Path: utzoo!attcan!uunet!lll-winken!csd4.milw.wisc.edu!bionet!agate!ucbvax!cs.glasgow.ac.UK!inei
From: inei@cs.glasgow.ac.UK (Nick Nei)
Newsgroups: comp.protocols.appletalk
Subject: Re:  Changing Apple LaserWriter type
Message-ID: <8878.8904281640@crete.cs.glasgow.ac.uk>
Date: 28 Apr 89 16:40:13 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 70


Jeff White writes:

> "... afraid people will print out unlimited copies with no control,
> [on LaserWriter] or people from the rest of the university will
> do all their printing here.

We have the same problem here at Glasgow University.  This is what I have
done:

     *  Rename the LaserWriter to "LazerWriter^A" (i.e. "z" instead
        of an "s" and embedd one/more control characters.  This make
        the device invisible from the Macintosh Chooser.

     *  Run lwsrv.  The name it uses is visible from the Macintosh Chooser.
        The mapping between LaserWriter to "LazerWriter^A" in the cap.printers
        file is like so:

                lwf173=F173.LocalTalk:LazerWriter^A@*

     *  Users from Macintosh MUST specify the following in their Chooser name:

                user-name:password

        The user-name is the UNIX login name and the password is anything
        they like.

     *  lwsrv picks up the user-name:password pair in the job and verifies
        the user and his/her quota.  The quota is whatever the System
        Manager likes:  no quota, periodic quota, one-off quota, etc.

     *  lwsrv uses /etc/passwd.laser which has user-name, password,
        real-name, group-name, real-name fields separated by colons.

     *  papif prints the file and figures out number of pages.  It updates
        /usr/spool/pages.laser.  This file has user-name and pages-used
        field.

     *  Before papif prints, it will check user-name, password and
        quota by reading /etc/passwd.laser and /usr/spool/pages.laser.
        If validation fails, it will print a diagnostic page on the
        LaserWriter saying: "wrong password", "wrong user-name" or
        "quota-exceeded".  If the latter then, the user is charged
        for the diagnostic page.

     *  Any lpr jobs from UNIX will similarly be charged.  Since you
        have to be logged in, the user is already validated.  The printing
	is done by papif and the quota will be updated.

I have augmented lwsrv and papif code to perform the above.  The system
has worked very well for 9 months.  (I know by the bribes I get from
students and the complaints from total strangers that they can't
use the LaserWriters!)  If nothing, I hope at least the control system
has saved a small forest somewhere.

The main security risk I anticipated was the LaserWriter renaming part.
Some clever hacker will be able to write an application to print to
the hidden LaserWriter.  If that happens, the log file will suddenly
detect unaccounted pages and I will be alerted.  Then what I will have
to do is to remove the LaserWriter from LocalTalk and connect it serially
to a UNIX machine and use something like Adobe's pscomm.

Somehow is is very gratifying not to see our LaserWriters churning
out multiple copies of party invitations, CVs, recipes and other
Universities' theses.

Mail:	Nick Nei, Computing Science Dept., 
	Glasgow Univ., 17 Lilybank Gardens,
      	Glasgow G12 8QQ, UK.  Tel: (041) 339 8855 x 5457
ARPA:	inei%cs.glasgow.ac.uk@nsfnet-relay.ac.uk USENET: inei@cs.glasgow.uucp