[Xprint] Limiting Xprint server access to restricted user group?

Felix Schulte felix.schulte at gmail.com
Fri Jun 10 19:22:34 EDT 2005


On 5/31/05, Peter Macarthur <petermacarthurmobile at yahoo.com.au> wrote:
> Is there a way to limit the access to a Xprint server
> to a restricted user group instead of all users on a
> machine? We'd like to tighten security on our machines
> a little bit and are therefore looking for a way to
> increase access control beyond the '-nolisten tcp'
> option.
> 

All X.org servers after X11R6.8.0 support a way to authenticate
local users and groups. You can edit /etc/init.d/xprint and remove the
-ac switch from the list of Xprt start options and then add a "(sleep
30 ; DISPLAY=theprintdisplay:theid xhost +si:localuser:root)".
The following section "SERVER INTERPRETED ACCESS TYPES" from
http://www.die.net/doc/linux/man/man7/xsecurity.7.html has more
information (but lacks examples):
-snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip-
SERVER INTERPRETED ACCESS TYPES
The sample implementation includes several Server Interpreted mechanisms:

    IPv6                          IPv6 literal addresses
    hostname                      Network host name
    localuser                     Local connection user id
    localgroup                    Local connection group id

IPv6
    A literal IPv6 address as defined in IETF RFC 3513. 
hostname
    The value must be a hostname as defined in IETF RFC 2396. Due to
Mobile IP and dynamic DNS, the name service is consulted at connection
authentication time, unlike the traditional host access control list
which only contains numeric addresses and does not automatically
update when a host's address changes. Note that this definition of
hostname does not allow use of literal IP addresses.
localuser & localgroup
    On systems which can determine in a secure fashion the credentials
of a client process, the "localuser" and "localgroup" authentication
methods provide access based on those credentials. The format of the
values provided is platform specific. For POSIX & UNIX platforms, if
the value starts with the character '#', the rest of the string is
treated as a decimal uid or gid, otherwise the string is defined as a
user name or group name.
    If your system supports this method and you use it, be warned that
some programs that proxy connections and are setuid or setgid may get
authenticated as the uid or gid of the proxy process. For instance,
some versions of ssh will be authenticated as the user root, no matter
what user is running the ssh client, so on systems with such software,
adding access for localuser:root may allow wider access than intended
to the X display.
-snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip-

-- 
      _        Felix Schulte
    _|_|_     mailto:felix.schulte at gmail.com
    (0 0)        
ooO--(_)--Ooo
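The procedure Felix describes (drop the blanket `-ac` flag, then grant only named local principals with `xhost +si:localuser:...` / `+si:localgroup:...`) as an added shell example; this is not code from the post or from the Xprint project. It only generates the commands and checks the value syntax described in the quoted xsecurity(7) text; it never talks to an X server. The helper names, the sample option string, the display `:64` and the user/group names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers that turn the advice
# above into something checkable: strip "-ac" (access control off) from the
# Xprt option list, and emit "xhost +si:..." grants for specific local
# principals. Function names and sample values are assumptions.

# strip_ac: remove a standalone "-ac" token, leave every other option alone.
#   $1 = option string, e.g. "-ac -nolisten tcp -pn"
strip_ac() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i != "-ac") out = out (out ? " " : "") $i
        print out
    }'
}

# si_grant: print one server-interpreted grant, validating the value form
# from xsecurity(7): a leading "#" means a decimal uid/gid, otherwise a name.
#   $1 = localuser | localgroup, $2 = name or "#<decimal id>"
si_grant() {
    case "$1" in
        localuser|localgroup) ;;
        *) echo "si_grant: kind must be localuser or localgroup, got '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        '') echo "si_grant: empty value" >&2; return 1 ;;
        '#'*)
            id=${2#?}
            case "$id" in
                ''|*[!0-9]*) echo "si_grant: '$2' is not a decimal id" >&2; return 1 ;;
            esac ;;
    esac
    # xsecurity(7) caveat: setuid proxies (some ssh versions) authenticate as
    # root, so a root grant can reach further than intended. Warn, still emit.
    case "$1:$2" in
        localuser:root|localuser:'#0')
            echo "si_grant: warning: $1:$2 may also admit setuid proxy processes" >&2 ;;
    esac
    printf 'xhost +si:%s:%s\n' "$1" "$2"
}

# xhost_script: build the "(sleep 30; ... xhost ...)" fragment from the post
# for a list of kind:value entries, so the grants are applied after Xprt is up.
#   $1 = display (e.g. :64), remaining args = entries like localuser:lp
xhost_script() {
    display=$1; shift
    out="(sleep 30; DISPLAY=$display; export DISPLAY"
    for e in "$@"; do
        case "$e" in
            *:*) ;;
            *) echo "xhost_script: entry '$e' is not kind:value" >&2; return 1 ;;
        esac
        kind=${e%%:*}; val=${e#*:}
        cmd=$(si_grant "$kind" "$val") || return 1
        out="$out; $cmd"
    done
    printf '%s)\n' "$out"
}

# Demo with assumed values: a print-spooler user and a "printers" group
# instead of root, as the man page excerpt recommends caution about root.
echo "Xprt options: $(strip_ac '-ac -nolisten tcp -pn')"
xhost_script :64 localuser:lp localgroup:printers
```

In an init script the generated fragment is normally backgrounded with a trailing `&`, otherwise the script blocks for the 30-second sleep; and a grant for a numeric id (`localgroup:#7`) is accepted only when everything after `#` is decimal digits, matching the format the quoted man page describes.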


More information about the Xprint mailing list