| 32 | | - Most of the stuff which was there was deleted because PyKota's |
| 33 | | configuration files permissions should take care of most |
| 34 | | security problems. BUT of course, you have to set them correctly ! |
| | 25 | - Secure your printers : |
| | 26 | |
| | 27 | Tell them to refuse any print job not coming from your print server. |
| | 28 | Do this with telnet to set ACLs based on incoming IP addresses if |
| | 29 | possible, or through any other way. |
| | 30 | |
| | 31 | Put all your printers on a private unroutable subnet, different from |
| | 32 | the subnet on which your client hosts will reside. Ensure that the |
| | 33 | only machine allowed to access to this subnet is your print server. |
| 38 | | Tell it to refuse any print job not coming from your print |
| 39 | | server. |
| | 38 | Don't give shell access to your users on your print servers, and |
| | 39 | don't let them execute unauthorized commands : they could very well |
| | 40 | compile and/or execute tools like NetCat, and send datas directly to |
| | 41 | the printer in the case the printer is networked, thus bypassing the |
| | 42 | printing system and PyKota. |
| | 43 | |
| | 44 | Ensure that no regular user can read PyKota administrator's |
| | 45 | configuration file, but that both the PyKota Administrator and the |
| | 46 | user the printing system is run as can read it. With CUPS under |
| | 47 | Debian you may want to do : |
| 41 | | Don't give shell access to your users on your print server, |
| 42 | | or don't let them execute unauthorized commands : they could |
| 43 | | very well compile and execute tools like NetCat, and send |
| 44 | | datas directly to the printer in the case the printer is |
| 45 | | networked, thus bypassing the printing system and PyKota. |
| | 49 | $ chown pykota.pykota pykota.conf pykotadmin.conf |
| | 50 | $ chmod 640 pykota.conf |
| | 51 | $ chmod 600 pykotadmin.conf |
| | 52 | |
| | 53 | Depending on your needs, you may want to put the user the printing |
| | 54 | system is run as in the group 'pykota', and relax permissions a bit |
| | 55 | so that this user can read the pykotadmin.conf file while printing. |
| | 56 | For example : |
| 47 | | - Ensure that no regular user can read PyKota administrator's |
| 48 | | configuration file, but that both the print quota administrator and |
| 49 | | the user the printing system is run as can read it. Depending on |
| 50 | | your system's configuration, this may give something like : |
| 51 | | |
| 52 | | $ chown lp.lpadmin /etc/pykota/pykotadmin.conf |
| 53 | | $ chmod 640 /etc/pykota/pykotadmin.conf |
| 54 | | |
| 55 | | If the print quota administrator is root then he will always be |
| 56 | | able to read PyKota's configuration file. |
| | 58 | $ chmod 640 pykotadmin.conf |
| | 59 | $ adduser lp pykota |
| | 60 | (this makes user 'lp' a member of group 'pykota') |
| 64 | | then ensure that /etc/pykota/pykota.conf is readable by |
| 65 | | everyone, but writeable only by the root user : |
| | 68 | then ensure that /etc/pykota/pykota.conf is readable by these users. |
| | 69 | To do this you can either put this users in the group 'pykota' while |
| | 70 | ensuring they can't read pykotadmin.conf with 'chmod 600 pykotadmin.conf' |
| | 71 | or simply allow everyone to read pykota.conf with 'chmod 644 pykota.conf' |
| | 72 | |
| | 73 | - Secure your CGI scripts : |
| | 74 | |
| | 75 | If you use printquota.cgi or dumpykota.cgi, ensure that the user |
| | 76 | they are run as can read the pykota.conf file but NOT the |
| | 77 | pykotadmin.conf file. |
| | 78 | |
| | 79 | The particular user they will be run as depends on your web server's |
| | 80 | settings. |
| | 81 | |
| | 82 | If you want to further restrict the access to these CGI scripts, |
| | 83 | please read your web server's documentation to add either |
| | 84 | encryption, authentication or both. |
| | 85 | |
| | 86 | The CGI scripts will honor the content of the REMOTE_USER CGI |
| | 87 | environment variable which is set by your web server if an |
| | 88 | authentication took place. If REMOTE_USER contains 'root' then, even |
| | 89 | if you didn't authenticate using the real root account and password, |
| | 90 | the scripts will consider they have been run by a PyKota |
| | 91 | administrator and will report all datas if asked to do so. If |
| | 92 | REMOTE_USER is not present, which means that you didn't chose to |
| | 93 | secure access to your CGI scripts, the same will happen. If |
| | 94 | REMOTE_USER contains something else, only datas pertaining to this |
| | 95 | user will be made available through the web. |
| 67 | | $ chown root.root /etc/pykota/pykota.conf |
| 68 | | $ chmod 644 /etc/pykota/pykota.conf |
| 69 | | |
| 70 | | NB : If you use the printquota.cgi CGI script, ensure that |
| 71 | | the user this script is run as (e.g. nobody or www-data) |
| 72 | | can read PyKota's configuration file /etc/pykota/pykota.conf |
| 73 | | BUT can't read PyKota administrator's configuration file |
| 74 | | /etc/pykota/pykotadmin.conf |
| 75 | | Refer to Apache's documentation for details. |
| 76 | | |
| | 97 | NB : In any case, the CGI scripts actually included in PyKota only |
| | 98 | do readonly accesses to PyKota's database. |
| | 99 | |
