Operating System - HP-UX

Re: cancel non-owned print jobs

 
Dave Chamberlin
Trusted Contributor

cancel non-owned print jobs

Greetings,
My problem is I need to allow user B to cancel a print queue, using cancel -e. I have tried creating a script and a C program and did chmod 4755 on those. Either way, the program still comes back with "must be root...". Why doesn't this work? Is there another way to do what I need to do?
Thanks
Cheryl Griffin
Honored Contributor

Re: cancel non-owned print jobs

You could set up Restricted SAM to give individual users the right to cancel other people's print jobs.

Cheers!
Cheryl
"Downtime is a Crime."
Cheryl Griffin
Honored Contributor

Re: cancel non-owned print jobs

A. Clay Stephenson
Acclaimed Contributor
Solution

Re: cancel non-owned print jobs

Dave, your C program will certainly work. I assume that your file was 4755 and owned by root AND that you then did a setuid(0) before making a system() call that invokes the cancel command. This absolutely will work.

I do exactly that using a program I have used for many years. In the past couple of years, I have even added some options that allow it to be called from some CGI code so that users can cancel their own jobs or, if members of a privileged group, can cancel anyone's print job from a webpage.
If it ain't broke, I can fix that.
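
The approach described in the answer above, sketched as an added example; it is not part of the original thread and is not the poster's program. It calls cancel directly with execve() rather than through system(), so no shell parses the user's argument. The path /usr/bin/cancel, the queue-name rule and the length limit are assumptions.

```c
/* Added example, not from the thread. Assumed: cancel is at /usr/bin/cancel,
 * queue names are [A-Za-z0-9_] and at most 14 characters long. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CANCEL_PATH   "/usr/bin/cancel"  /* assumed path */
#define MAX_QUEUE_LEN 14                 /* assumed limit */

/* Return 1 if name is a plain queue name, 0 otherwise. Rejecting anything
 * else keeps options ("-x"), paths and shell metacharacters out of argv. */
int valid_queue_name(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_QUEUE_LEN)
        return 0;
    for (i = 0; i < len; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '_')
            return 0;
    return 1;
}

int main(int argc, char *argv[])
{
    /* Fixed environment: PATH, IFS etc. are not inherited from the caller. */
    char *clean_env[] = { "PATH=/usr/bin", NULL };
    char *args[4];

    if (argc != 2 || !valid_queue_name(argv[1])) {
        fprintf(stderr, "usage: qcancel queue\n");  /* qcancel: hypothetical name */
        return 2;
    }
    /* The 4755 bit changes only the effective UID. With effective UID 0,
     * setuid(0) also sets the real and saved UIDs to 0. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    args[0] = "cancel"; args[1] = "-e"; args[2] = argv[1]; args[3] = NULL;
    execve(CANCEL_PATH, args, clean_env);   /* replaces this process; no shell */
    perror("execve");
    return 1;
}
```

Installed as mode 4750, owned by root and with a group that contains only the users allowed to cancel jobs, the wrapper is limited to those users instead of everyone on the system.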
S.K. Chan
Honored Contributor

Re: cancel non-owned print jobs

This is how you can do this with "restricted sam builder". As root run ..
# sam -r
You will see "Load User Privileges" dialog box. In here select "userB"
=> Choose "Printers & Plotters"
=> From the menu Actions->Enable
=> Since you want "userB" to be able to cancel print requests you only need to "enable"..
Printers&Plotters->LP spooler->PrintRequests
=> From menu do, Actions->SaveUser Privileges

Dave Chamberlin
Trusted Contributor

Re: cancel non-owned print jobs

You the man Clay!! I put in the setuid statement and it works perfectly. The restricted SAM would work also - except the user does not have a GUI terminal. Curiously, I have never needed the setuid in the past and have created many programs that used the 4755 setting. I wonder if it is because my other programs have all run in C-shell and this is Bourne Shell?
Thanks all
James R. Ferguson
Acclaimed Contributor

Re: cancel non-owned print jobs

Hi Dave:

In general, 'setuid' scripts will work *if* you explicitly declare the Posix shell interpreter:

#!/usr/bin/sh
#...remainder of script

Regards!

...JRF...
Cheryl Griffin
Honored Contributor

Re: cancel non-owned print jobs

You can run SAM in tui (text) mode also. I prefer tui because gui seems to take forever.
From the command line I unset the display:
# unset DISPLAY
# sam

Seems to work quicker than waiting for fancy gui screens. But that could be my imagination.

Cheryl
"Downtime is a Crime."
Bill Hassell
Honored Contributor

Re: cancel non-owned print jobs

Probably not the Bourne shell, despite the name sh. In HP-UX, the POSIX shell is called /usr/bin/sh while the Bourne shell is hidden away in /usr/old/bin/sh (should you ever want it). The POSIX shell is like all POSIX shells (ksh, bash, etc) and of course, nothing like csh. However, all script writers will agree that setuid for scripts is a really bad idea in that there are so many easy exploits to gain normally forbidden privileges.

Instead, look at having the users login as lp (you'll have to modify the lp user to provide a password and $HOME directory). Now users can su to lp, cancel their job and leave without compromising root's privileges.

And yes, the character mode for sam (and swinstall, etc) all run faster than their GUI versions. In fact, when you use a smart HP terminal, the function keys are more than twice as fast as mousing around on the windows. I use the character mode so much that I created an alias:

alias samc="(unset DISPLAY;sam)"

which leaves the DISPLAY set in the login shell but unsets it just for SAM.


Bill Hassell, sysadmin
Misa
Frequent Advisor

Re: cancel non-owned print jobs

There's always sudo for this function:

http://hpux.cs.utah.edu/

sudo allows you to specify who can use root (or another userid): anything from "user A can do any root command anywhere" to "user A can run command B as root, but only on machine C."

sudo has been picked over by many people during its lifetime and AFAIK is free of exploits (assuming you do write your configuration file correctly).

You can also set up a print queue (done with JetAdmin, at least) such that anyone can cancel jobs in the queue.