]> git.ipfire.org Git - thirdparty/cups.git/blame - scheduler/cert.c
Resolve new compiler warnings.
[thirdparty/cups.git] / scheduler / cert.c
CommitLineData
ef416fc2 1/*
7e86f2f6 2 * Authentication certificate routines for the CUPS scheduler.
ef416fc2 3 *
d4874933 4 * Copyright 2007-2016 by Apple Inc.
7e86f2f6 5 * Copyright 1997-2006 by Easy Software Products.
ef416fc2 6 *
e3101897 7 * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
ef416fc2 8 */
9
10/*
11 * Include necessary headers...
12 */
13
14#include "cupsd.h"
fa73b229 15#ifdef HAVE_ACL_INIT
16# include <sys/acl.h>
bd7854cb 17# ifdef HAVE_MEMBERSHIP_H
18# include <membership.h>
19# endif /* HAVE_MEMBERSHIP_H */
fa73b229 20#endif /* HAVE_ACL_INIT */
ef416fc2 21
22
1b6c7278
MS
23/*
24 * Local functions...
25 */
26
27static int ctcompare(const char *a, const char *b);
28
29
ef416fc2 30/*
31 * 'cupsdAddCert()' - Add a certificate.
32 */
33
34void
35cupsdAddCert(int pid, /* I - Process ID */
5bd77a73 36 const char *username, /* I - Username */
0fa6c7fa 37 int type) /* I - AuthType for username */
ef416fc2 38{
39 int i; /* Looping var */
40 cupsd_cert_t *cert; /* Current certificate */
41 int fd; /* Certificate file */
42 char filename[1024]; /* Certificate filename */
43 static const char hex[] = "0123456789ABCDEF";
44 /* Hex constants... */
45
46
6c2b2b19 47 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAddCert: Adding certificate for PID %d", pid);
ef416fc2 48
49 /*
50 * Allocate memory for the certificate...
51 */
52
53 if ((cert = calloc(sizeof(cupsd_cert_t), 1)) == NULL)
54 return;
55
56 /*
57 * Fill in the certificate information...
58 */
59
0fa6c7fa
MS
60 cert->pid = pid;
61 cert->type = type;
ef416fc2 62 strlcpy(cert->username, username, sizeof(cert->username));
63
64 for (i = 0; i < 32; i ++)
41681883 65 cert->certificate[i] = hex[CUPS_RAND() & 15];
ef416fc2 66
67 /*
68 * Save the certificate to a file readable only by the User and Group
69 * (or root and SystemGroup for PID == 0)...
70 */
71
72 snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, pid);
73 unlink(filename);
74
75 if ((fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, 0400)) < 0)
76 {
77 cupsdLogMessage(CUPSD_LOG_ERROR,
b9faaae1 78 "Unable to create certificate file %s - %s",
ef416fc2 79 filename, strerror(errno));
80 free(cert);
81 return;
82 }
83
84 if (pid == 0)
85 {
fa73b229 86#ifdef HAVE_ACL_INIT
87 acl_t acl; /* ACL information */
88 acl_entry_t entry; /* ACL entry */
89 acl_permset_t permset; /* Permissions */
bd7854cb 90# ifdef HAVE_MBR_UID_TO_UUID
fa73b229 91 uuid_t group; /* Group ID */
bd7854cb 92# endif /* HAVE_MBR_UID_TO_UUID */
e53920b9 93 static int acls_not_supported = 0;
94 /* Only warn once */
fa73b229 95#endif /* HAVE_ACL_INIT */
96
97
ef416fc2 98 /*
99 * Root certificate...
100 */
101
102 fchmod(fd, 0440);
103 fchown(fd, RunUser, SystemGroupIDs[0]);
104
ffe32673 105 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddCert: NumSystemGroups=%d", NumSystemGroups);
bd7854cb 106
fa73b229 107#ifdef HAVE_ACL_INIT
108 if (NumSystemGroups > 1)
109 {
110 /*
111 * Set POSIX ACLs for the root certificate so that all system
112 * groups can access it...
113 */
114
12f89d24
MS
115 int j; /* Looping var */
116
bd7854cb 117# ifdef HAVE_MBR_UID_TO_UUID
118 /*
d4874933 119 * On macOS, ACLs use UUIDs instead of GIDs...
bd7854cb 120 */
121
fa73b229 122 acl = acl_init(NumSystemGroups - 1);
123
124 for (i = 1; i < NumSystemGroups; i ++)
125 {
126 /*
127 * Add each group ID to the ACL...
128 */
129
12f89d24
MS
130 for (j = 0; j < i; j ++)
131 if (SystemGroupIDs[j] == SystemGroupIDs[i])
132 break;
133
134 if (j < i)
135 continue; /* Skip duplicate groups */
136
fa73b229 137 acl_create_entry(&acl, &entry);
138 acl_get_permset(entry, &permset);
139 acl_add_perm(permset, ACL_READ_DATA);
140 acl_set_tag_type(entry, ACL_EXTENDED_ALLOW);
141 mbr_gid_to_uuid((gid_t)SystemGroupIDs[i], group);
142 acl_set_qualifier(entry, &group);
143 acl_set_permset(entry, permset);
144 }
12f89d24 145
bd7854cb 146# else
147 /*
148 * POSIX ACLs need permissions for owner, group, other, and mask
149 * in addition to the rest of the system groups...
150 */
151
152 acl = acl_init(NumSystemGroups + 3);
153
154 /* Owner */
155 acl_create_entry(&acl, &entry);
156 acl_get_permset(entry, &permset);
157 acl_add_perm(permset, ACL_READ);
158 acl_set_tag_type(entry, ACL_USER_OBJ);
159 acl_set_permset(entry, permset);
160
161 /* Group */
162 acl_create_entry(&acl, &entry);
163 acl_get_permset(entry, &permset);
164 acl_add_perm(permset, ACL_READ);
165 acl_set_tag_type(entry, ACL_GROUP_OBJ);
166 acl_set_permset(entry, permset);
167
168 /* Others */
169 acl_create_entry(&acl, &entry);
170 acl_get_permset(entry, &permset);
4744bd90 171 acl_add_perm(permset, 0);
bd7854cb 172 acl_set_tag_type(entry, ACL_OTHER);
173 acl_set_permset(entry, permset);
174
175 /* Mask */
176 acl_create_entry(&acl, &entry);
177 acl_get_permset(entry, &permset);
178 acl_add_perm(permset, ACL_READ);
179 acl_set_tag_type(entry, ACL_MASK);
180 acl_set_permset(entry, permset);
181
182 for (i = 1; i < NumSystemGroups; i ++)
183 {
184 /*
185 * Add each group ID to the ACL...
186 */
187
12f89d24
MS
188 for (j = 0; j < i; j ++)
189 if (SystemGroupIDs[j] == SystemGroupIDs[i])
190 break;
191
192 if (j < i)
193 continue; /* Skip duplicate groups */
194
bd7854cb 195 acl_create_entry(&acl, &entry);
196 acl_get_permset(entry, &permset);
197 acl_add_perm(permset, ACL_READ);
198 acl_set_tag_type(entry, ACL_GROUP);
199 acl_set_qualifier(entry, SystemGroupIDs + i);
200 acl_set_permset(entry, permset);
201 }
202
203 if (acl_valid(acl))
204 {
e53920b9 205 char *text, *textptr; /* Temporary string */
206
bd7854cb 207 cupsdLogMessage(CUPSD_LOG_ERROR, "ACL did not validate: %s",
208 strerror(errno));
209 text = acl_to_text(acl, NULL);
210 for (textptr = strchr(text, '\n');
211 textptr;
212 textptr = strchr(textptr + 1, '\n'))
213 *textptr = ',';
214
215 cupsdLogMessage(CUPSD_LOG_ERROR, "ACL: %s", text);
a2326b5b 216 acl_free(text);
bd7854cb 217 }
218# endif /* HAVE_MBR_UID_TO_UUID */
fa73b229 219
220 if (acl_set_fd(fd, acl))
e53920b9 221 {
222 if (errno != EOPNOTSUPP || !acls_not_supported)
223 cupsdLogMessage(CUPSD_LOG_ERROR,
224 "Unable to set ACLs on root certificate \"%s\" - %s",
225 filename, strerror(errno));
226
227 if (errno == EOPNOTSUPP)
228 acls_not_supported = 1;
229 }
230
fa73b229 231 acl_free(acl);
232 }
233#endif /* HAVE_ACL_INIT */
234
ef416fc2 235 RootCertTime = time(NULL);
236 }
237 else
238 {
239 /*
240 * CGI certificate...
241 */
242
243 fchmod(fd, 0400);
244 fchown(fd, User, Group);
245 }
246
ef416fc2 247 write(fd, cert->certificate, strlen(cert->certificate));
248 close(fd);
249
250 /*
251 * Insert the certificate at the front of the list...
252 */
253
254 cert->next = Certs;
255 Certs = cert;
256}
257
258
259/*
260 * 'cupsdDeleteCert()' - Delete a single certificate.
261 */
262
263void
264cupsdDeleteCert(int pid) /* I - Process ID */
265{
266 cupsd_cert_t *cert, /* Current certificate */
267 *prev; /* Previous certificate */
268 char filename[1024]; /* Certificate file */
269
270
271 for (prev = NULL, cert = Certs; cert != NULL; prev = cert, cert = cert->next)
272 if (cert->pid == pid)
273 {
274 /*
275 * Remove this certificate from the list...
276 */
277
ffe32673 278 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDeleteCert: Removing certificate for PID %d.", pid);
ef416fc2 279
ef416fc2 280 if (prev == NULL)
281 Certs = cert->next;
282 else
283 prev->next = cert->next;
284
285 free(cert);
286
287 /*
288 * Delete the file and return...
289 */
290
291 snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, pid);
292 if (unlink(filename))
b9faaae1 293 cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to remove %s!", filename);
ef416fc2 294
295 return;
296 }
297}
298
299
300/*
301 * 'cupsdDeleteAllCerts()' - Delete all certificates...
302 */
303
304void
305cupsdDeleteAllCerts(void)
306{
307 cupsd_cert_t *cert, /* Current certificate */
308 *next; /* Next certificate */
309 char filename[1024]; /* Certificate file */
310
311
312 /*
313 * Loop through each certificate, deleting them...
314 */
315
316 for (cert = Certs; cert != NULL; cert = next)
317 {
318 /*
319 * Delete the file...
320 */
321
322 snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, cert->pid);
323 if (unlink(filename))
b9faaae1 324 cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to remove %s!", filename);
ef416fc2 325
326 /*
327 * Free memory...
328 */
329
330 next = cert->next;
331 free(cert);
332 }
333
e1d6a774 334 Certs = NULL;
335 RootCertTime = 0;
ef416fc2 336}
337
338
339/*
340 * 'cupsdFindCert()' - Find a certificate.
341 */
342
db0bd74a 343cupsd_cert_t * /* O - Matching certificate or NULL */
ef416fc2 344cupsdFindCert(const char *certificate) /* I - Certificate */
345{
346 cupsd_cert_t *cert; /* Current certificate */
347
348
ffe32673 349 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert(certificate=%s)", certificate);
ef416fc2 350 for (cert = Certs; cert != NULL; cert = cert->next)
1b6c7278 351 if (!ctcompare(certificate, cert->certificate))
ef416fc2 352 {
ffe32673 353 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Returning \"%s\".", cert->username);
db0bd74a 354 return (cert);
ef416fc2 355 }
356
ffe32673 357 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Certificate not found.");
ef416fc2 358
359 return (NULL);
360}
361
362
363/*
364 * 'cupsdInitCerts()' - Initialize the certificate "system" and root
365 * certificate.
366 */
367
368void
369cupsdInitCerts(void)
370{
f8b3a85b 371#ifndef HAVE_ARC4RANDOM
ef416fc2 372 cups_file_t *fp; /* /dev/random file */
ef416fc2 373
374
375 /*
376 * Initialize the random number generator using the random device or
377 * the current time, as available...
378 */
379
380 if ((fp = cupsFileOpen("/dev/urandom", "rb")) == NULL)
381 {
f8b3a85b
MS
382 struct timeval tod; /* Time of day */
383
ef416fc2 384 /*
385 * Get the time in usecs and use it as the initial seed...
386 */
387
388 gettimeofday(&tod, NULL);
389
f8b3a85b 390 CUPS_SRAND((unsigned)(tod.tv_sec + tod.tv_usec));
ef416fc2 391 }
392 else
393 {
f8b3a85b
MS
394 unsigned seed; /* Seed for random number generator */
395
ef416fc2 396 /*
397 * Read 4 random characters from the random device and use
398 * them as the seed...
399 */
400
07623986
MS
401 seed = (unsigned)cupsFileGetChar(fp);
402 seed = (seed << 8) | (unsigned)cupsFileGetChar(fp);
403 seed = (seed << 8) | (unsigned)cupsFileGetChar(fp);
404 CUPS_SRAND((seed << 8) | (unsigned)cupsFileGetChar(fp));
ef416fc2 405
406 cupsFileClose(fp);
407 }
f8b3a85b 408#endif /* !HAVE_ARC4RANDOM */
ef416fc2 409
410 /*
411 * Create a root certificate and return...
412 */
413
414 if (!RunUser)
0fa6c7fa 415 cupsdAddCert(0, "root", cupsdDefaultAuthType());
ef416fc2 416}
417
418
1b6c7278
MS
419/*
420 * 'ctcompare()' - Compare two strings in constant time.
421 */
422
423static int /* O - 0 on match, non-zero on non-match */
424ctcompare(const char *a, /* I - First string */
425 const char *b) /* I - Second string */
426{
427 int result = 0; /* Result */
428
429
430 while (*a && *b)
c1bc6894 431 {
1b6c7278 432 result |= *a ^ *b;
c1bc6894
MS
433 a ++;
434 b ++;
435 }
1b6c7278
MS
436
437 return (result);
438}