# $Id$

PyKota - Print Quota for CUPS and LPRng

(c) 2003 Jerome Alet
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.

====================================================================

These recommendations exist because, as of April 28th 2003, PyKota
doesn't enforce them. You may or may not follow them, depending on
your users' IT knowledge, how much you trust them, etc.

====================================================================

How to improve PyKota's security :
----------------------------------

  - In CUPS, disable RAW printing, so that users can't bypass
    the accounting filter.

  - Ensure that only the user your printing system is run as can
    execute the pykota filter.
    Depending on your system's configuration, this may give
    something like :

      $ chown lp:daemon /usr/bin/pykota
      $ chmod 700 /usr/bin/pykota

    If any user could run the pykota filter, then he could
    theoretically prevent any other user from printing by
    incorrectly charging them for pages they never printed.

  - Ensure that only the print quota administrator (e.g. root) can
    execute the edpykota and warnpykota commands.
    Depending on your system's configuration, this may give
    something like :

      $ chown root:root /usr/bin/edpykota /usr/bin/warnpykota
      $ chmod 700 /usr/bin/edpykota /usr/bin/warnpykota

    or

      $ chown root:lpadmin /usr/bin/edpykota /usr/bin/warnpykota
      $ chmod 750 /usr/bin/edpykota /usr/bin/warnpykota

    If any user could run warnpykota, then he could fill the
    mailboxes of all users who are above quota, by repeatedly
    running warnpykota.

    If any user could run edpykota, then he could, in the best
    case, set his account to noquota mode. In the worst case he
    could render PyKota and/or your printing system completely
    inoperative.

  - Ensure that no regular user can read PyKota administrator's
    configuration file, but that both the print quota administrator
    and the user the printing system is run as can read it.
    Depending on your system's configuration, this may give
    something like :

      $ chown lp:lpadmin /etc/pykota/pykotadmin.conf
      $ chmod 640 /etc/pykota/pykotadmin.conf

    If the print quota administrator is root then he will always
    be able to read PyKota's configuration file.

    Letting any user read PyKota administrator's configuration file
    may expose passwords or database information. A user who can
    write and execute his own scripts, or download and execute his
    own version of PyKota, could then connect to the database
    directly.

    If you want to let users generate their own print quota
    reports, then ensure that /etc/pykota/pykota.conf is readable
    by everyone, but writable only by the root user :

      $ chown root:root /etc/pykota/pykota.conf
      $ chmod 644 /etc/pykota/pykota.conf

    NB : If you use the printquota.cgi CGI script, ensure that the
    user this script is run as (e.g. nobody or www-data) can read
    PyKota's configuration file /etc/pykota/pykota.conf BUT can't
    read PyKota administrator's configuration file
    /etc/pykota/pykotadmin.conf
    Refer to Apache's documentation for details.

  - Secure your database connection :

    Depending on the database backend used, either PostgreSQL or
    OpenLDAP, you may have to take additional measures to make
    your database more secure. Please refer to your database
    system's documentation on configuration to learn how to do so.
    This is outside the scope of the present document, which only
    gives basic information.

    Keep in mind that if you use a centralized database, you may
    have to restrict which hosts can access it (i.e. the Print
    Servers).

    For the PostgreSQL backend, PyKota already defines a user with
    read/write access and another user with read-only access to
    the Print Quota Database. PyKota doesn't set any passwords for
    these users though, but doing it is recommended, and explained
    elsewhere in PyKota's documentation.

    For the OpenLDAP backend, YOU have to ensure that no regular
    user can write to any PyKota specific attribute or objectClass.
    Otherwise they could modify their quota at will.

====================================================================
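
The file mode recommendations above can be checked with a small audit script. This is an added example, not part of PyKota; the function names audit_file and audit_pykota are hypothetical, and it assumes a stat that accepts -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not part of PyKota): audit the files named in this
# document against the most permissive modes it recommends.

# audit_file PATH MAX_MODE [OWNER]
# Returns 0 if PATH has no permission bit outside MAX_MODE (octal) and,
# when OWNER is given, is owned by OWNER; 1 on a violation; 2 if missing.
audit_file() {
    path=$1 max=$2 owner=${3:-}
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    mode=$(stat -c '%a' "$path") || return 2
    # Bits set on the file that MAX_MODE does not allow. The 07777 mask
    # means setuid, setgid and sticky bits are flagged as well.
    extra=$(( 0$mode & ~0$max & 07777 ))
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL %s: mode %s exceeds %s\n' "$path" "$mode" "$max"
        return 1
    fi
    if [ -n "$owner" ] && [ "$(stat -c '%U' "$path")" != "$owner" ]; then
        printf 'FAIL %s: owner is not %s\n' "$path" "$owner"
        return 1
    fi
    printf 'OK   %s (%s)\n' "$path" "$mode"
}

# audit_pykota [ROOT]
# Checks the five files under ROOT (default: the real filesystem root).
# Owners are not checked here because they depend on the local setup
# (lp, root, lpadmin ...); pass one to audit_file to check it.
# Returns the number of files that are missing or too permissive.
audit_pykota() {
    root=${1:-}
    failures=0
    # 750 covers both variants given for edpykota/warnpykota (700 or 750).
    while read -r file max; do
        audit_file "$root$file" "$max" || failures=$((failures + 1))
    done <<EOF
/usr/bin/pykota 700
/usr/bin/edpykota 750
/usr/bin/warnpykota 750
/etc/pykota/pykotadmin.conf 640
/etc/pykota/pykota.conf 644
EOF
    return "$failures"
}
```

Source the file and run audit_pykota as root on the print server; a non-zero exit status is the count of files to fix.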