SUMMARY: Restricting printing

From: Dan Kirkpatrick <dkirk_at_phy.syr.edu>
Date: Thu, 13 Jul 2000 15:43:35 -0400

Thanks for the suggestions... easiest answer was:
restrict by putting 'rg=xxx' in /etc/printcap. The effect is to allow
printing only by users belonging to group 'xxx'.

Seems to work great... except for the minor note that a user not in the
access list doesn't seem to get anything telling them denied, but I'm sure
that could be remedied with a bunch of fiddling somehow...

I also received a couple of suggestions on using filters/scripts through the
printcap, but that then also requires some fiddling when it's a "remote" network
based printer. I'll attach at the bottom.


>I'm aware of the /etc/hosts.lpd file for restricting remote printing by
>hostname.
>
>Is there a reasonable way to restrict printing to a specific printer by
>machine and/or username?
>(We have a poster/plotter that we'd like to tightly restrict while
>allowing most other printers open access).
>
>Thanks,
>Dan


Script/filter suggestions:

>From: George Gallen <ggallen_at_slackinc.com>
>
>If the printer isn't a remote printer, why not use a filter (script) which
>either passes the data to STDOUT or passes a null to STDOUT and
>ditches the STDIN if no OK to print to.
>as long as the printcap entry doesn't have a "rm=" filters
>will work, if it has a rm=, then you have to create a second
>printcap entry which when it's done will pass off the output
>to the entry with the rm= queue. The problem is lpr doesn't
>run the data through a filter (even if it's listed) if it's
>a remote queue.
>
>What you could do is setup something like a /etc/nogood file
>have your script grep against this file with the current username
>and/or domain.
>
>I'm not a real good script writer myself, rarely use them
>except mostly as batch files.
>
>Then depending on which shell (csh, ksh or bash) the coding would
>be different.
>
>You might also be able to do it in perl and/or c. Say a 'c' program
>could use STDIN and STDOUT, first thing it does is check the user
>name and domain against a file, if it's ok then do a read/write
>from STDIN to STDOUT until EOF, otherwise just do a read from STDIN
>until EOF, just don't write to STDOUT. I'm not sure what would happen
>however, if you had a zero byte job going to a printer, it might still
>trigger a TOF on the printer.
>
>I'm not a PERL person, but it could be used as well.


>From: Oisin McGuinness <oisin_at_sbcm.com>
>
>The man page for lpd says:
>
>When an rs capability, which restricts remote users to those with local
> accounts, is specified in the /etc/printcap file for the printer being
> accessed, an lpr or lp request is honored only for those users having
> accounts on the same machine as the printer.
>
>
>Of course, to restrict stuff this way, you might have to be able to spare
>a box on which you restrict accounts to be a print spooler for this
>printer.
>
>Another way is to write your own if (input filter), see man printcap:
>
>The if filter is invoked with arguments according to the following format:
>
> if [-c] -wwidth -llength -iindent -nlogin -hhost acct-file
>
> The xf pass-through filter is specified when output is preformatted and
> does not require special filtering.
>
> The -c flag is passed only when the -l flag (pass control-characters
> literally) is specified to the lpr command. The -wwidth and -llength
> parameters specify the page width and length (from the assigned or default
> values of pw and pl respectively in the printcap file) in characters. The
> -n and -h flags specify the login name and hostname of the owner of the
> job, respectively. The acct-file is passed from the af entry in the
> printcap file.
>
> The if filter is opened for all individual jobs, which makes it suitable
> for accounting. When the if filter is not specified, the system uses the of
> filter as the default value. The of filter however, is opened only once and
> is only given the -wwidth and -llength flags.
>
>
>Then just wrap the filter that the plotter uses in something which checks
>the host/user name passed.
>Custom print filters are fun, though I have to admit it is a few years since
>I last wrote one.
>
>And of course, lprng should be able to do all this, but that's some work
>to set up.







--------------------------------------------------------------------------
Dan Kirkpatrick dkirk_at_phy.syr.edu
Computer Systems Manager
Department of Physics
Syracuse University, Syracuse, NY
http://www.phy.syr.edu/~dkirk Fax: (315) 443-9103
--------------------------------------------------------------------------
Received on Thu Jul 13 2000 - 19:44:37 NZST
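
The wrapper idea from the replies above (check the login and host that lpd passes to the if filter, then either hand the job to the plotter's real filter or drain it), as an added example that is not code from the original thread. The paths /etc/plotter.allow and /usr/local/lib/plotter-if are hypothetical, and it uses an allow list rather than the /etc/nogood deny list so that unknown users are refused by default.

```shell
#!/bin/sh
# Added example: access-checking wrapper installed as the plotter's "if" filter.
# lpd calls it as:  if [-c] -wwidth -llength -iindent -nlogin -hhost acct-file
# Hypothetical names (not from the original post): both paths below.
ALLOW_FILE=${ALLOW_FILE:-/etc/plotter.allow}            # one "user@host" or "user@*" per line
REAL_FILTER=${REAL_FILTER:-/usr/local/lib/plotter-if}   # the filter the plotter already uses

# Set LOGIN and HOST from the -n/-h arguments. Accepts the joined form shown in
# the man page excerpt and the separate-word form ("-n login") some lpds use.
parse_if_args() {
    LOGIN='' HOST=''
    while [ $# -gt 0 ]; do
        case $1 in
            -n)   LOGIN=${2-}; [ $# -gt 1 ] && shift ;;
            -n?*) LOGIN=${1#-n} ;;
            -h)   HOST=${2-};  [ $# -gt 1 ] && shift ;;
            -h?*) HOST=${1#-h} ;;
        esac
        shift
    done
}

# Succeed only on an exact whole-line match; fail closed if the login is empty
# or the allow file is missing or unreadable.
is_allowed() {
    [ -n "$1" ] && [ -r "$ALLOW_FILE" ] || return 1
    grep -Fxq -e "$1@$2" -e "$1@*" "$ALLOW_FILE"
}

run_filter() {
    parse_if_args "$@"
    if is_allowed "$LOGIN" "$HOST"; then
        $REAL_FILTER "$@"            # job data: stdin -> real filter -> stdout
    else
        cat >/dev/null               # drain the job, send nothing to the plotter
        echo "plotter: denied job from ${LOGIN:-?}@${HOST:-?}" >&2
    fi
}

# lpd always passes arguments; with none (e.g. when sourced) only define functions.
if [ $# -gt 0 ]; then
    run_filter "$@"
fi
```

The -n and -h values are taken from the job's control file, so for jobs accepted from other hosts they are only as reliable as the submitting host; /etc/hosts.lpd still needs to limit which hosts may submit.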
