/*
- * "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $"
+ * "$Id: auth.c 7673 2008-06-18 22:31:26Z mike $"
*
* Authorization routines for the Common UNIX Printing System (CUPS).
*
static char *cups_crypt(const char *pw, const char *salt);
#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
#ifdef HAVE_GSSAPI
-static gss_cred_id_t get_gss_creds(const char *service_name);
+static gss_cred_id_t get_gss_creds(const char *service_name,
+ const char *con_server_name);
#endif /* HAVE_GSSAPI */
static char *get_md5_password(const char *username,
const char *group, char passwd[33]);
*/
void
-cupsdAllowIP(cupsd_location_t *loc, /* I - Location to add to */
- unsigned address[4], /* I - IP address to add */
- unsigned netmask[4]) /* I - Netmask of address */
+cupsdAllowIP(
+ cupsd_location_t *loc, /* I - Location to add to */
+ const unsigned address[4], /* I - IP address to add */
+ const unsigned netmask[4]) /* I - Netmask of address */
{
cupsd_authmask_t *temp; /* New host/domain mask */
char *ptr, /* Pointer into string */
username[256], /* Username string */
password[33]; /* Password string */
- const char *localuser; /* Certificate username */
+ cupsd_cert_t *localuser; /* Certificate username */
char nonce[HTTP_MAX_VALUE], /* Nonce value from client */
md5[33], /* MD5 password */
basicmd5[33]; /* MD5 of Basic password */
if ((localuser = cupsdFindCert(authorization)) != NULL)
{
- strlcpy(username, localuser, sizeof(username));
+ strlcpy(username, localuser->username, sizeof(username));
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdAuthorize: Authorized as %s using Local",
return;
}
- con->type = CUPSD_AUTH_BASIC;
+#ifdef HAVE_GSSAPI
+ if (localuser->ccache)
+ con->type = CUPSD_AUTH_NEGOTIATE;
+ else
+#endif /* HAVE_GSSAPI */
+ con->type = CUPSD_AUTH_BASIC;
}
else if (!strncmp(authorization, "Basic", 5))
{
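Review bot: The new `else` in the `#ifdef HAVE_GSSAPI` block is separated from its body by the `#endif`, so `con->type = CUPSD_AUTH_BASIC;` is the `else` body in a GSSAPI build and an unconditional statement otherwise; both readings are intended today, but the shape is fragile because any statement later inserted after the `#endif` would silently change which path is conditional. Bracing both bodies keeps the structure explicit under either build: `{ con->type = CUPSD_AUTH_NEGOTIATE; }` for the `if`, and `{ con->type = CUPSD_AUTH_BASIC; }` after the `#endif`. A one-line comment above the block, such as `/* A local cert that carries a Kerberos ccache was issued for a Negotiate login; report that type so later checks match. */`, would also record why the cert's `ccache` drives the auth type, which the code does not say. The enclosing cupsdAuthorize function starts and ends outside this hunk.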
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: pam_start() returned %d (%s)!\n",
+ "cupsdAuthorize: pam_start() returned %d (%s)!",
pamerr, pam_strerror(pamh, pamerr));
- pam_end(pamh, 0);
return;
}
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
"cupsdAuthorize: pam_set_item() returned %d "
- "(%s)!\n", pamerr, pam_strerror(pamh, pamerr));
+ "(%s)!", pamerr, pam_strerror(pamh, pamerr));
# endif /* HAVE_PAM_SET_ITEM && PAM_RHOST */
pamerr = pam_authenticate(pamh, PAM_SILENT);
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"cupsdAuthorize: pam_authenticate() returned %d "
- "(%s)!\n",
+ "(%s)!",
pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"cupsdAuthorize: pam_acct_mgmt() returned %d "
- "(%s)!\n",
+ "(%s)!",
pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: AIX authenticate of username \"%s\"",
- username);
+ "cupsdAuthorize: AIX authenticate of username "
+ "\"%s\"", username);
reenter = 1;
if (authenticate(username, password, &reenter, &authmsg) != 0)
* Get the server credentials...
*/
- if ((server_creds = get_gss_creds(GSSServiceName)) == NULL)
+ if ((server_creds = get_gss_creds(GSSServiceName, con->servername)) == NULL)
return;
/*
struct passwd *user, /* I - System user info */
const char *groupname) /* I - Group name */
{
- int i; /* Looping var */
- struct group *group; /* System group info */
- char junk[33]; /* MD5 password (not used) */
+ int i; /* Looping var */
+ struct group *group; /* System group info */
+ char junk[33]; /* MD5 password (not used) */
#ifdef HAVE_MBR_UID_TO_UUID
- uuid_t useruuid, /* UUID for username */
- groupuuid; /* UUID for groupname */
- int is_member; /* True if user is a member of group */
+ uuid_t useruuid, /* UUID for username */
+ groupuuid; /* UUID for groupname */
+ int is_member; /* True if user is a member of group */
#endif /* HAVE_MBR_UID_TO_UUID */
* Check group membership through MacOS X membership API...
*/
- if (user && group)
- if (!mbr_uid_to_uuid(user->pw_uid, useruuid))
+ if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid))
+ {
+ if (group)
+ {
+ /*
+ * Map group name to UUID and check membership...
+ */
+
if (!mbr_gid_to_uuid(group->gr_gid, groupuuid))
- if (!mbr_check_membership(useruuid, groupuuid, &is_member))
+ if (!mbr_check_membership(useruuid, groupuuid, &is_member))
if (is_member)
return (1);
+ }
+ else if (groupname[0] == '#')
+ {
+ /*
+ * Use UUID directly and check for equality (user UUID) and
+ * membership (group UUID)...
+ */
+
+ if (!uuid_parse((char *)groupname + 1, groupuuid))
+ {
+ if (!uuid_compare(useruuid, groupuuid))
+ return (1);
+ else if (!mbr_check_membership(useruuid, groupuuid, &is_member))
+ if (is_member)
+ return (1);
+ }
+
+ return (0);
+ }
+ }
+ else if (groupname[0] == '#')
+ return (0);
#endif /* HAVE_MBR_UID_TO_UUID */
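Review bot: In the new `#` branch every non-zero return from `uuid_parse` and from `mbr_check_membership` is treated as "not a member" with no diagnostic, so a mistyped UUID in the group name and a failure of the membership service are indistinguishable in the log from a legitimate denial. Denying is the right default here, but a `cupsdLogMessage(CUPSD_LOG_DEBUG, ...)` naming `groupname` in the `uuid_parse` failure path and one before the final `return (0);` would make the fail-closed outcome visible when an administrator is debugging access. The cast in `uuid_parse((char *)groupname + 1, groupuuid)` discards the parameter's `const`; if the platform's `uuid_parse` accepts a const string the cast can go, otherwise a short comment should say why it is needed. The enclosing function begins and ends outside this hunk.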
/*
void
cupsdDenyIP(cupsd_location_t *loc, /* I - Location to add to */
- unsigned address[4],/* I - IP address to add */
- unsigned netmask[4])/* I - Netmask of address */
+ const unsigned address[4],/* I - IP address to add */
+ const unsigned netmask[4])/* I - Netmask of address */
{
cupsd_authmask_t *temp; /* New host/domain mask */
*/
static gss_cred_id_t /* O - Server credentials */
-get_gss_creds(const char *service_name) /* I - Service name */
+get_gss_creds(
+ const char *service_name, /* I - Service name */
+ const char *con_server_name) /* I - Hostname of server */
{
OM_uint32 major_status, /* Major status code */
minor_status; /* Minor status code */
gss_cred_id_t server_creds; /* Server credentials */
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
/* Service name token */
- char buf[1024], /* Service name buffer */
- fqdn[HTTP_MAX_URI]; /* Hostname of server */
+ char buf[1024]; /* Service name buffer */
- snprintf(buf, sizeof(buf), "%s@%s", service_name,
- httpGetHostname(NULL, fqdn, sizeof(fqdn)));
+ snprintf(buf, sizeof(buf), "%s@%s", service_name, con_server_name);
token.value = buf;
token.length = strlen(buf);
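Review bot: `con_server_name` is documented only as "Hostname of server", but the one caller in this diff passes `con->servername`, a per-connection value; if that string is derived from the client's request (I cannot confirm that from these lines), the GSS acceptor principal `service@host` is now built from client-influenced text instead of the result of `httpGetHostname()`, and the parameter comment should state where the name must come from and that a name with no matching keytab entry must leave the caller's `== NULL` check failing rather than selecting some other credential. Separately, the `snprintf` into `buf[1024]` is unchecked, so an over-long `service_name`/`con_server_name` pair is silently truncated into a different principal name; capture the return value and add `if (n < 0 || (size_t)n >= sizeof(buf)) return (NULL);` before the token is filled in. get_gss_creds's body continues past this hunk, so how the token is imported and whether failures are logged is not visible here.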
/*
- * End of "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $".
+ * End of "$Id: auth.c 7673 2008-06-18 22:31:26Z mike $".
*/