HylaFAX The world's most advanced open source fax server

Advanced Permissions with 6.0
Latest revision as of 08:23, 26 August 2010

With the release of Hylafax 6.0 now a couple of months old, new features were added including new permissions, which I am going to write about on this page: how I implemented them in our workplace to support a multi-user/department environment.

Previously we had been using Hylafax 4.4.4 in our work place for the past 9 months trialling it and seeing how well it works, and how best we would roll it out to other departments.

Hylafax 4.4.4 was fine for the one-fax-machine solution we required at the time, but now that we are looking at expanding the use of Hylafax our needs have changed a little.

In this Wiki I will try to explain how we have successfully rolled out Hylafax 6.0.2 (currently) to 2 departments, with more to be added, with multiple users in each department. This is based on a CentOS 5.3 system, which we had to move to from a previous Debian based system because of our requirement for a Serial Over IP hub, so for other distros the file locations will vary.

Our requirement was to set up a Hylafax server for use with 2 incoming fax lines (1 for each department), and to restrict access to the public received & sent fax lists so that each department can only view the faxes belonging to its own fax line, via the yajhfc client software which we intend to distribute.

Our Setup will be described as follows:-

Dept1: access to the received fax list for this fax line only for User1 & User2
Dept2: access to the received fax list for this fax line only for User3 & User4

Users sending faxes will only be able to view the faxes they have sent themselves, not other people's.

The dept1 modem device will be /dev/ttyS1, and dept2 will be /dev/ttyS2.

1) Add the new Hylafax 6.0 permissions to /etc/hylafax/hfaxd.conf :-

JobProtection: 0600
PublicJobQ:    false
PublicRecvQ:   false

JobProtection sets the file permissions of faxes sent by the user; 0600 is needed here to help restrict access to the public list.

PublicJobQ set to false is required to restrict access to the public sent-fax list; if it is set to true or the line is not present, sent faxes will appear in the public queue.

PublicRecvQ set to false is required to restrict access to the public received-fax list; the file permissions for this area are explained in more detail later.

2) Next I will need to alter the RecvFileMode in my modem configuration lines in /var/spool/hylafax/config.ttyS1 & config.ttyS2 to the following, if it is not already set like this:-

From
RecvFileMode: 0644
To
RecvFileMode: 0600

This makes received faxes inaccessible from the public list; with the value 0644 they are readable by everyone.

3) I now need to create 2 actual Linux users as follows:-

dept1 - UID of 501
dept2 - UID of 502

You will need to make a note of the various UIDs for later, as they will be required when altering your hosts.hfaxd file.

You can create more Linux user accounts if needed for the different users, but here I don't need them as I will only be using user1-4 for fax access, which I shall add with the faxadduser command in the next step.

4) Now I shall add my user1, user2, user3, user4 to the hylafax configuration so I can grant them access to the appropriate faxes later on.

/usr/sbin/faxadduser -p password user1

Obviously here I would repeat this 4 times for user1-4, choosing an appropriate password after the -p option.

Once these have been added, 4 new lines will appear in the /var/spool/hylafax/etc/hosts.hfaxd file, e.g.:-

^user1@::password:
^user2@::password:
^user3@::password:
^user4@::password:

The password will not be stored in clear text but encrypted; I shall come back to this file in a later step.

5) Now I need to edit my /var/spool/hylafax/FaxDispatch file so I can assign the correct permissions & Unix group to each received fax depending on which modem it arrived on.

# We want all faxes to be emailed in PDF format
FILETYPE=pdf

case "$DEVICE" in
    ttyS1)                            # ttyS1 is the device of the fax line for dept1
        sudo /bin/chgrp 501 "$FILE"   # change the file's group from uucp to dept1 (GID 501)
        chmod g+r "$FILE"             # give the dept1 group read access
        SENDTO=dept1                  # email the PDF to the dept1 mailbox
    ;;
    ttyS2)                            # ttyS2 is the device of the fax line for dept2
        sudo /bin/chgrp 502 "$FILE"   # change the file's group from uucp to dept2 (GID 502)
        chmod g+r "$FILE"             # give the dept2 group read access
        SENDTO=dept2                  # email the PDF to the dept2 mailbox
    ;;
esac

The chgrp 501 $FILE changes the fax file ownership from uucp:uucp to uucp:dept1, so the file's group is now dept1 (the user owner stays uucp). The chmod g+r $FILE gives read-only access to dept1; no other user can view the fax. SENDTO optionally emails the PDF attachment to a mailbox, or to another email address if specified.

See next step regarding the use of the sudo command.

6) You will have noticed the use of the sudo command in the FaxDispatch file in step 5. This is a workaround: the uucp user, which hylafax mainly operates as, does not have the rights to chgrp files. The steps below get around this so that chgrp works correctly and assigns the right ownership to the files. (NB this may not necessarily be the case under other distros, so this step may vary; this is based on CentOS.)

Run visudo on /etc/sudoers and add the following lines:-

uucp    ALL=(root) NOPASSWD: /bin/chgrp
Defaults:uucp    !requiretty

The first additional line enables uucp to run chgrp via the sudo command with root permissions, thus enabling FaxDispatch to change the group of the file successfully.
The second line gets around another problem which may occur; if you don't have this line you may see something like the following in a log file:-

"sorry, you must have a tty to run sudo"

If you see this error, run visudo, search for the option 'Defaults requiretty' and comment it out.

7) Now we need to edit the /var/spool/hylafax/etc/hosts.hfaxd file so we can assign the users we created in step 4 to their appropriate department fax queues.

^user1@:501:password:
^user2@:501:password:
^user3@:502:password:
^user4@:502:password:

In the ^user1@::password line you will now notice I have entered 501, the UID for dept1, between the two ':'; this assigns (groups) user1 to the dept1 fax machine. I have done the same for user2 to dept1, and for users 3 & 4 to dept2.

8) Now we can restart Hylafax so the changes are picked up. In yajhfc, users will log in as user1, user2, user3 & user4; only users 1 & 2 will be able to view the faxes received for dept1, and users 3 & 4 will only be able to view the faxes for dept2.

Users will also now only be able to view the faxes they have themselves submitted for sending, and not other people's.
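As an added check that is not part of the original page, the following Python script verifies the end state the steps above aim for: it reads the department groupings from a hosts.hfaxd file in the format shown in step 7 and then audits a recvq directory for files that are still world-readable (the old RecvFileMode 0644), group-writable, or group-readable by a group that is not a department group. The hosts.hfaxd content, file names, hash placeholders and the temporary recvq are constructed for the demo; on a real server you would point audit_recvq at /var/spool/hylafax/recvq and pass the real GIDs 501 and 502.

```python
import os
import stat
import tempfile

# Constructed hosts.hfaxd content in the page's format: client-regex:uid:password:adminwd
HOSTS_HFAXD = """\
^user1@:501:xxHASHxx:
^user2@:501:xxHASHxx:
^user3@:502:xxHASHxx:
^user4@:502:xxHASHxx:
"""

def dept_ids_from_hosts(text):
    """Map each uid field in hosts.hfaxd to the list of users grouped under it."""
    depts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[1].isdigit():
            continue  # blank line, comment, or an entry without a uid field
        user = fields[0].lstrip("^").rstrip("@")
        depts.setdefault(int(fields[1]), []).append(user)
    return depts

def audit_fax_file(path, dept_gids):
    """Return findings for one received-fax file; an empty list means it is locked down as intended."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append("world-accessible (mode %04o): RecvFileMode 0644 leftover?" % mode)
    if mode & stat.S_IWGRP:
        findings.append("group-writable (mode %04o)" % mode)
    if mode & stat.S_IRGRP and st.st_gid not in dept_gids:
        findings.append("group-readable but gid %d is not a department group" % st.st_gid)
    return findings

def audit_recvq(recvq_dir, dept_gids):
    """Audit every file in a recvq directory; returns {filename: findings} for problem files only."""
    report = {}
    for name in sorted(os.listdir(recvq_dir)):
        findings = audit_fax_file(os.path.join(recvq_dir, name), dept_gids)
        if findings:
            report[name] = findings
    return report

def demo(dept_gids=None):
    """Build a constructed recvq (dispatched 0640, stale 0644, not-yet-dispatched 0600) and audit it."""
    tmp = tempfile.mkdtemp()
    for name, mode in (("fax00001.tif", 0o640), ("fax00002.tif", 0o644), ("fax00003.tif", 0o600)):
        path = os.path.join(tmp, name)
        open(path, "wb").close()
        os.chmod(path, mode)
    if dept_gids is None:
        # The demo cannot chgrp to 501/502, so the gid our files were created with stands in for a department group.
        dept_gids = set(dept_ids_from_hosts(HOSTS_HFAXD)) | {os.stat(path).st_gid}
    return audit_recvq(tmp, dept_gids)
```

Run demo() to see only the stale 0644 file reported; demo(set()) additionally flags the 0640 file because its group is not one of the department groups.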


Thanks to Aidan & Alexandru Oniciuc for their help in getting this setup onto our system. Andy Rogers

"Thanks to Aidan & Alexandru Oniciuc for their help. Brilliant stuff. Praveen Narayana swamy"


This page was last edited on 26 August 2010, at 08:23.
