root / pykota / trunk / SECURITY @ 971

# $Id$

PyKota - Print Quota for CUPS and LPRng

(c) 2003 Jerome Alet <alet@librelogiciel.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.

====================================================================

  These recommandations are there because as of April 28th 2003 
  PyKota doesn't enforce them. You may or may not follow them,
  depending on your user's IT knowledge, how much your trust them,
  etc...
  
====================================================================

How to improve PyKota's security :
----------------------------------

  - Ensure that only the user your printing system is run as can
    execute the pykota filter. Depending on your system's configuration,
    this may give something like :
    
      $ chown lp.daemon /usr/bin/pykota
      $ chmod 700 /usr/bin/pykota
      
    If any user could run the pykota filter, then he theorically could 
    forbid any other user to print by incorrectly charging them for
    pages they would never have printed.
    
  - Ensure that only the print quota administrator (e.g. root) can 
    execute the edpykota and warnpykota commands. Depending on your 
    system's configuration, this may give something like :
    
      $ chown root.root /usr/bin/edpykota /usr/bin/warnpykota
      $ chmod 700 /usr/bin/edpykota /usr/bin/warnpykota
      
    or   
    
      $ chown root.lpadmin /usr/bin/edpykota /usr/bin/warnpykota
      $ chmod 750 /usr/bin/edpykota /usr/bin/warnpykota
      
    If any user could run warnpykota, then he could fill the mailboxes
    of all users who are above quota, by repeatedly running warnpykota.
    
    If any user could run edpykota, then he could, in the better case,
    set his account to noquota mode. In the worst case he could render
    PyKota and/or your printing system completely inoperative.
    
  - Ensure that no regular user can read PyKota's configuration file,
    but that both the print quota administrator and the user the
    printing system is run as can read it. Depending on your system's
    configuration, this may give something like :
    
      $ chown lp.lpadmin /etc/pykota.conf
      $ chmod 640 /etc/pykota.conf
    
    If the print quota administrator is root then he will always be
    able to read PyKota's configuration file.
    
    Letting any user read PyKota's configuration file may expose
    passwords or database information which would allow direct
    connections to it if the user can write and execute his own
    scripts or download and execute his own version of PyKota.
  
    NB : If you use the printquota.cgi CGI script, ensure that
         the user this script is run as (e.g. nobody or www-data)
         can read PyKota's configuration file too, for example
         by putting www-data in the lpadmin group.
  
  - Secure your database connection :
  
    Depending on the database backend used (currently only PostgreSQL
    is supported), you may have to take additionnal measures to render
    your database more secure. Please refer to your database system's
    documentation on configuration to learn how to do so. This is out
    of the scope of the present document.
    
    Keep in mind that if you use a centralized database, you may have
    to restrict which hosts can access to it (i.e. the Print Servers).
    
    
====================================================================