/*
- * "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $"
+ * "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $"
*
* Authorization routines for the Common UNIX Printing System (CUPS).
*
- * Copyright 2007-2008 by Apple Inc.
+ * Copyright 2007-2009 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
* This file contains Kerberos support code, copyright 2006 by
static char *cups_crypt(const char *pw, const char *salt);
#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
#ifdef HAVE_GSSAPI
-static gss_cred_id_t get_gss_creds(const char *service_name);
+static gss_cred_id_t get_gss_creds(const char *service_name,
+ const char *con_server_name);
#endif /* HAVE_GSSAPI */
static char *get_md5_password(const char *username,
const char *group, char passwd[33]);
char *ptr, /* Pointer into string */
username[256], /* Username string */
password[33]; /* Password string */
- const char *localuser; /* Certificate username */
+ cupsd_cert_t *localuser; /* Certificate username */
char nonce[HTTP_MAX_VALUE], /* Nonce value from client */
md5[33], /* MD5 password */
basicmd5[33]; /* MD5 of Basic password */
return;
}
- if ((status = AuthorizationCopyInfo(con->authref,
- kAuthorizationEnvironmentUsername,
- &authinfo)) != 0)
+ strlcpy(username, "_AUTHREF_", sizeof(username));
+
+ if (!AuthorizationCopyInfo(con->authref, kAuthorizationEnvironmentUsername,
+ &authinfo))
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "AuthorizationCopyInfo returned %d (%s)",
- (int)status, cssmErrorString(status));
- return;
+ if (authinfo->count == 1 && authinfo->items[0].value &&
+ authinfo->items[0].valueLength >= 2)
+ strlcpy(username, authinfo->items[0].value, sizeof(username));
+
+ AuthorizationFreeItemSet(authinfo);
}
-
- if (authinfo->count == 1)
- strlcpy(username, authinfo->items[0].value, sizeof(username));
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as %s using AuthRef",
+ "cupsdAuthorize: Authorized as \"%s\" using AuthRef",
username);
-
- AuthorizationFreeItemSet(authinfo);
-
con->type = CUPSD_AUTH_BASIC;
}
#endif /* HAVE_AUTHORIZATION_H */
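Review bot: The failure branch of `AuthorizationCopyInfo()` no longer logs anything, so a request that ends up authorized as the placeholder `_AUTHREF_` because the username lookup failed is recorded only by the debug-level "Authorized as" line, whereas the removed code logged the status at CUPSD_LOG_ERROR. Keeping an `else` on the new `if (!AuthorizationCopyInfo(...))` with `cupsdLogMessage(CUPSD_LOG_WARN, "cupsdAuthorize: AuthorizationCopyInfo failed, using _AUTHREF_");` preserves that audit trail. On the success path `strlcpy(username, authinfo->items[0].value, ...)` treats the item value as a NUL-terminated string, while the new `valueLength >= 2` check suggests it is a length-delimited buffer; copying at most `valueLength` bytes (bounded by `sizeof(username) - 1`) and terminating explicitly would not depend on a terminator the item may not carry. cupsdAuthorize begins and ends outside this hunk.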
if ((localuser = cupsdFindCert(authorization)) != NULL)
{
- strlcpy(username, localuser, sizeof(username));
+ strlcpy(username, localuser->username, sizeof(username));
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdAuthorize: Authorized as %s using Local",
return;
}
- con->type = CUPSD_AUTH_BASIC;
+#ifdef HAVE_GSSAPI
+ if (localuser->ccache)
+ con->type = CUPSD_AUTH_NEGOTIATE;
+ else
+#endif /* HAVE_GSSAPI */
+ con->type = CUPSD_AUTH_BASIC;
}
else if (!strncmp(authorization, "Basic", 5))
{
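Review bot: The `else` immediately before `#endif /* HAVE_GSSAPI */` binds to the `con->type = CUPSD_AUTH_BASIC;` that follows the directive, so that statement is the if-body's else in a GSSAPI build and an unconditional assignment otherwise; it works as written, but any later line added after the `#endif` changes meaning in one configuration only. Assigning the default first and overriding it inside the conditional block avoids the cross-directive dangling else: `con->type = CUPSD_AUTH_BASIC;` followed by `#ifdef HAVE_GSSAPI` / `if (localuser->ccache) con->type = CUPSD_AUTH_NEGOTIATE;` / `#endif`. cupsdAuthorize continues outside this hunk.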
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: pam_start() returned %d (%s)!\n",
+ "cupsdAuthorize: pam_start() returned %d (%s)!",
pamerr, pam_strerror(pamh, pamerr));
- pam_end(pamh, 0);
return;
}
-# if defined(HAVE_PAM_SET_ITEM) && defined(PAM_RHOST)
+# ifdef HAVE_PAM_SET_ITEM
+# ifdef PAM_RHOST
pamerr = pam_set_item(pamh, PAM_RHOST, con->http.hostname);
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
- "cupsdAuthorize: pam_set_item() returned %d "
- "(%s)!\n", pamerr, pam_strerror(pamh, pamerr));
-# endif /* HAVE_PAM_SET_ITEM && PAM_RHOST */
+ "cupsdAuthorize: pam_set_item(PAM_RHOST) "
+ "returned %d (%s)!", pamerr,
+ pam_strerror(pamh, pamerr));
+# endif /* PAM_RHOST */
+
+# ifdef PAM_TTY
+ pamerr = pam_set_item(pamh, PAM_TTY, "cups");
+ if (pamerr != PAM_SUCCESS)
+ cupsdLogMessage(CUPSD_LOG_WARN,
+ "cupsdAuthorize: pam_set_item(PAM_TTY) "
+ "returned %d (%s)!", pamerr,
+ pam_strerror(pamh, pamerr));
+# endif /* PAM_TTY */
+# endif /* HAVE_PAM_SET_ITEM */
+
+# ifdef HAVE_PAM_SETCRED
+ pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ if (pamerr != PAM_SUCCESS)
+ cupsdLogMessage(CUPSD_LOG_WARN,
+ "cupsdAuthorize: pam_setcred() "
+ "returned %d (%s)!", pamerr,
+ pam_strerror(pamh, pamerr));
+# endif /* HAVE_PAM_SETCRED */
pamerr = pam_authenticate(pamh, PAM_SILENT);
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"cupsdAuthorize: pam_authenticate() returned %d "
- "(%s)!\n",
+ "(%s)!",
pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
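Review bot: `pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT)` is called before `pam_authenticate()`, so credentials are established for an account whose password has not yet been verified; PAM documents pam_setcred as a call to make after successful authentication (normally after pam_acct_mgmt as well), and modules that set up real credentials may fail or behave unexpectedly when invoked first. Moving the `# ifdef HAVE_PAM_SETCRED` block to after the pam_acct_mgmt check follows the documented order; whether a failure there should stay a CUPSD_LOG_WARN or reject the request is a policy choice worth a one-line comment. Separately, the pam_start failure path still evaluates `pam_strerror(pamh, pamerr)` with a handle that pam_start did not initialize; Linux-PAM ignores the handle argument, but `pam_strerror(NULL, pamerr)` is the portable form. cupsdAuthorize continues outside this hunk on both sides.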
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"cupsdAuthorize: pam_acct_mgmt() returned %d "
- "(%s)!\n",
+ "(%s)!",
pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: AIX authenticate of username \"%s\"",
- username);
+ "cupsdAuthorize: AIX authenticate of username "
+ "\"%s\"", username);
reenter = 1;
if (authenticate(username, password, &reenter, &authmsg) != 0)
* Get the server credentials...
*/
- if ((server_creds = get_gss_creds(GSSServiceName)) == NULL)
+ if ((server_creds = get_gss_creds(GSSServiceName, con->servername)) == NULL)
return;
/*
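Review bot: `con->servername` now selects the GSS service principal that get_gss_creds acquires credentials for, replacing the local hostname the removed httpGetHostname() call produced. If that field originates from the client's Host header, the principal name is effectively chosen by the client and has to be validated against the configured server name and aliases before this point; that validation is not in this diff, so confirm it exists. The same parameter is formatted with `%s` and no emptiness or NULL check in the get_gss_creds definition hunk further down, so a connection whose servername was never set yields a principal of the form `service@` (or undefined behavior if the field is a pointer that can be NULL); falling back to the local hostname in that case, as the old code always did, covers it. The enclosing function continues outside this hunk.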
struct passwd *user, /* I - System user info */
const char *groupname) /* I - Group name */
{
- int i; /* Looping var */
- struct group *group; /* System group info */
- char junk[33]; /* MD5 password (not used) */
+ int i; /* Looping var */
+ struct group *group; /* System group info */
+ char junk[33]; /* MD5 password (not used) */
#ifdef HAVE_MBR_UID_TO_UUID
- uuid_t useruuid, /* UUID for username */
- groupuuid; /* UUID for groupname */
- int is_member; /* True if user is a member of group */
+ uuid_t useruuid, /* UUID for username */
+ groupuuid; /* UUID for groupname */
+ int is_member; /* True if user is a member of group */
#endif /* HAVE_MBR_UID_TO_UUID */
* Check group membership through MacOS X membership API...
*/
- if (user && group)
- if (!mbr_uid_to_uuid(user->pw_uid, useruuid))
+ if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid))
+ {
+ if (group)
+ {
+ /*
+ * Map group name to UUID and check membership...
+ */
+
if (!mbr_gid_to_uuid(group->gr_gid, groupuuid))
- if (!mbr_check_membership(useruuid, groupuuid, &is_member))
+ if (!mbr_check_membership(useruuid, groupuuid, &is_member))
+ if (is_member)
+ return (1);
+ }
+ else if (groupname[0] == '#')
+ {
+ /*
+ * Use UUID directly and check for equality (user UUID) and
+ * membership (group UUID)...
+ */
+
+ if (!uuid_parse((char *)groupname + 1, groupuuid))
+ {
+ if (!uuid_compare(useruuid, groupuuid))
+ return (1);
+ else if (!mbr_check_membership(useruuid, groupuuid, &is_member))
if (is_member)
return (1);
+ }
+
+ return (0);
+ }
+ }
+ else if (groupname[0] == '#')
+ return (0);
#endif /* HAVE_MBR_UID_TO_UUID */
/*
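Review bot: `uuid_parse((char *)groupname + 1, groupuuid)` casts away the const of the `groupname` parameter; if the platform's uuid_parse prototype accepts a const string the cast is unnecessary, and if it does not, a comment stating that uuid_parse does not modify its input is the minimum so the cast is not mistaken for a write through a read-only buffer. The new outer `else if (groupname[0] == '#') return (0);` also deserves a one-line comment such as `/* UUID groups are never resolved by name: no user UUID means deny */`, since it is the one branch where a failed membership lookup is final rather than deferred to the code after the `#endif`. The enclosing function starts and ends outside this hunk.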
return (HTTP_OK);
}
- return (HTTP_UNAUTHORIZED);
+ return (HTTP_FORBIDDEN);
}
#endif /* HAVE_AUTHORIZATION_H */
return (HTTP_OK);
}
- return (HTTP_UNAUTHORIZED);
+ return (HTTP_FORBIDDEN);
}
/*
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: User not in group(s)!");
- return (HTTP_UNAUTHORIZED);
+ return (HTTP_FORBIDDEN);
}
*/
static gss_cred_id_t /* O - Server credentials */
-get_gss_creds(const char *service_name) /* I - Service name */
+get_gss_creds(
+ const char *service_name, /* I - Service name */
+ const char *con_server_name) /* I - Hostname of server */
{
OM_uint32 major_status, /* Major status code */
minor_status; /* Minor status code */
gss_cred_id_t server_creds; /* Server credentials */
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
/* Service name token */
- char buf[1024], /* Service name buffer */
- fqdn[HTTP_MAX_URI]; /* Hostname of server */
+ char buf[1024]; /* Service name buffer */
- snprintf(buf, sizeof(buf), "%s@%s", service_name,
- httpGetHostname(NULL, fqdn, sizeof(fqdn)));
+ snprintf(buf, sizeof(buf), "%s@%s", service_name, con_server_name);
token.value = buf;
token.length = strlen(buf);
/*
- * End of "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $".
+ * End of "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $".
*/