lpr output filters

Dan Bernstein bernsten at phoenix.Princeton.EDU
Sat Apr 15 10:52:42 AEST 1989


In article <1347 at dukeac.UUCP> klg at dukeac.UUCP (Kim Greer) writes:
> In article <16878 at mimsy.UUCP> chris at mimsy.UUCP (Chris Torek) writes:
> ++The discussion is really about `files that can be viewed on a terminal
> ++but not printed'.
> ++It is worth noting that this effort is doomed to failure, as there
> ++are terminals that are printers, or have integral printers.
> ++If you have physically secure terminals, you could set something up
> ++so that the files can be viewed only on /dev/ttyA2, /dev/ttyh0, and
> ++so forth.
>   I think Chris is right; it is doomed.  Even "secure" terminals can
> run "script"  to capture the screen output and then immediately print
> the typescript file.  You don't have script on your system?  A pd
> version is available.

Chris is correct that the only way to ensure that a file is viewed but
not printed is through a direct connection to a physical terminal that
does not allow printing. So you could set up a setuid program that
checks the inode of fd 1 and only sends output if the inode matches
one of the physically secure ttys. script most certainly does not
defeat this, as it allocates a pseudo-terminal, which can't pretend
to be a different inode any more than ``| tee output'' can.

No government standard for security that I know of allows ``viewing
but not printing''; has nobody heard of screen-adjusted cameras? 
I don't understand what purpose the original poster had in mind.

---Dan Bernstein, bernsten at phoenix.princeton.edu
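
The check described in the message above, sketched in C as an added example that is not part of the original post: it compares fstat() of the output descriptor with stat() of each approved tty node (inode plus device number). The tty paths are the ones named in the quoted article; `path_is_allowed_tty` is a hypothetical helper for trying the check against an arbitrary device node.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Ttys named in the quoted article; treat as site-specific configuration. */
static const char *const SECURE_TTYS[] = { "/dev/ttyA2", "/dev/ttyh0" };

/* Return 1 only if fd is a character device whose inode and device number
 * match one of the allowed device nodes; pipes, files and ptys return 0. */
int fd_is_allowed_tty(int fd, const char *const *allowed, size_t n)
{
    struct stat out, ok;

    if (fstat(fd, &out) != 0 || !S_ISCHR(out.st_mode))
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (stat(allowed[i], &ok) != 0 || !S_ISCHR(ok.st_mode))
            continue;   /* missing or replaced node: never a match */
        if (ok.st_dev == out.st_dev && ok.st_ino == out.st_ino &&
            ok.st_rdev == out.st_rdev)
            return 1;
    }
    return 0;
}

/* Hypothetical helper: open a node and run the same check on it. */
int path_is_allowed_tty(const char *path, const char *const *allowed, size_t n)
{
    int fd = open(path, O_RDONLY | O_NOCTTY);
    if (fd < 0)
        return 0;
    int r = fd_is_allowed_tty(fd, allowed, n);
    close(fd);
    return r;
}

int main(void)
{
    size_t n = sizeof SECURE_TTYS / sizeof SECURE_TTYS[0];

    if (!fd_is_allowed_tty(STDOUT_FILENO, SECURE_TTYS, n)) {
        fprintf(stderr, "stdout is not an approved terminal; refusing\n");
        return 1;
    }
    /* A setuid viewer would copy the protected file to fd 1 here. */
    return 0;
}
```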


