]>
Commit | Line | Data |
---|---|---|
ef416fc2 | 1 | /* |
7e86f2f6 | 2 | * Authentication certificate routines for the CUPS scheduler. |
ef416fc2 | 3 | * |
d4874933 | 4 | * Copyright 2007-2016 by Apple Inc. |
7e86f2f6 | 5 | * Copyright 1997-2006 by Easy Software Products. |
ef416fc2 | 6 | * |
e3101897 | 7 | * Licensed under Apache License v2.0. See the file "LICENSE" for more information. |
ef416fc2 | 8 | */ |
9 | ||
10 | /* | |
11 | * Include necessary headers... | |
12 | */ | |
13 | ||
14 | #include "cupsd.h" | |
fa73b229 | 15 | #ifdef HAVE_ACL_INIT |
16 | # include <sys/acl.h> | |
bd7854cb | 17 | # ifdef HAVE_MEMBERSHIP_H |
18 | # include <membership.h> | |
19 | # endif /* HAVE_MEMBERSHIP_H */ | |
fa73b229 | 20 | #endif /* HAVE_ACL_INIT */ |
ef416fc2 | 21 | |
22 | ||
1b6c7278 MS |
23 | /* |
24 | * Local functions... | |
25 | */ | |
26 | ||
27 | static int ctcompare(const char *a, const char *b); | |
28 | ||
29 | ||
ef416fc2 | 30 | /* |
31 | * 'cupsdAddCert()' - Add a certificate. | |
32 | */ | |
33 | ||
34 | void | |
35 | cupsdAddCert(int pid, /* I - Process ID */ | |
5bd77a73 | 36 | const char *username, /* I - Username */ |
0fa6c7fa | 37 | int type) /* I - AuthType for username */ |
ef416fc2 | 38 | { |
39 | int i; /* Looping var */ | |
40 | cupsd_cert_t *cert; /* Current certificate */ | |
41 | int fd; /* Certificate file */ | |
42 | char filename[1024]; /* Certificate filename */ | |
43 | static const char hex[] = "0123456789ABCDEF"; | |
44 | /* Hex constants... */ | |
45 | ||
46 | ||
6c2b2b19 | 47 | cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAddCert: Adding certificate for PID %d", pid); |
ef416fc2 | 48 | |
49 | /* | |
50 | * Allocate memory for the certificate... | |
51 | */ | |
52 | ||
53 | if ((cert = calloc(sizeof(cupsd_cert_t), 1)) == NULL) | |
54 | return; | |
55 | ||
56 | /* | |
57 | * Fill in the certificate information... | |
58 | */ | |
59 | ||
0fa6c7fa MS |
60 | cert->pid = pid; |
61 | cert->type = type; | |
ef416fc2 | 62 | strlcpy(cert->username, username, sizeof(cert->username)); |
63 | ||
64 | for (i = 0; i < 32; i ++) | |
41681883 | 65 | cert->certificate[i] = hex[CUPS_RAND() & 15]; |
ef416fc2 | 66 | |
67 | /* | |
68 | * Save the certificate to a file readable only by the User and Group | |
69 | * (or root and SystemGroup for PID == 0)... | |
70 | */ | |
71 | ||
72 | snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, pid); | |
73 | unlink(filename); | |
74 | ||
75 | if ((fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, 0400)) < 0) | |
76 | { | |
77 | cupsdLogMessage(CUPSD_LOG_ERROR, | |
b9faaae1 | 78 | "Unable to create certificate file %s - %s", |
ef416fc2 | 79 | filename, strerror(errno)); |
80 | free(cert); | |
81 | return; | |
82 | } | |
83 | ||
84 | if (pid == 0) | |
85 | { | |
fa73b229 | 86 | #ifdef HAVE_ACL_INIT |
87 | acl_t acl; /* ACL information */ | |
88 | acl_entry_t entry; /* ACL entry */ | |
89 | acl_permset_t permset; /* Permissions */ | |
bd7854cb | 90 | # ifdef HAVE_MBR_UID_TO_UUID |
fa73b229 | 91 | uuid_t group; /* Group ID */ |
bd7854cb | 92 | # endif /* HAVE_MBR_UID_TO_UUID */ |
e53920b9 | 93 | static int acls_not_supported = 0; |
94 | /* Only warn once */ | |
fa73b229 | 95 | #endif /* HAVE_ACL_INIT */ |
96 | ||
97 | ||
ef416fc2 | 98 | /* |
99 | * Root certificate... | |
100 | */ | |
101 | ||
102 | fchmod(fd, 0440); | |
103 | fchown(fd, RunUser, SystemGroupIDs[0]); | |
104 | ||
ffe32673 | 105 | cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddCert: NumSystemGroups=%d", NumSystemGroups); |
bd7854cb | 106 | |
fa73b229 | 107 | #ifdef HAVE_ACL_INIT |
108 | if (NumSystemGroups > 1) | |
109 | { | |
110 | /* | |
111 | * Set POSIX ACLs for the root certificate so that all system | |
112 | * groups can access it... | |
113 | */ | |
114 | ||
12f89d24 MS |
115 | int j; /* Looping var */ |
116 | ||
bd7854cb | 117 | # ifdef HAVE_MBR_UID_TO_UUID |
118 | /* | |
d4874933 | 119 | * On macOS, ACLs use UUIDs instead of GIDs... |
bd7854cb | 120 | */ |
121 | ||
fa73b229 | 122 | acl = acl_init(NumSystemGroups - 1); |
123 | ||
124 | for (i = 1; i < NumSystemGroups; i ++) | |
125 | { | |
126 | /* | |
127 | * Add each group ID to the ACL... | |
128 | */ | |
129 | ||
12f89d24 MS |
130 | for (j = 0; j < i; j ++) |
131 | if (SystemGroupIDs[j] == SystemGroupIDs[i]) | |
132 | break; | |
133 | ||
134 | if (j < i) | |
135 | continue; /* Skip duplicate groups */ | |
136 | ||
fa73b229 | 137 | acl_create_entry(&acl, &entry); |
138 | acl_get_permset(entry, &permset); | |
139 | acl_add_perm(permset, ACL_READ_DATA); | |
140 | acl_set_tag_type(entry, ACL_EXTENDED_ALLOW); | |
141 | mbr_gid_to_uuid((gid_t)SystemGroupIDs[i], group); | |
142 | acl_set_qualifier(entry, &group); | |
143 | acl_set_permset(entry, permset); | |
144 | } | |
12f89d24 | 145 | |
bd7854cb | 146 | # else |
147 | /* | |
148 | * POSIX ACLs need permissions for owner, group, other, and mask | |
149 | * in addition to the rest of the system groups... | |
150 | */ | |
151 | ||
152 | acl = acl_init(NumSystemGroups + 3); | |
153 | ||
154 | /* Owner */ | |
155 | acl_create_entry(&acl, &entry); | |
156 | acl_get_permset(entry, &permset); | |
157 | acl_add_perm(permset, ACL_READ); | |
158 | acl_set_tag_type(entry, ACL_USER_OBJ); | |
159 | acl_set_permset(entry, permset); | |
160 | ||
161 | /* Group */ | |
162 | acl_create_entry(&acl, &entry); | |
163 | acl_get_permset(entry, &permset); | |
164 | acl_add_perm(permset, ACL_READ); | |
165 | acl_set_tag_type(entry, ACL_GROUP_OBJ); | |
166 | acl_set_permset(entry, permset); | |
167 | ||
168 | /* Others */ | |
169 | acl_create_entry(&acl, &entry); | |
170 | acl_get_permset(entry, &permset); | |
4744bd90 | 171 | acl_add_perm(permset, 0); |
bd7854cb | 172 | acl_set_tag_type(entry, ACL_OTHER); |
173 | acl_set_permset(entry, permset); | |
174 | ||
175 | /* Mask */ | |
176 | acl_create_entry(&acl, &entry); | |
177 | acl_get_permset(entry, &permset); | |
178 | acl_add_perm(permset, ACL_READ); | |
179 | acl_set_tag_type(entry, ACL_MASK); | |
180 | acl_set_permset(entry, permset); | |
181 | ||
182 | for (i = 1; i < NumSystemGroups; i ++) | |
183 | { | |
184 | /* | |
185 | * Add each group ID to the ACL... | |
186 | */ | |
187 | ||
12f89d24 MS |
188 | for (j = 0; j < i; j ++) |
189 | if (SystemGroupIDs[j] == SystemGroupIDs[i]) | |
190 | break; | |
191 | ||
192 | if (j < i) | |
193 | continue; /* Skip duplicate groups */ | |
194 | ||
bd7854cb | 195 | acl_create_entry(&acl, &entry); |
196 | acl_get_permset(entry, &permset); | |
197 | acl_add_perm(permset, ACL_READ); | |
198 | acl_set_tag_type(entry, ACL_GROUP); | |
199 | acl_set_qualifier(entry, SystemGroupIDs + i); | |
200 | acl_set_permset(entry, permset); | |
201 | } | |
202 | ||
203 | if (acl_valid(acl)) | |
204 | { | |
e53920b9 | 205 | char *text, *textptr; /* Temporary string */ |
206 | ||
bd7854cb | 207 | cupsdLogMessage(CUPSD_LOG_ERROR, "ACL did not validate: %s", |
208 | strerror(errno)); | |
209 | text = acl_to_text(acl, NULL); | |
210 | for (textptr = strchr(text, '\n'); | |
211 | textptr; | |
212 | textptr = strchr(textptr + 1, '\n')) | |
213 | *textptr = ','; | |
214 | ||
215 | cupsdLogMessage(CUPSD_LOG_ERROR, "ACL: %s", text); | |
a2326b5b | 216 | acl_free(text); |
bd7854cb | 217 | } |
218 | # endif /* HAVE_MBR_UID_TO_UUID */ | |
fa73b229 | 219 | |
220 | if (acl_set_fd(fd, acl)) | |
e53920b9 | 221 | { |
222 | if (errno != EOPNOTSUPP || !acls_not_supported) | |
223 | cupsdLogMessage(CUPSD_LOG_ERROR, | |
224 | "Unable to set ACLs on root certificate \"%s\" - %s", | |
225 | filename, strerror(errno)); | |
226 | ||
227 | if (errno == EOPNOTSUPP) | |
228 | acls_not_supported = 1; | |
229 | } | |
230 | ||
fa73b229 | 231 | acl_free(acl); |
232 | } | |
233 | #endif /* HAVE_ACL_INIT */ | |
234 | ||
ef416fc2 | 235 | RootCertTime = time(NULL); |
236 | } | |
237 | else | |
238 | { | |
239 | /* | |
240 | * CGI certificate... | |
241 | */ | |
242 | ||
243 | fchmod(fd, 0400); | |
244 | fchown(fd, User, Group); | |
245 | } | |
246 | ||
ef416fc2 | 247 | write(fd, cert->certificate, strlen(cert->certificate)); |
248 | close(fd); | |
249 | ||
250 | /* | |
251 | * Insert the certificate at the front of the list... | |
252 | */ | |
253 | ||
254 | cert->next = Certs; | |
255 | Certs = cert; | |
256 | } | |
257 | ||
258 | ||
259 | /* | |
260 | * 'cupsdDeleteCert()' - Delete a single certificate. | |
261 | */ | |
262 | ||
263 | void | |
264 | cupsdDeleteCert(int pid) /* I - Process ID */ | |
265 | { | |
266 | cupsd_cert_t *cert, /* Current certificate */ | |
267 | *prev; /* Previous certificate */ | |
268 | char filename[1024]; /* Certificate file */ | |
269 | ||
270 | ||
271 | for (prev = NULL, cert = Certs; cert != NULL; prev = cert, cert = cert->next) | |
272 | if (cert->pid == pid) | |
273 | { | |
274 | /* | |
275 | * Remove this certificate from the list... | |
276 | */ | |
277 | ||
ffe32673 | 278 | cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDeleteCert: Removing certificate for PID %d.", pid); |
ef416fc2 | 279 | |
ef416fc2 | 280 | if (prev == NULL) |
281 | Certs = cert->next; | |
282 | else | |
283 | prev->next = cert->next; | |
284 | ||
285 | free(cert); | |
286 | ||
287 | /* | |
288 | * Delete the file and return... | |
289 | */ | |
290 | ||
291 | snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, pid); | |
292 | if (unlink(filename)) | |
b9faaae1 | 293 | cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to remove %s!", filename); |
ef416fc2 | 294 | |
295 | return; | |
296 | } | |
297 | } | |
298 | ||
299 | ||
300 | /* | |
301 | * 'cupsdDeleteAllCerts()' - Delete all certificates... | |
302 | */ | |
303 | ||
304 | void | |
305 | cupsdDeleteAllCerts(void) | |
306 | { | |
307 | cupsd_cert_t *cert, /* Current certificate */ | |
308 | *next; /* Next certificate */ | |
309 | char filename[1024]; /* Certificate file */ | |
310 | ||
311 | ||
312 | /* | |
313 | * Loop through each certificate, deleting them... | |
314 | */ | |
315 | ||
316 | for (cert = Certs; cert != NULL; cert = next) | |
317 | { | |
318 | /* | |
319 | * Delete the file... | |
320 | */ | |
321 | ||
322 | snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, cert->pid); | |
323 | if (unlink(filename)) | |
b9faaae1 | 324 | cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to remove %s!", filename); |
ef416fc2 | 325 | |
326 | /* | |
327 | * Free memory... | |
328 | */ | |
329 | ||
330 | next = cert->next; | |
331 | free(cert); | |
332 | } | |
333 | ||
e1d6a774 | 334 | Certs = NULL; |
335 | RootCertTime = 0; | |
ef416fc2 | 336 | } |
337 | ||
338 | ||
339 | /* | |
340 | * 'cupsdFindCert()' - Find a certificate. | |
341 | */ | |
342 | ||
db0bd74a | 343 | cupsd_cert_t * /* O - Matching certificate or NULL */ |
ef416fc2 | 344 | cupsdFindCert(const char *certificate) /* I - Certificate */ |
345 | { | |
346 | cupsd_cert_t *cert; /* Current certificate */ | |
347 | ||
348 | ||
ffe32673 | 349 | cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert(certificate=%s)", certificate); |
ef416fc2 | 350 | for (cert = Certs; cert != NULL; cert = cert->next) |
1b6c7278 | 351 | if (!ctcompare(certificate, cert->certificate)) |
ef416fc2 | 352 | { |
ffe32673 | 353 | cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Returning \"%s\".", cert->username); |
db0bd74a | 354 | return (cert); |
ef416fc2 | 355 | } |
356 | ||
ffe32673 | 357 | cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Certificate not found."); |
ef416fc2 | 358 | |
359 | return (NULL); | |
360 | } | |
361 | ||
362 | ||
363 | /* | |
364 | * 'cupsdInitCerts()' - Initialize the certificate "system" and root | |
365 | * certificate. | |
366 | */ | |
367 | ||
368 | void | |
369 | cupsdInitCerts(void) | |
370 | { | |
f8b3a85b | 371 | #ifndef HAVE_ARC4RANDOM |
ef416fc2 | 372 | cups_file_t *fp; /* /dev/random file */ |
ef416fc2 | 373 | |
374 | ||
375 | /* | |
376 | * Initialize the random number generator using the random device or | |
377 | * the current time, as available... | |
378 | */ | |
379 | ||
380 | if ((fp = cupsFileOpen("/dev/urandom", "rb")) == NULL) | |
381 | { | |
f8b3a85b MS |
382 | struct timeval tod; /* Time of day */ |
383 | ||
ef416fc2 | 384 | /* |
385 | * Get the time in usecs and use it as the initial seed... | |
386 | */ | |
387 | ||
388 | gettimeofday(&tod, NULL); | |
389 | ||
f8b3a85b | 390 | CUPS_SRAND((unsigned)(tod.tv_sec + tod.tv_usec)); |
ef416fc2 | 391 | } |
392 | else | |
393 | { | |
f8b3a85b MS |
394 | unsigned seed; /* Seed for random number generator */ |
395 | ||
ef416fc2 | 396 | /* |
397 | * Read 4 random characters from the random device and use | |
398 | * them as the seed... | |
399 | */ | |
400 | ||
07623986 MS |
401 | seed = (unsigned)cupsFileGetChar(fp); |
402 | seed = (seed << 8) | (unsigned)cupsFileGetChar(fp); | |
403 | seed = (seed << 8) | (unsigned)cupsFileGetChar(fp); | |
404 | CUPS_SRAND((seed << 8) | (unsigned)cupsFileGetChar(fp)); | |
ef416fc2 | 405 | |
406 | cupsFileClose(fp); | |
407 | } | |
f8b3a85b | 408 | #endif /* !HAVE_ARC4RANDOM */ |
ef416fc2 | 409 | |
410 | /* | |
411 | * Create a root certificate and return... | |
412 | */ | |
413 | ||
414 | if (!RunUser) | |
0fa6c7fa | 415 | cupsdAddCert(0, "root", cupsdDefaultAuthType()); |
ef416fc2 | 416 | } |
417 | ||
418 | ||
1b6c7278 MS |
419 | /* |
420 | * 'ctcompare()' - Compare two strings in constant time. | |
421 | */ | |
422 | ||
423 | static int /* O - 0 on match, non-zero on non-match */ | |
424 | ctcompare(const char *a, /* I - First string */ | |
425 | const char *b) /* I - Second string */ | |
426 | { | |
427 | int result = 0; /* Result */ | |
428 | ||
429 | ||
430 | while (*a && *b) | |
c1bc6894 | 431 | { |
1b6c7278 | 432 | result |= *a ^ *b; |
c1bc6894 MS |
433 | a ++; |
434 | b ++; | |
435 | } | |
1b6c7278 MS |
436 | |
437 | return (result); | |
438 | } |