This chapter assumes that you are familiar with the standard IRIX treatment of printing and tape devices, including system backup and restoration strategies. Complete information on the use of peripheral devices with SGI systems can be found in the guide titled IRIX Admin: Peripheral Devices. Further, complete information on system backups can be found in the guide titled IRIX Admin: Backup, Security, and Accounting.
Sections in this chapter include:
Printing under the Trusted IRIX/CMW system requires no special resources. Except where noted in this chapter, printing operates exactly as described in your standard IRIX documentation. Trusted IRIX/CMW meets the requirement for B1-level systems for labeled printing. Each page of printed output has a MAC label printed at the top and bottom of the page.
The system intercepts the output of a print request before it is sent to the printer and ensures that appropriate banner pages and individual page labels are produced. Line printing under Trusted IRIX/CMW is essentially the same as under standard IRIX, except that printed copy is labeled and fewer printer options are supported. The printer daemon process (see the lpsched(8) man page) must be run from the system startup scripts. The printer process can be stopped and restarted while the system is running by using the following commands (you must be logged in as lp or root with CAP=all+eip):
/etc/init.d/lp stop
/etc/init.d/lp start
Trusted IRIX/CMW supports line printing on ASCII (dumb) printers and PostScript printers. The utilities that allow labeled PostScript output, however, are not resistant to label spoofing programs. Because of this weakness, it is up to the individual system administrator to determine whether PostScript printing can be allowed at the site. One possible method is to restrict printing to a single label on each PostScript printer and load the printer with pre-labeled paper.
This section defines the methods implemented to properly label printed output. There are several parts to the printing system: the print job submission program, the program that produces the output (in the case of PostScript), and the program that labels the output.
PostScript requires a print job to be written in the PostScript definition language. This language specifies the parameters and specifics of the printout. Trusted IRIX/CMW has implemented a filter to this output production program that attaches labels to the individual page specifications and creates an appropriately labeled banner page.
ASCII printers rely on escape sequences within the print stream to provide directions to the printer. Trusted IRIX/CMW has implemented a filter for ASCII print jobs that inserts the labels into the print stream.
Trusted IRIX/CMW has implemented the lp and pr utilities to produce labeled printer output. Using the information supplied here, the system administrator can extend support to other printers. Printing interface utilities under UNIX are usually in the form of shell scripts that are invoked by the lp command. The usual MAC policies are implemented around printing requests. The print request inherits the label of the user process that submitted the print job, and this label is used to control access to the print job. For example, MAC must be satisfied in order to cancel the print job or to call up the job on the printer spooler queue. When printing on an ASCII printer, the print job is sent through the pr filter program with the -b option in order to filter out escape sequences and apply the internal page labels.
Other optional arguments to the pr program are -l and -f, followed by the filename and the name of the type of printer.
The procedure in this section shows how to configure a device as a dumb printer. As an example, this section uses /dev/plp as the device name and elephant as the name of the printer.
The following procedure requires that /dev/plp and the hardware device that it is linked to are both labeled at dbadmin (for example, /dev/plp might be linked to /hw/parallel/plp). If they are not both labeled at dbadmin, follow the steps to change the labels. The printer setup may fail if the labels are not correct, and printing may not function even if the labels are corrected at a later time.
You can change the MAC label on /dev/plp by executing the following command from a shell with sufficient privilege. For more information, see the chlabel(1) man page.
chlabel dbadmin /dev/plp
To change the MAC label for devices in the /hw directory and ensure that they are preserved when the machine is restarted, use the /etc/iosecurity file. For each hardware device in /hw that you want to print to, you must add an entry to the /etc/iosecurity file. The entries should have the following format:
After the entries have been added, you can either restart the machine or run the attrinit command by issuing the following command:
Refer to the attrinit(1) man page for information on required capabilities.
Check that the MAC labels have been set to dbadmin with the following commands (and their output):
ls -M /dev/plp
/dev/plp [dbadmin]
ls -M /hw/parallel/plp
/hw/parallel/plp [dbadmin]
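Because wrong labels can break the printer setup even if they are corrected later, the label check can be scripted and run before lpadmin. The following is an added example, not part of the original guide: the function name check_labels is hypothetical, and the script assumes the "path [label]" output form of ls -M shown above.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight check of MAC labels.
# Reads `ls -M` output in the "path [label]" form on stdin and prints every
# path whose label differs from the expected one.
# Returns 0 only if every line carries the expected label.
check_labels() {
    expected=$1
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case $line in
            *" ["*"]")
                path=${line% \[*}      # text before the last " ["
                label=${line##* \[}    # text after the last " ["
                label=${label%\]}      # drop the closing bracket
                ;;
            *)
                # No bracketed label on the line: treat it as a failure.
                path=$line
                label="(none)"
                ;;
        esac
        if [ "$label" != "$expected" ]; then
            echo "MISMATCH: $path is [$label], expected [$expected]"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample input; on the system itself, pipe in the output of
#   ls -M /dev/plp /hw/parallel/plp
check_labels dbadmin <<'EOF' || echo "Fix the labels before running lpadmin."
/dev/plp [dbadmin]
/hw/parallel/plp [dblow]
EOF
```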
To create the printer named elephant, follow this procedure:
Log in as the root user at the dbadmin MAC label, with all capabilities, then change to the lp user by entering the following command:
su root -C all=eip
newlabel dbadmin
su lp
Note: You cannot log in as the lp user from any label other than dbadmin. Therefore, use the newlabel command to set dbadmin before using su to change to the lp user.
Stop the printing spooler while the following operations take place:
Create a new printer named elephant and set the MAC label range to msenlow/minthigh...msenhigh/mintlow (that is, all labels):
/usr/lib/lpadmin -pelephant -mdumb -v/dev/plp \
Enable the new printer:
Direct the new printer to begin accepting requests:
Direct lpadmin to make elephant the default printer.
Restart the printing spooler:
Confirm that the printer elephant is enabled and will accept requests. The displayed information should indicate that printer “elephant is accepting requests since date”.
Some larger systems have multiple device ports. If you are installing printers on these ports, be sure that each printer has been labeled at dbadmin using the /etc/iosecurity file described previously.
If you are installing a serial printer, you can use any /dev/ttyd* port, but that port must be labeled at dbadmin in /etc/iosecurity as described previously.
One of the most important responsibilities of the system administrator is that of preventive maintenance. It is very important to create frequent backups of all files on the system. It is far less painful to recover a system whose files are a day old than it is to start from scratch. If you back up your entire filesystem at least weekly and back up changed files every day, you can maintain a reasonable assurance that the data contained on your backups is uncorrupted and current.
The original distribution media for your system should always be stored in a safe place.
After your trusted software is installed and configured, but before you allow users to begin work, make a complete backup of your system using tar and make a record of all your system files, their attributes and a checksum, and store this backup with your distribution media. With this record and the original tapes you should be able to recreate your system if needed.
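One way to build and later re-check such a record is sketched below. This is an added example, not part of the original guide: the function names make_manifest and compare_manifests are hypothetical, file names are assumed to contain no newlines, and the record covers mode, owner, group, size and the cksum CRC but not MAC labels.

```shell
#!/bin/sh
# Added example (not from the original guide): baseline record of files,
# their attributes and a checksum, plus a later comparison against it.

# make_manifest DIR: one line per regular file under DIR, sorted by path:
#   mode owner group size crc path
make_manifest() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        # ls -ld columns: 1=mode 3=owner 4=group 5=size
        attrs=$(ls -ld "$f" | awk '{print $1, $3, $4, $5}')
        crc=$(cksum < "$f" | awk '{print $1}')
        printf '%s %s %s\n' "$attrs" "$crc" "$f"
    done
}

# compare_manifests OLD NEW: print added, removed or changed entries
# ("<" = baseline entry, ">" = current entry); return 1 if any differ.
compare_manifests() {
    drift=$(diff "$1" "$2" | grep '^[<>]' || true)
    if [ -z "$drift" ]; then
        return 0
    fi
    printf '%s\n' "$drift"
    return 1
}

# Demo on constructed files in a scratch directory.
demo=$(mktemp -d)
mkdir "$demo/etc"
echo 'original setting' > "$demo/etc/sample.conf"
make_manifest "$demo/etc" > "$demo/baseline"   # store this with the backup
echo 'changed setting' >> "$demo/etc/sample.conf"
make_manifest "$demo/etc" > "$demo/current"
compare_manifests "$demo/baseline" "$demo/current" || echo "drift detected"
rm -rf "$demo"
```

Keep the baseline manifest with the backup and the distribution media rather than on the live system, so that it cannot be altered along with the files it describes.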
Backups should be done by the individual users in a workstation environment or by the system administrator if a server is used. The specific backup practices at any given site should be approved by the system administrator. The tape device for the Trusted IRIX/CMW system (/dev/tape) is shipped with an exact label. The system administrator must change this label each time a user at a different label wishes to use the tape device.
B1 systems are required to provide for labeled tape backups. Trusted IRIX/CMW meets this requirement by providing the new M keyword to the tar command. This keyword directs tar to maintain the security labels on all files placed on the tape. To recover files from backup, use tar with the M keyword. Always remember that it is still possible to make unlabeled backups using tar without the M keyword. Also, using tar to extract labeled files without the M keyword results in the loss of label data. (When the files are recovered they will be labeled at the user's process label.) It is therefore strongly recommended that access to the physical tape device and possession of magnetic tapes be limited to the system administrator. Even though tar maintains labeling on the tape, the act of making a tape is still subject to MAC. Assuming that root makes the system backups, root should follow this procedure for system backups:
Make sure that root has read privilege to all directories and files.
Use the chlabel command to change the label of the tape device to match your label.
Change directories to the directory you wish to back up.
Enter the following command to begin the backup:
tar cvM .
Write the highest label on your system on the surface of the tape cartridge, so it is not inadvertently made available or discarded.
Recovering files in this manner is the reverse of removal. You must make certain that the tape device is properly labeled, and then you can restore files using the tape you made previously. If all the files in a directory are known to be at a single label, you can log in with sufficient clearance, change the label of the tape device to match the directory label, and make a single-level backup. You should still use the M keyword to tar, however, to maintain the label information. Also, write the label of the information content of the tape on the surface of the tape cartridge.
A program called /etc/rmt in the Trusted IRIX/CMW system allows you to use the remote tape drive feature of tar. The /etc/rmt file is distributed with the label binary.
To use the remote tape drive features of tar over a monolabel network connection, you must change the label of /etc/rmt to match the label of your monolabel network.
The xfsdump(1M) command backs up directories and files with their attributes, including MAC labels, capabilities, and ACLs. The files and directories are stored in a dump file, which could be storage media, a regular file, or standard output. The xfsdump command must be executed by root. If the xfsdump command is executed at the dbadmin label, the following set of capabilities is needed: CAP_DAC_READ_SEARCH+eip, CAP_DEVICE_MGT+eip, and CAP_MAC_READ+eip. If xfsdump is executed with another MAC label such as dblow or userlow, the CAP_MAC_WRITE+eip capability is also required unless the -J option is specified. This is because the xfsdump command maintains an online dump inventory (/var/xfsdump/inventory), and this directory must be labeled dbadmin to enforce security. Also, the xfsdump command can back up multilevel directories and their attributes successfully without being executed with a moldy MAC label.
The xfsrestore(1M) command can be executed only by root to restore directories, files and their attributes from an xfsdump(1M) file, and requires the following capabilities: CAP_DEVICE_MGT+eip, CAP_MAC_READ+eip, CAP_MAC_WRITE, CAP_DAC_READ_SEARCH+eip, and CAP_DAC_WRITE+eip. If the dump file contains a multilevel directory, the xfsrestore command must also be executed at a moldy MAC label. Because the dbadmin MAC label does not have a relative moldy MAC label, it should not be used by the xfsrestore(1M) command. Otherwise, the multilevel directory will not be restored properly.
To back up a multilevel directory, run this command as root:
# suattr -M dbadmin -C 'all= CAP_DAC_READ_SEARCH \
CAP_DEVICE_MGT,CAP_MAC_READ+eip' -c "xfsdump -s mld_dir_pathname - / > dumpfile"
Note: The dumpfile should be located in the directory labeled dbadmin (default /var/xfsdump/inventory), or the CAP_MAC_WRITE+eip capability should be attached to the command.
To restore the dumpfile to a target directory, run this command as root:
# suattr -m -M dblow -C 'all= CAP_MAC_WRITE \
CAP_MAC_READ,CAP_DEVICE_MGT,CAP_DAC_READ_SEARCH,\
CAP_DAC_WRITE+eip' -c "xfsrestore -f dumpfile target_dir"
To restore data from standard input, which is the standard output of the xfsdump(1M) command, both the xfsdump(1M) and xfsrestore(1M) commands should use the same label, and a label other than dbadmin. For example:
# suattr -m -M userlow -C CAP_MAC_READ,CAP_MAC_WRITE, \
CAP_DEVICE_MGT,CAP_DAC_READ_SEARCH,CAP_DAC_WRITE+eip -c \
"xfsdump -l 0 -E -F -s moldy_dir - / | xfsrestore - /mount_point"
For more information, see the xfsdump(1M) and xfsrestore(1M) man pages.