root / pykota / trunk / SECURITY @ 2260

Revision 2260, 8.7 kB (checked in by jerome, 19 years ago)

Added some informations wrt systems on which CUPS doesn't run as root

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
Line 
1# $Id$
2
3PyKota - Print Quota for CUPS and LPRng
4
5(c) 2003, 2004, 2005 Jerome Alet <alet@librelogiciel.com>
6This program is free software; you can redistribute it and/or modify
7it under the terms of the GNU General Public License as published by
8the Free Software Foundation; either version 2 of the License, or
9(at your option) any later version.
10
11This program is distributed in the hope that it will be useful,
12but WITHOUT ANY WARRANTY; without even the implied warranty of
13MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14GNU General Public License for more details.
15
16You should have received a copy of the GNU General Public License
17along with this program; if not, write to the Free Software
18Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
19
20====================================================================
21
22How to improve PyKota's security :
23----------------------------------
24
25  - Secure your printers : 
26 
27    This is the most important thing to do !
28   
29    Tell them to refuse any print job not coming from your print server.
30    Do this with telnet to set ACLs based on incoming IP addresses if
31    possible, or through any other way.
32       
33    Put all your printers on a private unroutable subnet, different from
34    the subnet on which your client hosts will reside. Ensure that the
35    only machine allowed to access to this subnet is your print server.
36   
37   
38  - Secure your print servers : 
39 
40    Don't give shell access to your users on your print servers, and
41    don't let them execute unauthorized commands : they could very well
42    compile and/or execute tools like NetCat, and send datas directly to
43    the printer in the case the printer is networked, thus bypassing the
44    printing system and PyKota.
45       
46    Ensure that no regular user can read PyKota administrator's
47    configuration file, but that both the PyKota Administrator and the
48    user the printing system is run as can read it. With CUPS under
49    Debian you may want to do :
50   
51        $ chown pykota.pykota ~pykota/pykota.conf ~pykota/pykotadmin.conf   
52        $ chmod 640 ~pykota/pykota.conf
53        $ chmod 600 ~pykota/pykotadmin.conf
54       
55    Depending on your needs, you may want to put the user the printing
56    system is run as in the group 'pykota', and relax permissions a bit
57    so that this user can read the pykotadmin.conf file while printing.
58    For example :
59   
60        $ chmod 640 ~pykota/pykotadmin.conf
61        $ adduser lp pykota
62          (this makes user 'lp' a member of group 'pykota')
63   
64    Another solution, needed on some systems :
65   
66        $ chmod a+rx ~pykota/
67        $ chown lp.pykota ~pykota/pykota.conf ~pykota/pykotadmin.conf
68       
69    Letting any user read PyKota administrator's configuration file may
70    expose passwords or database information which would allow write
71    access to the database, and so may transform your print quota
72    management in a nightmare.
73 
74    If you want to let users generate their own print quota reports,
75    then ensure that /etc/pykota/pykota.conf is readable by these users.
76    To do this you can either put this users in the group 'pykota' while
77    ensuring they can't read pykotadmin.conf with 'chmod 600 pykotadmin.conf'
78    or simply allow everyone to read pykota.conf with 'chmod 644 pykota.conf'
79   
80     
81  - Secure your database connections :
82 
83    Depending on the database backend used, either PostgreSQL or LDAP,
84    you may have to take additionnal measures to render your database
85    more secure. Please refer to your database system's documentation
86    to learn how to do so. This is out of the scope of the present
87    document which will only give basic informations.
88   
89    Keep in mind that if you use a centralized database, the first thing
90    you may want to do is to restrict which hosts can access to it, i.e.
91    only the print servers.
92 
93    PostgreSQL :
94   
95      For the PostgreSQL backend, PyKota already defines a user with
96      read/write access and another user with read-only access to the
97      Print Quota Database. PyKota doesn't set any passwords for these
98      users though, but doing so is recommended, and here's how to do :
99     
100      From the root shell do :
101     
102      $ su - postgres
103      $ psql template1
104      template1=# ALTER USER pykotauser WITH PASSWORD 'a.difficult.password';
105      template1=# ALTER USER pykotaadmin WITH PASSWORD 'another.password';
106      template1=# \q
107      $ exit
108     
109      Now modify PostgreSQL's pg_hba.conf to restrict access to the PyKota
110      database to PostgreSQL users 'pykotauser' and 'pykotaadmin' only,
111      and only if they connect from localhost and provide the correct
112      password. Here's an excerpt from our own pg_hba.conf :
113       
114        --- CUT ---       
115        local all    postgres                              ident sameuser
116        local all    all                                   reject
117        host  pykota pykotauser  127.0.0.1 255.255.255.255 crypt
118        host  pykota pykotaadmin 127.0.0.1 255.255.255.255 crypt
119        host  pykota all         127.0.0.1 255.255.255.255 reject
120        --- CUT ---       
121
122      Finally restart PostgreSQL so that the changes will be applied :
123     
124        $ /etc/init.d/postgresql restart
125       
126      Of course, depending on your needs, you may want to secure
127      your database connections in a completely different way or
128      add other security layers on top of this. To do so please
129      refer to PostgreSQL's documentation because this is out of
130      the scope of the present document.
131     
132    LDAP :
133   
134      For the LDAP backend, you have to ensure that no regular user can
135      write to any PyKota specific attribute or objectClass. Otherwise
136      they could modify their quota at will. Here too you will have to
137      create two LDAP users which will be used for readonly and read+write
138      access to PyKota's datas. PyKota currently doesn't do this, so
139      you have to create an LDIF file this way (please adapt the
140      DNs to your own environment) :
141     
142        --- CUT ---     
143        dn: cn=pykotauser,dc=example,dc=com
144        cn: pykotauser
145        objectClass: simpleSecurityObject
146        objectClass: organizationalRole
147        description: PyKota ReadOnly User
148        userPassword: {CRYPT}jfdsk653dsZFL
149       
150        dn: cn=pykotaadmin,dc=example,dc=com
151        cn: pykotaadmin
152        objectClass: simpleSecurityObject
153        objectClass: organizationalRole
154        description: PyKota Read+Write User
155        userPassword: {CRYPT}kqsIu43Exoi5s
156        --- CUT ---
157
158      Then add these two users to your existing LDAP tree :
159     
160        $ ldapadd -W -x -D "cn=admin,dc=example,dc=com" -f users.ldif
161   
162      Now modify your LDAP server's configuration to respectively allow
163      read+write and readonly access to the datas :
164     
165        --- CUT ---
166        by dn="cn=pykotaadmin,dc=example,dc=com" write
167        by dn="cn=pykotauser,dc=example,dc=com" read
168        --- CUT ---
169
170      Finally restart your LDAP server so that the changes will be applied :
171     
172        $ /etc/init.d/slapd restart
173       
174      Of course, depending on your needs, you may want to secure
175      your database connections in a completely different way or
176      add other security layers on top of this. To do so please
177      refer to your LDAP server's documentation because this is out
178      of the scope of the present document.
179       
180       
181  - Secure your CGI scripts :   
182 
183    If you use printquota.cgi or dumpykota.cgi, ensure that the user
184    they are run as can read the pykota.conf file but NOT the
185    pykotadmin.conf file.
186       
187    The particular user they will be run as depends on your web server's
188    settings.
189       
190    If you want to further restrict the access to these CGI scripts,
191    please read your web server's documentation to add either
192    encryption, authentication or both.
193       
194    The CGI scripts will honor the content of the REMOTE_USER CGI
195    environment variable which is set by your web server if an
196    authentication took place. If REMOTE_USER contains 'root' then, even
197    if you didn't authenticate using the real root account and password,
198    the scripts will consider they have been run by a PyKota
199    administrator and will report all datas if asked to do so. If
200    REMOTE_USER is not present, which means that you didn't chose to
201    secure access to your CGI scripts, the same will happen. If
202    REMOTE_USER contains something else, only datas pertaining to this
203    user will be made available through the web.
204   
205    NB : In any case, the CGI scripts actually included in PyKota only
206    do readonly accesses to PyKota's database.
207   
208====================================================================
Note: See TracBrowser for help on using the browser.