| 32 | | - In CUPS disable RAW printing, so that users can't bypass the accounting |
| 33 | | filter. |
| 34 | | |
| 35 | | - Ensure that only the user your printing system is run as can |
| 36 | | execute the pykota filter. Depending on your system's configuration, |
| 37 | | this may give something like : |
| 38 | | |
| 39 | | $ chown lp.daemon /usr/bin/pykota |
| 40 | | $ chmod 700 /usr/bin/pykota |
| 41 | | |
| 42 | | If any user could run the pykota filter, then he theorically could |
| 43 | | forbid any other user to print by incorrectly charging them for |
| 44 | | pages they would never have printed. |
| 45 | | |
| 46 | | - Ensure that only the print quota administrator (e.g. root) can |
| 47 | | execute the edpykota and warnpykota commands. Depending on your |
| 48 | | system's configuration, this may give something like : |
| 49 | | |
| 50 | | $ chown root.root /usr/bin/edpykota /usr/bin/warnpykota |
| 51 | | $ chmod 700 /usr/bin/edpykota /usr/bin/warnpykota |
| 52 | | |
| 53 | | or |
| 54 | | |
| 55 | | $ chown root.lpadmin /usr/bin/edpykota /usr/bin/warnpykota |
| 56 | | $ chmod 750 /usr/bin/edpykota /usr/bin/warnpykota |
| 57 | | |
| 58 | | If any user could run warnpykota, then he could fill the mailboxes |
| 59 | | of all users who are above quota, by repeatedly running warnpykota. |
| 60 | | |
| 61 | | If any user could run edpykota, then he could, in the better case, |
| 62 | | set his account to noquota mode. In the worst case he could render |
| 63 | | PyKota and/or your printing system completely inoperative. |
| | 32 | - Most of the stuff which was there was deleted because PyKota's |
| | 33 | configuration files permissions should take care of most |
| | 34 | security problems. BUT of course, you have to set them correctly ! |
