Printer Sharing and Access Control

Now that your printer(s) are configured and ready for use, you can now begin to further customize your print servers to share to clients. By default, all clients on your network will be able send requests and jobs to your new print server. Moreover, since modern print servers use the Internet Printing Protocol, any requests from the Internet are accepted as well, which can become a security issue. You should have your firewall configured to block port 631, on which the Red Hat Linux printing system listens. You can further configure the server to restrict access of printers to certain users or groups. Such restrictions on resources is termed access control. Red Hat Linux has several facilities for restricting access to server resources.

Printer Sharing with LPRng and the /etc/hosts.lpd File

For pure Linux or Linux/UNIX environments, printer sharing can be controlled using the /etc/hosts.lpd file. This file is not created by default; as root, create the file /etc/hosts.lpd on the machine to which the printer is attached. On separate lines in the file, add the IP address or hostname of each machine which should have printing privileges:

falcon.example.com
pinky.example.com
samiam.example.com
pigdog.example.com
yeti.example.com

To have LPRng use /etc/hosts.lpd for access control, you must add the following line to /etc/lpd.perms:

ACCEPT SERVICE=X REMOTEHOST=</etc/hosts.lpd
        

NoteNote
 

This line must be added to /etc/lpd.perms before the line containing "REJECT SERVICE=X NOT SERVER". Failure to do so will prevent /etc/hosts.lpd from being recognized.

Finally, restart the lpd printer daemon by issuing the command /sbin/service lpd restart (as root).

Printer Sharing with CUPS and lpadmin

Printer sharing for Linux/UNIX environments can also be controlled using the lpadmin command.

Because lpadmin is part of CUPS, you must first ensure that your system is configured to use CUPS as the default printing system. To do this, launch the Printer System Switcher application by executing the command redhat-switch-printer and selecting CUPS.

Once CUPS has been selected as the default printing system, you can then use lpadmin to make the necessary change. For example, to allow only a few select users to use your expensive graphical inkjet printer, run the following command:

lpadmin -p graphic_inkjet -u allow:bob,ted,alice

Note that only the users you specify will be able to print to the graphic_inkjet printer. Root and other users will not be able to access it. The resulting entry will be added to /etc/cups/printers.conf:

<Printer graphic_inkjet>
  Info This printer was modified by the lpadmin command 
  Location Dustbin or Black Hole 
  DeviceURI file:/dev/null 
  State Idle 
  Accepting Yes 
  JobSheets none none 
  AllowUser bob 
  AllowUser ted
  AllowUser alice 
</Printer>

You can edit this file in a text editor to modify or add elements to the access control list, such as hostnames. For more information on using lpadmin, type man lpadmin at a shell prompt.

Printer Sharing with Samba

If you are setting up a print server in a heterogeneous environment where users run various operating systems (such as Linux and Windows), you can restrict printer access using Samba. The central point for configuration of Samba services (including file sharing and administration) is the file /etc/samba/smb.conf. The following is an example of setting up sharing for Windows clients and Linux clients using Samba.

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   printer = raw
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

In the example above, browsing has been turned off, so clients must explicitly configure the device instead of being able to browse the printer via Windows Network Neighborhood. Set the flag to yes to allow browsing. Also, set guest ok = no to yes to allow guest machines to print to your print server. Since Windows users will probably use the Windows-supported print drivers and send the binary print jobs to the printer, the setting printer = raw is used so that the print server does not use its own filters on top of the Windows print driver filter, potentially corrupting the output.

To restrict certain users access to printing services, the valid users option should be added. For example, to allow print access only to user fred and the group @design, set guest ok to no and add the following line:

valid users = fred @design

If your samba service is already started or running, you should restart it each time you edit the /etc/samba/smb.conf file by typing /sbin/service smb restart at a shell prompt.