Advanced Permissions with 6.0
With the release of HylaFAX 6.0 now a couple of months old, new features were added including new permission controls, which I am going to write about on this page, together with how I implemented them in our workplace in a multi-user, multi-department environment.
Previously we had been using HylaFAX 4.4.4 in our workplace for the past 9 months, trialling it to see how well it works and how best to roll it out to other departments.
HylaFAX 4.4.4 was fine for the one-fax-machine solution we required at the time, but now that we are looking at expanding the use of HylaFAX our needs have changed a little.
In this wiki page I will try to explain how we have successfully rolled out HylaFAX 6.0.2 (currently) to 2 departments, with multiple users in each department and more departments to be added. This is based on a CentOS 5.3 system; we had to move from a previous Debian-based system because we required a serial-over-IP hub, so on other distros the file locations will vary.
Our requirement was to set up a HylaFAX server with 2 incoming fax lines (1 for each department), and to restrict access to the public received and sent fax lists so that each department can only view the faxes belonging to its own fax line, via the yajhfc client software which we intend to distribute.
Our setup is as follows:-
Dept1: only User1 and User2 may view the received fax list for this fax line
Dept2: only User3 and User4 may view the received fax list for this fax line
Users sending faxes will only be able to view the faxes they have sent themselves, not other people's.
The dept1 modem device will be /dev/ttyS1, and the dept2 modem device will be /dev/ttyS2.
1) Add the new Hylafax 6.0 permissions to /etc/hylafax/hfaxd.conf :-
JobProtection: 0600
PublicJobQ: false
PublicRecvQ: false
JobProtection sets the file permissions of jobs submitted by a user; 0600 is needed here so that a job is not readable by anyone other than its owner, which is what keeps it out of the public list.
PublicJobQ set to false is required to restrict access to the public sent-fax list; if it is set to true, or the line is not present, every user's jobs appear in the public queue.
PublicRecvQ set to false is required to restrict access to the public received-fax list; the file permissions that decide who can see which received fax are explained in more detail later.
2) Next I need to alter RecvFileMode in my modem configuration files /var/spool/hylafax/etc/config.ttyS1 and config.ttyS2 as follows, if it is not already set like this:-
From RecvFileMode: 0644
To   RecvFileMode: 0600
This makes received faxes invisible in the public list, since nobody but the owner can read them until FaxDispatch reassigns them below; a value of 0644 leaves every received fax world-readable and therefore visible to every client.
3) I now need to create 2 actual Linux users as follows:-
dept1 - UID of 501
dept2 - UID of 502
On CentOS, useradd also creates a private group with the same number for each user, which is the group FaxDispatch will assign received faxes to. Make a note of the UIDs, as they will be required later when altering the hosts.hfaxd file.
You can create more Linux user accounts if needed, but here I don't need them, as user1-4 will only be used for fax access and are added with the faxadduser command in the next step.
4) Now I shall add user1, user2, user3 and user4 to the HylaFAX configuration so I can grant them access to the appropriate faxes later on:-
/usr/sbin/faxadduser -p password user1
I repeat this for each of user1-4, choosing an appropriate password after the -p option.
Once these have been added, 4 new lines will appear in /var/spool/hylafax/etc/hosts.hfaxd, e.g.:-
^user1@::password:
^user2@::password:
^user3@::password:
^user4@::password:
The password will not be stored in clear text but encrypted. I shall come back to this file in a later step.
5) Now I need to edit my /var/spool/hylafax/etc/FaxDispatch file so I can assign the correct group and permissions to each received fax depending on which modem it arrived on:-
    # We want all faxes to be emailed in PDF format
    FILETYPE=pdf;
    case "$DEVICE" in
    ttyS1)
        # ttyS1 is the device id of the fax line for dept1
        sudo /bin/chgrp 501 "$FILE"   # change the file's group from uucp to dept1 (GID 501)
        chmod g+r "$FILE"             # give dept1 read rights
        SENDTO=dept1                  # email the PDF to the dept1 mailbox
        ;;
    ttyS2)
        # ttyS2 is the device id of the fax line for dept2
        sudo /bin/chgrp 502 "$FILE"   # change the file's group from uucp to dept2 (GID 502)
        chmod g+r "$FILE"             # give dept2 read rights
        SENDTO=dept2                  # email the PDF to the dept2 mailbox
        ;;
    esac
The chgrp 501 $FILE changes the fax file ownership from uucp:uucp to uucp:dept1, so the file's group is now dept1. The chmod g+r $FILE then gives dept1 read-only access; the file stays 0640, so no other user can view the fax. SENDTO optionally emails the PDF attachment to a local mailbox, or to another email address if specified.
See the next step regarding the use of the sudo command.
6) You will have noticed the use of the sudo command in the FaxDispatch file in step 5. This is a workaround: the uucp user, which HylaFAX mainly operates as, does not have the rights to chgrp files to a group it is not a member of. The steps below get around this so that chgrp can assign the correct group to the files. (NB This may not be the case under other distros, so this step may vary. This is based on CentOS.)
Run visudo on /etc/sudoers and add the following lines:-
uucp ALL=(root) NOPASSWD: /bin/chgrp
Defaults:uucp !requiretty
The first line enables uucp to run chgrp via sudo with root permissions, thus enabling FaxDispatch to change the group of the file. Note that as written it lets uucp chgrp any file on the system as root; sudoers also matches command-line arguments, so the rule can be narrowed to the department groups and the recvq path once you know the exact argument form FaxDispatch uses.
The second line gets around another problem which may occur. If you don't have this line you may see the following in a log file:-
"sorry, you must have a tty to run sudo"
If you see this error, run visudo, search for the option 'Defaults requiretty' and either comment it out or keep the per-user 'Defaults:uucp !requiretty' override above, which is the narrower of the two.
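As an added hardening note, not part of the original page or of HylaFAX itself: the rule above is broader than FaxDispatch needs. sudoers matches command-line arguments (wildcards allowed), so the same rule can be limited to the two department GIDs and to received-fax files only. This assumes faxrcvd passes $FILE as a path relative to the spool directory of the form recvq/faxNNNNN.tif, which is what the stock faxrcvd does; check the argument form in your own FaxDispatch before tightening, because an argument list that does not match makes sudo refuse the command and the fax is left as uucp:uucp.

```sudoers
# Original rule from the page: uucp may chgrp any file on the system, as root
uucp ALL=(root) NOPASSWD: /bin/chgrp
Defaults:uucp !requiretty

# Narrowed rule (added suggestion): only the two department GIDs, only files in recvq
uucp ALL=(root) NOPASSWD: /bin/chgrp 501 recvq/fax*.tif, /bin/chgrp 502 recvq/fax*.tif
Defaults:uucp !requiretty
```

Keep only one of the two uucp rules; the narrowed form still matches the exact `sudo /bin/chgrp 501 $FILE` calls used in FaxDispatch above.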
7) Now we need to edit /var/spool/hylafax/etc/hosts.hfaxd so we can assign the users we created in step 4 to their appropriate department fax queues:-
^user1@:501:password:
^user2@:501:password:
^user3@:502:password:
^user4@:502:password:
After the ^user1@ section you will notice I have entered 501, the UID for dept1, between the two ':' characters. HylaFAX uses this numeric id as the group id of the files a client owns, and hfaxd compares it with the group of each file when deciding what a client may see, so this is what groups user1 with the dept1 fax machine and the faxes FaxDispatch assigned to GID 501. I have done the same for user2 to dept1, and for user3 and user4 to dept2.
8) Now we can restart HylaFAX so the changes are picked up. In yajhfc users log in as user1, user2, user3 or user4; only user1 and user2 will be able to view the faxes received for dept1, and only user3 and user4 will be able to view the faxes received for dept2.
Users will also now only be able to view the faxes they have submitted themselves, and not other people's.
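Once faxes are coming in, it is worth checking that the three settings above actually combine as intended on disk. The following audit script is an added example, not part of the original page or of the HylaFAX distribution; it assumes GNU stat (as on CentOS) and the naming convention recvq/faxNNNNN.tif. It flags a received fax that is still world-readable (RecvFileMode not applied, so every client sees it), one still group-owned by the spooler's own group (FaxDispatch's chgrp did not run, typically the sudo or requiretty problem from step 6, so nobody sees it), and one whose group cannot read it (chgrp ran but chmod g+r did not).

```shell
#!/bin/sh
# Audit the HylaFAX received-fax queue against the per-department access model.
# Added example; assumes GNU coreutils stat (Linux) and files named fax*.tif.
#
# Expected state after FaxDispatch: every file is mode 0640 and group-owned by a
# department GID (501/502 here), never by the spooler's own group (uucp).
#
# Usage: audit_recvq [recvq-dir] [spooler-group]
# Prints one line per finding and returns 1 if anything was found, 0 if clean.
audit_recvq() {
    dir=${1:-/var/spool/hylafax/recvq}
    spool_group=${2:-uucp}
    rc=0
    for f in "$dir"/fax*.tif; do
        [ -e "$f" ] || continue          # no faxes yet: the glob did not expand
        mode=$(stat -c '%a' "$f")
        mode=${mode#"${mode%???}"}       # keep the last three octal digits only
        group=$(stat -c '%G' "$f")
        # "other" bits set (e.g. 644): visible to every hfaxd client via the public queue
        case "$mode" in
            *[1-7]) echo "WORLD-READABLE $mode $group $f"; rc=1 ;;
        esac
        # group never reassigned: FaxDispatch's chgrp did not run, so no department sees it
        if [ "$group" = "$spool_group" ]; then
            echo "UNDISPATCHED $mode $group $f"; rc=1
        fi
        # group read bit missing (e.g. 600): chgrp ran but chmod g+r did not
        case "$mode" in
            ?[0-3]?) echo "GROUP-NOT-READABLE $mode $group $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Run against the live spool when executed directly (no output means all clean).
[ "${AUDIT_RECVQ_LIB:-0}" = "1" ] || audit_recvq "$@"
```

Run it as root (or as uucp) after a few faxes have arrived on each line; the live spool is mode 0700 so ordinary users cannot list it. A clean run prints nothing and exits 0, which makes it easy to hook into cron.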
Thanks to Aidan & Alexandru Oniciuc for their help in helping me get this setup onto our system. Andy Rogers
"Thanks to Aidan & Alexandru Oniciuc for their help. Brilliant stuff." Praveen Narayana swamy