Security for advanced features

It’s important to strike the right balance between offering rich features and ensuring optimal security. PaperCut NG/MF uses a permission-controlled security.properties file to manage the security aspects of the following advanced features:

  • Print Scripting
  • Device Scripting
  • Custom Program for User Sync and Authentication
  • Card Conversion and Card Number Conversion

By offering control of these settings, you can harness these powerful features when necessary while also minimizing the attack surface area for features that might not be in use.

The default settings are selected to have the right balance of security for the majority of customers.

Where to configure these features

Configure and/or enable these features in the security.properties file. This file:

  • is located in [app-server]/server for all operating systems
  • for security reasons, can only be edited by operating system administrators
  • requires a PaperCut Application Server restart.

security.properties file configuration summary

The configuration file contains comments and descriptions for each of the settings. Most administrators will quickly understand and edit the file. Here’s a summary, including links to the related documentation.

  1. Configure the security.properties file for the features you want to use, according to these procedures:

  2. If you are using site servers, edit the security.properties file for each of the site servers to reflect the changes that you made in the security.properties file on the application server.

  3. If you haven’t already, restart the PaperCut Application Server.

  4. Follow the procedure for the feature(s) you are implementing:

Security keys and their default values

Security key

Description

security.print-and-device.script.enabled=
 

Controls whether print scripts and device scripts are enabled.

-------------

Applicable to both PaperCut NG and MF.

Default = N

security.print-script.allow-unsafe-code=
 

Controls whether print scripts are allowed to execute potentially unsafe code such as calling other programs. 

Enabling this allows powerful raw Java functionality but comes at a potential security risk.

-----------------------

Applicable to both PaperCut NG and MF.

Default = N

security.device-script.allow-unsafe-code=
 

Controls whether device scripts are allowed to execute potentially unsafe code such as calling other programs.

Enabling this allows powerful raw Java functionality but comes at a potential security risk.

-----------------------

Applicable to PaperCut MF only.

Default = N

security.custom-executable.allowed-directory-list=
 

Controls which directories custom executable files are allowed to be executed from.

You can grant access to multiple directories by separating them with a semicolon (;). This may be useful to assist in testing new versions. If an executable is found in more than one of the directories, the first directory matched will be used based on the order it is entered in the key.

Best practice is to store the executable files on the local filesystem in a secure location. Use absolute paths, and do not include the executable name as part of the path. 

Example: 
security.custom-executable.allowed-directory-list=c:\\custom\\

Indirect or relative paths are not allowed. 

Example: 
/home/programs//ng-mf/program will not match against /home/program in the allowed directory list.

The executable name set in the admin interface must exist in one of the paths listed in the allowed directory list key. 

Note: The custom source program does not need to be in the PaperCut install directory.

Example directories:

Linux

security.custom-executable.allowed-directory-list=/custom/ 

Windows*

security.custom-executable.allowed-directory-list=C:\\custom\\

*Windows paths must have a double backslash (\\) between every directory name.

For more details, see Synchronizing and authenticating user and group details with custom programs. 

------------------------------------

Applicable to both PaperCut NG and MF.

Default = empty

security.card-no-converter-script.allow-unsafe-code=N  
 

Controls whether card conversion scripts are allowed to execute potentially unsafe code, such as calling other programs. 

Enabling this allows powerful raw Java functionality, but comes at a potential security risk.

-------------------------------

Applicable to both PaperCut NG and MF.

Default = N

security.card-no-converter-script.path-allow-list=
 

Controls what directories card conversion scripts are allowed to be executed within.

Separate multiple values with a semicolon (;). 

Best practice is to store the executable files on the local filesystem in a secure location. Use absolute paths, and do not include the executable name as part of the path. 

Example: 
security.card-no-converter-script.path-allow-list=c:\\custom\\

Indirect or relative paths are not allowed. 

Example: 
/home/programs//ng-mf/program will not match against /home/program in the path-allow-list.

The executable name set in the admin UI must exist in one of the paths listed in the path-allow-list. 

Do not enter the executable name in the path(s) listed in the key value.

Note: The custom source program does not need to be in the PaperCut install directory.

Example paths:

Linux

security.card-no-converter-script.path-allow-list=/custom/

Windows*

security.card-no-converter-script.path-allow-list=C:\\custom\\

*Windows paths must have a double backslash (\\) between every directory name.

Example:
/custom/;/custom/scripts/
c:\\custom\\scripts\\

----------------------------

Applicable to PaperCut NG and MF.

Default = empty
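
An added example, not PaperCut's own code: a small Python check that reads a security.properties file and reports unsafe-code flags set to Y and allow-list entries that break the path rules in the table above. The function names and the sample file are constructed; treating a lone backslash as an escape character and reading "indirect" as `.`/`..` segments or doubled separators are assumptions.

```python
import re

LIST_KEYS = ("security.custom-executable.allowed-directory-list",
             "security.card-no-converter-script.path-allow-list")  # keys from this page

def parse(text):
    """Read key=value lines, keeping values exactly as written in the file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_dir(raw):
    """Return the problems found in one allow-list entry."""
    problems = []
    # Assumption: a lone backslash is eaten as an escape when the file loads.
    if "\\" in raw.replace("\\\\", ""):
        problems.append("single backslash")
    path = raw.replace("\\\\", "\\")
    if not (path.startswith("/") or re.match(r"[A-Za-z]:\\", path)):
        problems.append("not absolute")
    # Assumption: "indirect" means '.', '..' or doubled separators.
    if any(s in ("", ".", "..") for s in re.split(r"[\\/]", path.strip("\\/"))):
        problems.append("not canonical")
    return problems

def audit(text):
    """Return (key, message) findings for a security.properties file."""
    findings = []
    for key, value in parse(text).items():
        if key.endswith(".allow-unsafe-code") and value.upper() == "Y":
            findings.append((key, "unsafe code enabled"))
        if key in LIST_KEYS:
            for entry in filter(None, (e.strip() for e in value.split(";"))):
                findings += [(key, f"{entry}: {p}") for p in check_dir(entry)]
    return findings

# Constructed sample, not taken from a real installation.
SAMPLE = r"""
security.print-script.allow-unsafe-code=Y
security.custom-executable.allowed-directory-list=C:\\custom\\;c:\custom\\;/opt/sync/../bin/
security.card-no-converter-script.path-allow-list=/custom/;scripts/
"""

if __name__ == "__main__":
    print("\n".join(f"{k}: {m}" for k, m in audit(SAMPLE)))
```

Run it against a copy of the file from [app-server]/server on the application server and on each site server, so that differences between them show up as different findings.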
