
46. UNIX and Samba Printing

This example is primarily meant to get Samba printing working, but it will work fine for local UNIX printing too. It assumes you have an HP LaserJet IIp and that it's connected on LPT1 (not LPT0).

- Using the BSD "lpd" program has usually been understood to be a *HIGH* security risk. The reason is that the various "lp" tools have SUID ROOT permissions, meaning that when anybody runs the "lpr" program, the program actually runs as if "root" ran it.

Though we can't do anything about this for "lpr", we can fix things for "lpd": increase the permissions on the /dev/lp* devices and remove the SUID bit from "lpd". What does opening up the permissions on /dev/lp* do against you? People could possibly cat text to the device and make it run out of paper, but who cares!!!

The permissions in /usr/bin/ were changed from


                --
                -r-sr-sr-x   1 root     root        13876 Oct  1 21:55 lpq
                -rwxr-xr-x   1 root     root         2406 Aug 15  1998 lpqall.faces
                -r-sr-sr-x   1 root     root        15068 Oct  1 21:55 lpr
                -r-sr-sr-x   1 root     root        14732 Oct  1 21:55 lprm
                -rwxr-xr-x   1 root     root         3492 Oct  1 21:55 lptest
                -rwxr-xr-x   1 root     root         2507 Oct 11 00:15 lpunlock
                --

to


                        chmod 700 /usr/sbin/lpd
                        chmod 755 /usr/bin/lp*
                        chmod 4755 /usr/bin/lpr

and


                        chmod 660 /dev/lp0

One note about the file permissions on "lpr" from Section 8:

                #NOTE: I feel setting "lpr" to allow any group to execute it is 
                #        a bad thing.  
                #
                #        I would like to add UNIX users and even the Samba process to 
                #        the "lp" group already defined in /etc/groups and then be able 
                #        to put things back to 4750.  BUT.. I just talked to a buddy 
                #        of mine and this really isn't possible.  Linux doesn't support
                #        multiple groups per file and Linux doesn't support access lists
                #        (ACLs) yet.  So, you either have to do all this or run LPRng.
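
A check for the result of the chmod steps above, added here as an example (it is not part of TrinityOS): it compares the modes of lpd, the /usr/bin/lp* tools and /dev/lp0 with the values this section sets. The function names, the optional root prefix and the LP_AUDIT switch are assumptions, and it needs GNU stat.

```shell
#!/bin/sh
# Added example: audit the modes this section sets with chmod.
# Paths and modes come from the page; function names, the optional root
# prefix and the LP_AUDIT switch are assumptions made for this example.
# Requires GNU stat ("stat -c").

# check_mode PATH WANT: return 0 if PATH has octal mode WANT, else report it.
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    [ "$actual" = "$2" ] && return 0
    echo "MODE $1 $actual (want $2)"
    return 1
}

# audit_lp_modes [ROOT]: check every file the section touches.
# ROOT is prepended to each path so a copied tree can be audited.
audit_lp_modes() {
    root=${1:-}
    rc=0
    check_mode "$root/usr/sbin/lpd" 700 || rc=1   # lpd: SUID bit removed
    check_mode "$root/dev/lp0" 660 || rc=1        # printer device
    for f in "$root"/usr/bin/lp*; do
        [ -e "$f" ] || continue
        case $f in
            */lpr) want=4755 ;;                   # the one SUID tool kept
            *)     want=755 ;;                    # lpq, lprm, lptest, ...
        esac
        check_mode "$f" "$want" || rc=1
    done
    return "$rc"
}

# Audit the live system only when asked to: LP_AUDIT=1 sh <this file>
if [ "${LP_AUDIT:-0}" = 1 ]; then audit_lp_modes; fi
```

Each finding is one line, "MODE path actual (want expected)" or "MISSING path", and the function returns non-zero if there is any finding.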

- Next, create the /etc/printcap file and put in the following. Please note that this example is for an HP LaserJet IIp on LPT1 and an Epson Stylus 500 Color ink jet on LPT2.

The following "lp" setting is for local UNIX printing and "Hp_Lj2p" is for Samba printing:


                --
                ##PRINTTOOL3## LOCAL ljet2p 300x300 letter {} LaserJet2p Default 1
                lp:\
                :sd=/var/spool/lpd/lp:\
                :mx#0:\
                :sh:\
                :lp=/dev/lp1:\
                :if=/var/spool/lpd/lp/filter:

                ##PRINTTOOL3## LOCAL epsonc 240x216 letter {} EpsonLQ24 Default {}
                lp2:\
                :sd=/var/spool/lpd/lp2:\
                :mx#0:\
                :sh:\
                :lp=/dev/lp2:\
                :if=/var/spool/lpd/lp2/filter:

                Hp_Lj2p|raw:\
                        :rw:sh:\
                        :mx#0:\
                        :lp=/dev/lp1:\
                        :sd=/var/spool/samba:\
                        :fx=flp

                Epson_S|raw:\
                        :rw:\
                        :sh:\
                        :mx#0:\
                        :lp=/dev/lp2:\
                        :sd=/var/spool/samba:\
                        :fx=flp
                --

- Next, you need to re-enable "lpd" from Section 8 and then load up the lpd daemon:

- Redhat: /etc/rc.d/init.d/lpd start

- Slackware: /usr/sbin/lpd -l&

- If you are running Samba, you'll have to edit your /etc/smb.conf file as shown in the Samba section of TrinityOS and then restart the SMB process.

- From here, Samba Printing should work fine.

- If you want to do native UNIX printing, it starts to get VERY crazy without a configuration tool. I could post my /var/spool/lpd/lp/filter file, but it's over 9K and specific to the way Redhat does things! So, I highly recommend using a GUI tool native to your specific distribution.

- Redhat:

Xwindows-GUI: printtool (via control-panel)

NOTE: The HP LaserJet needs the "anti-staircase" option

- Slackware: ???

- Once the GUI tool sets up your printer, things should be good to go. To be honest, it SUCKS that I'm not documenting how to do it via a command line but I have to say that UNIX printing is so damn hard! Oh well.. sorry!

