root / pykota / trunk / SECURITY @ 2069

Revision 2069, 5.7 kB (checked in by jalet, 19 years ago)

Improved the SECURITY document

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
1# $Id$
3PyKota - Print Quota for CUPS and LPRng
5(c) 2003, 2004, 2005 Jerome Alet <>
6This program is free software; you can redistribute it and/or modify
7it under the terms of the GNU General Public License as published by
8the Free Software Foundation; either version 2 of the License, or
9(at your option) any later version.
11This program is distributed in the hope that it will be useful,
12but WITHOUT ANY WARRANTY; without even the implied warranty of
14GNU General Public License for more details.
16You should have received a copy of the GNU General Public License
17along with this program; if not, write to the Free Software
18Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
22How to improve PyKota's security :
25  - Secure your printers : 
27    Tell them to refuse any print job not coming from your print server.
28    Do this with telnet to set ACLs based on incoming IP addresses if
29    possible, or through any other way.
31    Put all your printers on a private unroutable subnet, different from
32    the subnet on which your client hosts will reside. Ensure that the
33    only machine allowed to access to this subnet is your print server.
36  - Secure your print servers : 
38    Don't give shell access to your users on your print servers, and
39    don't let them execute unauthorized commands : they could very well
40    compile and/or execute tools like NetCat, and send datas directly to
41    the printer in the case the printer is networked, thus bypassing the
42    printing system and PyKota.
44    Ensure that no regular user can read PyKota administrator's
45    configuration file, but that both the PyKota Administrator and the
46    user the printing system is run as can read it. With CUPS under
47    Debian you may want to do :
49        $ chown pykota.pykota pykota.conf pykotadmin.conf   
50        $ chmod 640 pykota.conf
51        $ chmod 600 pykotadmin.conf
53    Depending on your needs, you may want to put the user the printing
54    system is run as in the group 'pykota', and relax permissions a bit
55    so that this user can read the pykotadmin.conf file while printing.
56    For example :
58        $ chmod 640 pykotadmin.conf
59        $ adduser lp pykota
60          (this makes user 'lp' a member of group 'pykota')
62    Letting any user read PyKota administrator's configuration file may
63    expose passwords or database information which would allow write
64    access to the database, and so may transform your print quota
65    management in a nightmare.
67    If you want to let users generate their own print quota reports,
68    then ensure that /etc/pykota/pykota.conf is readable by these users.
69    To do this you can either put this users in the group 'pykota' while
70    ensuring they can't read pykotadmin.conf with 'chmod 600 pykotadmin.conf'
71    or simply allow everyone to read pykota.conf with 'chmod 644 pykota.conf'
73  - Secure your CGI scripts :   
75    If you use printquota.cgi or dumpykota.cgi, ensure that the user
76    they are run as can read the pykota.conf file but NOT the
77    pykotadmin.conf file.
79    The particular user they will be run as depends on your web server's
80    settings.
82    If you want to further restrict the access to these CGI scripts,
83    please read your web server's documentation to add either
84    encryption, authentication or both.
86    The CGI scripts will honor the content of the REMOTE_USER CGI
87    environment variable which is set by your web server if an
88    authentication took place. If REMOTE_USER contains 'root' then, even
89    if you didn't authenticate using the real root account and password,
90    the scripts will consider they have been run by a PyKota
91    administrator and will report all datas if asked to do so. If
92    REMOTE_USER is not present, which means that you didn't chose to
93    secure access to your CGI scripts, the same will happen. If
94    REMOTE_USER contains something else, only datas pertaining to this
95    user will be made available through the web.
97    NB : In any case, the CGI scripts actually included in PyKota only
98    do readonly accesses to PyKota's database.
100  - Secure your database connection :
102    Depending on the database backend used, either PostgreSQL or
103    OpenLDAP, you may have to take additionnal measures to render
104    your database more secure. Please refer to your database system's
105    documentation on configuration to learn how to do so. This is out
106    of the scope of the present document which will only give basic
107    informations.
109    Keep in mind that if you use a centralized database, you may have
110    to restrict which hosts can access to it (i.e. the Print Servers).
112    For the PostgreSQL backend, PyKota already defines a user with
113    read/write access and another user with read-only access to
114    the Print Quota Database. PyKota doesn't set any passwords
115    for these users though, but doing it is recommended, and
116    explained elsewhere in PyKota's documentation.
118    For the LDAP backend, you have to ensure that no regular
119    user can write to any PyKota specific attribute or objectClass.
120    Otherwise they could modify their quota at will.
122    You also have to define two binding DNs in your LDAP tree,
123    one of them should be able to have a read only access to
124    everything. The other one should be able to write, for
125    example your LDAP admin user is fine for this.
126    Now put the readonly user in /etc/pykota/pykota.conf
127    and the read-write one in /etc/pykota/pykotadmin.conf
Note: See TracBrowser for help on using the browser.