Reducing Printing Restrictions in Trusted Extensions (Task Map)

The following tasks are optional. They reduce the printing security that Trusted Extensions provides by default when the software is installed.

How to Remove Labels From Printed Output

Printers that do not have a Trusted Extensions printer model script do not print labeled banner or trailer pages. The body pages also do not include labels.

Before You Begin

You must be in the Security Administrator role in the global zone.

• At the appropriate label, do one of the following:
  • From the print server, stop banner printing altogether.

    $ lpadmin -p printer -o nobanner=never

    Body pages are still labeled.

  • Set the printer model script to an Oracle Solaris script.

    $ lpadmin -p printer  \
    -m { standard | netstandard | standard_foomatic | netstandard_foomatic }

    No labels appear on printed output.

How to Assign a Label to an Unlabeled Print Server

A Oracle Solaris print server is an unlabeled print server that can be assigned a label for Trusted Extensions access to the printer at that label. Printers that are connected to an unlabeled print server can print jobs only at the label that has been assigned to the print server. Jobs print without labels or trailer pages and might print without banner pages. If a job prints with a banner page, the page does not contain any security information.

A Trusted Extensions system can be configured to submit jobs to a printer that is managed by an unlabeled print server. Users can print jobs on the unlabeled printer at the label that the security administrator assigns to the print server.

Before You Begin

You must be in the Security Administrator role in the global zone.

1. Open the Solaris Management Console in the appropriate scope.

   For details, see Initialize the Solaris Management Console Server in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.

2. Under System Configuration, navigate to the Computers and Networks tool.

   Provide a password when prompted.

3. Assign an unlabeled template to the print server.

   For details, see How to Assign a Security Template to a Host or a Group of Hosts.

   Choose a label. Users who are working at that label can send print jobs to the Oracle Solaris printer at the label of the print server. Pages do not print with labels, and banner and trailer pages are also not part of the print job.

Example 15-2 Sending Public Print Jobs to an Unlabeled Printer

Files that are available to the general public are suitable for printing to an unlabeled printer. In this example, marketing writers need to produce documents that do not have labels printed on the top and bottom of the pages.

The security administrator assigns an unlabeled host type template to the Oracle Solaris print server. The template is described in Example 13-6. The arbitrary label of the template is PUBLIC. The printer pr-nolabel1 is connected to this print server. Print jobs from users in a PUBLIC zone print on the pr-nolabel1 printer with no labels. Depending on the settings for the printer, the jobs might or might not have banner pages. The banner pages do not contain security information.

How to Remove Page Labels From All Print Jobs

This procedure prevents all print jobs on a Trusted Extensions printer from including visible labels on the body pages of the print job.

Before You Begin

You must be in the Security Administrator role in the global zone.

1. Edit the /usr/lib/lp/postscript/tsol_separator.ps file.

   Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.

2. Find the definition of /PageLabel.

   Find the following lines:

   %% To eliminate page labels completely, change this line to
   %% set the page label to an empty string: /PageLabel () def
   /PageLabel Job_PageLabel def

   ---

   Note - The value Job_PageLabel might be different at your site.

   ---

3. Replace the value of /PageLabel with a set of empty parentheses.

   /PageLabel () def

How to Enable Specific Users to Suppress Page Labels

This procedure enables an authorized user or role to print jobs on a Trusted Extensions printer without labels on the top and bottom of each body page. Page labels are suppressed for all labels at which the user can work.

Before You Begin

You must be in the Security Administrator role in the global zone.

1. Determine who is permitted to print jobs without page labels.
2. Authorize those users and roles to print jobs without page labels.

   Assign a rights profile that includes the Print without Label authorization to those users and roles. For details, see How to Create a Rights Profile for Convenient Authorizations.

3. Instruct the user or role to use the lp command to submit print jobs:

   % lp -o nolabels staff.mtg.notes

How to Suppress Banner and Trailer Pages for Specific Users

Before You Begin

You must be in the Security Administrator role in the global zone.

1. Create a rights profile that includes the Print without Banner authorization.

   Assign the profile to each user or role that is allowed to print without banner and trailer pages.

   For details, see How to Create a Rights Profile for Convenient Authorizations.

2. Instruct the user or role to use the lp command to submit print jobs:

   % lp -o nobanner staff.mtg.notes

How to Enable Users to Print PostScript Files in Trusted Extensions

Before You Begin

You must be in the Security Administrator role in the global zone.

• Use one of the following three methods to enable users to print PostScript files:
  • To enable PostScript printing on a system, modify the /etc/default/print file.
    1. Create or modify the /etc/default/print file.

       Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.

    2. Type the following entry:

       PRINT_POSTSCRIPT=1

    3. Save the file and close the editor.
  • To authorize all users to print PostScript files from a system, modify the /etc/security/policy.conf file.
    1. Modify the policy.conf file.

       Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.

    2. Add the solaris.print.ps authorization.

       AUTHS_GRANTED=other-authorizations,solaris.print.ps

    3. Save the file and close the editor.
  • To enable a user or role to print PostScript files from any system, give just those users and roles the appropriate authorization.

    Assign a profile that includes the Print Postscript authorization to those users and roles. For details, see How to Create a Rights Profile for Convenient Authorizations.

Example 15-3 Enabling PostScript Printing From a Public System

In the following example, the security administrator has constrained a public kiosk to operate at the PUBLIC label. The system also has a few icons that open topics of interest. These topics can be printed.

The security administrator creates an /etc/default/print file on the system. The file has one entry to enable the printing of PostScript files. No user needs a Print Postscript authorization.

# vi /etc/default/print

# PRINT_POSTSCRIPT=0
PRINT_POSTSCRIPT=1