CUPS under |
---|
| 47 | Debian you may want to do : |
---|
[969] | 48 | |
---|
[2069] | 49 | $ chown pykota.pykota pykota.conf pykotadmin.conf |
---|
| 50 | $ chmod 640 pykota.conf |
---|
| 51 | $ chmod 600 pykotadmin.conf |
---|
| 52 | |
---|
| 53 | Depending on your needs, you may want to put the user the printing |
---|
| 54 | system is run as in the group 'pykota', and relax permissions a bit |
---|
| 55 | so that this user can read the pykotadmin.conf file while printing. |
---|
| 56 | For example : |
---|
[969] | 57 | |
---|
[2069] | 58 | $ chmod 640 pykotadmin.conf |
---|
| 59 | $ adduser lp pykota |
---|
| 60 | (this makes user 'lp' a member of group 'pykota') |
---|
[969] | 61 | |
---|
[1087] | 62 | Letting any user read PyKota administrator's configuration file may |
---|
[2069] | 63 | expose passwords or database information which would allow write |
---|
| 64 | access to the database, and so may transform your print quota |
---|
| 65 | management in a nightmare. |
---|
[969] | 66 | |
---|
[1087] | 67 | If you want to let users generate their own print quota reports, |
---|
[2069] | 68 | then ensure that /etc/pykota/pykota.conf is readable by these users. |
---|
| 69 | To do this you can either put this users in the group 'pykota' while |
---|
| 70 | ensuring they can't read pykotadmin.conf with 'chmod 600 pykotadmin.conf' |
---|
| 71 | or simply allow everyone to read pykota.conf with 'chmod 644 pykota.conf' |
---|
[1087] | 72 | |
---|
[2069] | 73 | - Secure your CGI scripts : |
---|
[971] | 74 | |
---|
[2069] | 75 | If you use printquota.cgi or dumpykota.cgi, ensure that the user |
---|
| 76 | they are run as can read the pykota.conf file but NOT the |
---|
| 77 | pykotadmin.conf file. |
---|
| 78 | |
---|
| 79 | The particular user they will be run as depends on your web server's |
---|
| 80 | settings. |
---|
| 81 | |
---|
| 82 | If you want to further restrict the access to these CGI scripts, |
---|
| 83 | please read your web server's documentation to add either |
---|
| 84 | encryption, authentication or both. |
---|
| 85 | |
---|
| 86 | The CGI scripts will honor the content of the REMOTE_USER CGI |
---|
| 87 | environment variable which is set by your web server if an |
---|
| 88 | authentication took place. If REMOTE_USER contains 'root' then, even |
---|
| 89 | if you didn't authenticate using the real root account and password, |
---|
| 90 | the scripts will consider they have been run by a PyKota |
---|
| 91 | administrator and will report all datas if asked to do so. If |
---|
| 92 | REMOTE_USER is not present, which means that you didn't chose to |
---|
| 93 | secure access to your CGI scripts, the same will happen. If |
---|
| 94 | REMOTE_USER contains something else, only datas pertaining to this |
---|
| 95 | user will be made available through the web. |
---|
| 96 | |
---|
| 97 | NB : In any case, the CGI scripts actually included in PyKota only |
---|
| 98 | do readonly accesses to PyKota's database. |
---|
| 99 | |
---|
[969] | 100 | - Secure your database connection : |
---|
| 101 | |
---|
[1052] | 102 | Depending on the database backend used, either PostgreSQL or |
---|
| 103 | OpenLDAP, you may have to take additionnal measures to render |
---|
[969] | 104 | your database more secure. Please refer to your database system's |
---|
| 105 | documentation on configuration to learn how to do so. This is out |
---|
[1106] | 106 | of the scope of the present document which will only give basic |
---|
| 107 | informations. |
---|
[969] | 108 | |
---|
| 109 | Keep in mind that if you use a centralized database, you may have |
---|
| 110 | to restrict which hosts can access to it (i.e. the Print Servers). |
---|
| 111 | |
---|
[1106] | 112 | For the PostgreSQL backend, PyKota already defines a user with |
---|
| 113 | read/write access and another user with read-only access to |
---|
| 114 | the Print Quota Database. PyKota doesn't set any passwords |
---|
[1386] | 115 | for these users though, but doing it is recommended, and |
---|
[1106] | 116 | explained elsewhere in PyKota's documentation. |
---|
[969] | 117 | |
---|
[2069] | 118 | For the LDAP backend, you have to ensure that no regular |
---|
[1106] | 119 | user can write to any PyKota specific attribute or objectClass. |
---|
| 120 | Otherwise they could modify their quota at will. |
---|
| 121 | |
---|
[1186] | 122 | You also have to define two binding DNs in your LDAP tree, |
---|
| 123 | one of them should be able to have a read only access to |
---|
| 124 | everything. The other one should be able to write, for |
---|
| 125 | example your LDAP admin user is fine for this. |
---|
| 126 | Now put the readonly user in /etc/pykota/pykota.conf |
---|
| 127 | and the read-write one in /etc/pykota/pykotadmin.conf |
---|
| 128 | |
---|
[969] | 129 | ==================================================================== |
---|