Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ukma!rutgers!njin!princeton!phoenix!bernsten
From: bernsten@phoenix.Princeton.EDU (Dan Bernstein)
Newsgroups: comp.unix.wizards
Subject: Re: lpr output filters
Message-ID: <7752@phoenix.Princeton.EDU>
Date: 15 Apr 89 00:52:42 GMT
References: <1158@novavax.UUCP> <8414@xanth.cs.odu.edu> <16878@mimsy.UUCP> <1347@dukeac.UUCP>
Reply-To: bernsten@phoenix.Princeton.EDU (Dan Bernstein)
Distribution: usa
Organization: Hmph.
Lines: 27

In article <1347@dukeac.UUCP> klg@dukeac.UUCP (Kim Greer) writes:
> In article <16878@mimsy.UUCP> chris@mimsy.UUCP (Chris Torek) writes:
> ++The discussion is really about `files that can be viewed on a terminal
> ++but not printed'.
> ++It is worth noting that this effort is doomed to failure, as there
> ++are terminals that are printers, or have integral printers.
> ++If you have physically secure terminals, you could set something up
> ++so that the files can be viewed only on /dev/ttyA2, /dev/ttyh0, and
> ++so forth.
> I think Chris is right; it is doomed. Even "secure" terminals can
> run "script" to capture the screen output and then immediately print
> the typescript file. You don't have script on your system? A pd
> version is available.

Chris is correct that the only way to ensure that a file is viewed
but not printed is through a direct connection to a physical terminal
that does not allow printing. So you could set up a setuid program
that checks the inode of fd 1 and only sends output if the inode
matches one of the physically secure ttys. script most certainly
does not defeat this, as it allocates a pseudo-terminal, which can't
pretend to be a different inode any more than ``| tee output'' can.

No government standard for security that I know of allows ``viewing
but not printing''; has nobody heard of screen-adjusted cameras? I
don't understand what purpose the original poster had in mind.

---Dan Bernstein, bernsten@phoenix.princeton.edu
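
The check described in the post above (a setuid program that compares the inode of fd 1 against the physically secure ttys), written out in C as an added example that is not part of the original post or its author's code. The function name `fd_on_allowed_tty` and the `secure_ttys` array are assumptions; the two tty paths are the ones quoted in the thread, and the code compares `st_rdev` in addition to the inode.

```c
/* Added example: release a file only when fd 1 is an approved tty device. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed allow-list; the two names are the ttys quoted in the thread. */
static const char *const secure_ttys[] = { "/dev/ttyA2", "/dev/ttyh0" };

/* Return 1 if fd is the same character-device node as one of the paths. */
int fd_on_allowed_tty(int fd, const char *const *allowed, size_t n)
{
    struct stat out, tty;
    size_t i;

    if (fstat(fd, &out) != 0 || !S_ISCHR(out.st_mode))
        return 0;               /* pipes ("| tee output") and files stop here */
    for (i = 0; i < n; i++) {
        if (stat(allowed[i], &tty) != 0 || !S_ISCHR(tty.st_mode))
            continue;           /* missing or replaced node: never a match */
        if (out.st_dev == tty.st_dev && out.st_ino == tty.st_ino &&
            out.st_rdev == tty.st_rdev)
            return 1;           /* a pty from script has a different node */
    }
    return 0;
}

int main(int argc, char **argv)
{
    char buf[4096];
    ssize_t n;
    int in;

    if (argc != 2) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return 2;
    }
    if (!fd_on_allowed_tty(STDOUT_FILENO, secure_ttys,
                           sizeof secure_ttys / sizeof secure_ttys[0])) {
        fprintf(stderr, "stdout is not an approved terminal\n");
        return 1;
    }
    if ((in = open(argv[1], O_RDONLY)) < 0) { perror(argv[1]); return 1; }
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(STDOUT_FILENO, buf, (size_t)n) != n) return 1;
    close(in);
    return 0;
}
```

The comparison is only as trustworthy as the device nodes themselves, so it assumes the entries under `/dev` can be created or replaced only by root.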