root / pykota / trunk / SECURITY @ 2070

Revision 2070, 8.5 kB (checked in by jalet, 19 years ago)

Improved the section on database security

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
Line 
1# $Id$
2
3PyKota - Print Quota for CUPS and LPRng
4
5(c) 2003, 2004, 2005 Jerome Alet <alet@librelogiciel.com>
6This program is free software; you can redistribute it and/or modify
7it under the terms of the GNU General Public License as published by
8the Free Software Foundation; either version 2 of the License, or
9(at your option) any later version.
10
11This program is distributed in the hope that it will be useful,
12but WITHOUT ANY WARRANTY; without even the implied warranty of
13MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14GNU General Public License for more details.
15
16You should have received a copy of the GNU General Public License
17along with this program; if not, write to the Free Software
18Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
19
20====================================================================
21
22How to improve PyKota's security :
23----------------------------------
24
25  - Secure your printers : 
26 
27    This is the most important thing to do !
28   
29    Tell them to refuse any print job not coming from your print server.
30    Do this with telnet to set ACLs based on incoming IP addresses if
31    possible, or through any other way.
32       
33    Put all your printers on a private unroutable subnet, different from
34    the subnet on which your client hosts will reside. Ensure that the
35    only machine allowed to access to this subnet is your print server.
36   
37   
38  - Secure your print servers : 
39 
40    Don't give shell access to your users on your print servers, and
41    don't let them execute unauthorized commands : they could very well
42    compile and/or execute tools like NetCat, and send datas directly to
43    the printer in the case the printer is networked, thus bypassing the
44    printing system and PyKota.
45       
46    Ensure that no regular user can read PyKota administrator's
47    configuration file, but that both the PyKota Administrator and the
48    user the printing system is run as can read it. With CUPS under
49    Debian you may want to do :
50   
51        $ chown pykota.pykota pykota.conf pykotadmin.conf   
52        $ chmod 640 pykota.conf
53        $ chmod 600 pykotadmin.conf
54       
55    Depending on your needs, you may want to put the user the printing
56    system is run as in the group 'pykota', and relax permissions a bit
57    so that this user can read the pykotadmin.conf file while printing.
58    For example :
59   
60        $ chmod 640 pykotadmin.conf
61        $ adduser lp pykota
62          (this makes user 'lp' a member of group 'pykota')
63   
64    Letting any user read PyKota administrator's configuration file may
65    expose passwords or database information which would allow write
66    access to the database, and so may transform your print quota
67    management in a nightmare.
68 
69    If you want to let users generate their own print quota reports,
70    then ensure that /etc/pykota/pykota.conf is readable by these users.
71    To do this you can either put this users in the group 'pykota' while
72    ensuring they can't read pykotadmin.conf with 'chmod 600 pykotadmin.conf'
73    or simply allow everyone to read pykota.conf with 'chmod 644 pykota.conf'
74   
75     
76  - Secure your database connections :
77 
78    Depending on the database backend used, either PostgreSQL or LDAP,
79    you may have to take additionnal measures to render your database
80    more secure. Please refer to your database system's documentation
81    to learn how to do so. This is out of the scope of the present
82    document which will only give basic informations.
83   
84    Keep in mind that if you use a centralized database, the first thing
85    you may want to do is to restrict which hosts can access to it, i.e.
86    only the print servers.
87 
88    PostgreSQL :
89   
90      For the PostgreSQL backend, PyKota already defines a user with
91      read/write access and another user with read-only access to the
92      Print Quota Database. PyKota doesn't set any passwords for these
93      users though, but doing so is recommended, and here's how to do :
94     
95      From the root shell do :
96     
97      $ su - postgres
98      $ psql template1
99      template1=# ALTER USER pykotauser WITH PASSWORD 'a.difficult.password';
100      template1=# ALTER USER pykotaadmin WITH PASSWORD 'another.password';
101      template1=# \q
102      $ exit
103     
104      Now modify PostgreSQL's pg_hba.conf to restrict access to the PyKota
105      database to PostgreSQL users 'pykotauser' and 'pykotaadmin' only,
106      and only if they connect from localhost and provide the correct
107      password. Here's an excerpt from our own pg_hba.conf :
108       
109        --- CUT ---       
110        local all    postgres                              ident sameuser
111        local all    all                                   reject
112        host  pykota pykotauser  127.0.0.1 255.255.255.255 crypt
113        host  pykota pykotaadmin 127.0.0.1 255.255.255.255 crypt
114        host  pykota all         127.0.0.1 255.255.255.255 reject
115        --- CUT ---       
116
117      Finally restart PostgreSQL so that the changes will be applied :
118     
119        $ /etc/init.d/postgresql restart
120       
121      Of course, depending on your needs, you may want to secure
122      your database connexions in a completely different way or
123      add other security layers on top of this. To do so please
124      refer to PostgreSQL's documentation because this is out of
125      the scope of the present document.
126     
127    LDAP :
128   
129      For the LDAP backend, you have to ensure that no regular user can
130      write to any PyKota specific attribute or objectClass. Otherwise
131      they could modify their quota at will. Here too you will have to
132      create two LDAP users which will be used for readonly and read+write
133      access to PyKota's datas. PyKota currently doesn't do this, so
134      you have to create an LDIF file this way (please adapt the
135      DNs to your own environment) :
136     
137        --- CUT ---     
138        dn: cn=pykotauser,dc=example,dc=com
139        cn: pykotauser
140        objectClass: simpleSecurityObject
141        objectClass: organizationalRole
142        description: PyKota ReadOnly User
143        userPassword: {CRYPT}jfdsk653dsZFL
144       
145        dn: cn=pykotaadmin,dc=example,dc=com
146        cn: pykotaadmin
147        objectClass: simpleSecurityObject
148        objectClass: organizationalRole
149        description: PyKota Read+Write User
150        userPassword: {CRYPT}kqsIu43Exoi5s
151        --- CUT ---
152
153      Then add these two users to your existing LDAP tree :
154     
155        $ ldapadd -W -x -D "cn=admin,dc=example,dc=com" -f users.ldif
156   
157      Now modify your LDAP server's configuration to respectively allow
158      read+write and readonly access to the datas :
159     
160        --- CUT ---
161        by dn="cn=pykotaadmin,dc=example,dc=com" write
162        by dn="cn=pykotauser,dc=example,dc=com" read
163        --- CUT ---
164
165      Finally restart your LDAP server so that the changes will be applied :
166     
167        $ /etc/init.d/slapd restart
168       
169      Of course, depending on your needs, you may want to secure
170      your database connexions in a completely different way or
171      add other security layers on top of this. To do so please
172      refer to your LDAP server's documentation because this is out
173      of the scope of the present document.
174       
175       
176  - Secure your CGI scripts :   
177 
178    If you use printquota.cgi or dumpykota.cgi, ensure that the user
179    they are run as can read the pykota.conf file but NOT the
180    pykotadmin.conf file.
181       
182    The particular user they will be run as depends on your web server's
183    settings.
184       
185    If you want to further restrict the access to these CGI scripts,
186    please read your web server's documentation to add either
187    encryption, authentication or both.
188       
189    The CGI scripts will honor the content of the REMOTE_USER CGI
190    environment variable which is set by your web server if an
191    authentication took place. If REMOTE_USER contains 'root' then, even
192    if you didn't authenticate using the real root account and password,
193    the scripts will consider they have been run by a PyKota
194    administrator and will report all datas if asked to do so. If
195    REMOTE_USER is not present, which means that you didn't chose to
196    secure access to your CGI scripts, the same will happen. If
197    REMOTE_USER contains something else, only datas pertaining to this
198    user will be made available through the web.
199   
200    NB : In any case, the CGI scripts actually included in PyKota only
201    do readonly accesses to PyKota's database.
202   
203====================================================================
Note: See TracBrowser for help on using the browser.