X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=scheduler%2Fauth.c;h=171dccb052290c757dc4b159be69b3f197865280;hb=4a78452e736a2fc3b0dcf7f5c45232b2db203167;hp=405c064a20a57d56df298d932de4628a27c6559c;hpb=ef416fc25c4af449e930416117bedb12fc9924ba;p=thirdparty%2Fcups.git diff --git a/scheduler/auth.c b/scheduler/auth.c index 405c064a2..171dccb05 100644 --- a/scheduler/auth.c +++ b/scheduler/auth.c @@ -1,54 +1,19 @@ -;/* - * "$Id: auth.c 4906 2006-01-10 20:53:28Z mike $" - * - * Authorization routines for the Common UNIX Printing System (CUPS). - * - * Copyright 1997-2006 by Easy Software Products, all rights reserved. - * - * These coded instructions, statements, and computer programs are the - * property of Easy Software Products and are protected by Federal - * copyright law. Distribution and use rights are outlined in the file - * "LICENSE.txt" which should have been included with this file. If this - * file is missing or damaged please contact Easy Software Products - * at: +/* + * "$Id$" * - * Attn: CUPS Licensing Information - * Easy Software Products - * 44141 Airport View Drive, Suite 204 - * Hollywood, Maryland 20636 USA + * Authorization routines for the CUPS scheduler. * - * Voice: (301) 373-9600 - * EMail: cups-info@cups.org - * WWW: http://www.cups.org + * Copyright 2007-2015 by Apple Inc. + * Copyright 1997-2007 by Easy Software Products, all rights reserved. * - * Contents: + * This file contains Kerberos support code, copyright 2006 by + * Jelmer Vernooij. * - * cupsdAddLocation() - Add a location for authorization. - * cupsdAddName() - Add a name to a location... - * cupsdAllowHost() - Add a host name that is allowed to access the - * location. - * cupsdAllowIP() - Add an IP address or network that is allowed to - * access the location. - * cupsdCheckAuth() - Check authorization masks. - * cupsdCheckGroup() - Check for a user's group membership. - * cupsdCopyLocation() - Make a copy of a location... - * cupsdDeleteAllLocations() - Free all memory used for location authorization. - * cupsdDeleteLocation() - Free all memory used by a location. - * cupsdDenyHost() - Add a host name that is not allowed to access the - * location. - * cupsdDenyIP() - Add an IP address or network that is not allowed - * to access the location. - * cupsdFindBest() - Find the location entry that best matches the - * resource. - * cupsdFindLocation() - Find the named location. - * cupsdGetMD5Passwd() - Get an MD5 password. - * cupsdIsAuthorized() - Check to see if the user is authorized... - * add_allow() - Add an allow mask to the location. - * add_deny() - Add a deny mask to the location. - * cups_crypt() - Encrypt the password using the DES or MD5 - * algorithms, as needed. - * pam_func() - PAM conversation function. - * to64() - Base64-encode an integer value... + * These coded instructions, statements, and computer programs are the + * property of Apple Inc. and are protected by Federal copyright + * law. Distribution and use rights are outlined in the file "LICENSE.txt" + * which should have been included with this file. If this file is + * file is missing or damaged, see the license at "http://www.cups.org/". */ /* @@ -70,20 +35,48 @@ # include # endif /* HAVE_PAM_PAM_APPL_H */ #endif /* HAVE_LIBPAM */ -#ifdef HAVE_USERSEC_H -# include -#endif /* HAVE_USERSEC_H */ +#ifdef HAVE_MEMBERSHIP_H +# include +#endif /* HAVE_MEMBERSHIP_H */ +#ifdef HAVE_AUTHORIZATION_H +# include +# ifdef HAVE_SECBASEPRIV_H +# include +# else +extern const char *cssmErrorString(int error); +# endif /* HAVE_SECBASEPRIV_H */ +#endif /* HAVE_AUTHORIZATION_H */ +#ifdef HAVE_SYS_PARAM_H +# include +#endif /* HAVE_SYS_PARAM_H */ +#ifdef HAVE_SYS_UCRED_H +# include +typedef struct xucred cupsd_ucred_t; +# define CUPSD_UCRED_UID(c) (c).cr_uid +#else +# ifndef __OpenBSD__ +typedef struct ucred cupsd_ucred_t; +# else +typedef struct sockpeercred cupsd_ucred_t; +# endif +# define CUPSD_UCRED_UID(c) (c).uid +#endif /* HAVE_SYS_UCRED_H */ /* * Local functions... */ -static cupsd_authmask_t *add_allow(cupsd_location_t *loc); -static cupsd_authmask_t *add_deny(cupsd_location_t *loc); +#ifdef HAVE_AUTHORIZATION_H +static int check_authref(cupsd_client_t *con, const char *right); +#endif /* HAVE_AUTHORIZATION_H */ +static int compare_locations(cupsd_location_t *a, + cupsd_location_t *b); +static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data); #if !HAVE_LIBPAM static char *cups_crypt(const char *pw, const char *salt); #endif /* !HAVE_LIBPAM */ +static void free_authmask(cupsd_authmask_t *am, void *data); #if HAVE_LIBPAM static int pam_func(int, const struct pam_message **, struct pam_response **, void *); @@ -99,63 +92,67 @@ static void to64(char *s, unsigned long v, int n); #if HAVE_LIBPAM typedef struct cupsd_authdata_s /**** Authentication data ****/ { - char username[33], /* Username string */ - password[33]; /* Password string */ + char username[HTTP_MAX_VALUE], /* Username string */ + password[HTTP_MAX_VALUE]; /* Password string */ } cupsd_authdata_t; #endif /* HAVE_LIBPAM */ /* - * Local globals... + * 'cupsdAddIPMask()' - Add an IP address authorization mask. */ -#if defined(__hpux) && defined(HAVE_LIBPAM) -static cupsd_authdata_t *auth_datat; /* Current client being authenticated */ -#endif /* __hpux && HAVE_LIBPAM */ - +int /* O - 1 on success, 0 on failure */ +cupsdAddIPMask( + cups_array_t **masks, /* IO - Masks array (created as needed) */ + const unsigned address[4], /* I - IP address */ + const unsigned netmask[4]) /* I - IP netmask */ +{ + cupsd_authmask_t temp; /* New host/domain mask */ -/* - * 'cupsdAddLocation()' - Add a location for authorization. - */ -cupsd_location_t * /* O - Pointer to new location record */ -cupsdAddLocation(const char *location) /* I - Location path */ -{ - cupsd_location_t *temp; /* New location */ + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddIPMask(masks=%p(%p), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)", masks, *masks, address[0], address[1], address[2], address[3], netmask[0], netmask[1], netmask[2], netmask[3]); + temp.type = CUPSD_AUTH_IP; + memcpy(temp.mask.ip.address, address, sizeof(temp.mask.ip.address)); + memcpy(temp.mask.ip.netmask, netmask, sizeof(temp.mask.ip.netmask)); /* - * Try to allocate memory for the new location. + * Create the masks array as needed and add... */ - if (NumLocations == 0) - temp = malloc(sizeof(cupsd_location_t)); - else - temp = realloc(Locations, sizeof(cupsd_location_t) * (NumLocations + 1)); + if (!*masks) + *masks = cupsArrayNew3(NULL, NULL, NULL, 0, + (cups_acopy_func_t)copy_authmask, + (cups_afree_func_t)free_authmask); - if (temp == NULL) - return (NULL); + return (cupsArrayAdd(*masks, &temp)); +} - Locations = temp; - temp += NumLocations; - NumLocations ++; +/* + * 'cupsdAddLocation()' - Add a location for authorization. + */ + +void +cupsdAddLocation(cupsd_location_t *loc) /* I - Location to add */ +{ /* - * Initialize the record and copy the name over... + * Make sure the locations array is created... */ - memset(temp, 0, sizeof(cupsd_location_t)); - strlcpy(temp->location, location, sizeof(temp->location)); - temp->length = strlen(temp->location); - - cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAddLocation: added location \'%s\'", - location); + if (!Locations) + Locations = cupsArrayNew3((cups_array_func_t)compare_locations, NULL, + (cups_ahash_func_t)NULL, 0, + (cups_acopy_func_t)NULL, + (cups_afree_func_t)cupsdFreeLocation); - /* - * Return the new record... - */ + if (Locations) + { + cupsArrayAdd(Locations, loc); - return (temp); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: Added location \"%s\"", loc->location ? loc->location : "(null)"); + } } @@ -167,125 +164,95 @@ void cupsdAddName(cupsd_location_t *loc, /* I - Location to add to */ char *name) /* I - Name to add */ { - char **temp; /* Pointer to names array */ - - - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")", - loc, name); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")", loc, name); - if (loc->num_names == 0) - temp = malloc(sizeof(char *)); - else - temp = realloc(loc->names, (loc->num_names + 1) * sizeof(char *)); + if (!loc->names) + loc->names = cupsArrayNew3(NULL, NULL, NULL, 0, + (cups_acopy_func_t)_cupsStrAlloc, + (cups_afree_func_t)_cupsStrFree); - if (temp == NULL) - { - cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to add name to location %s: %s", - loc->location, strerror(errno)); - return; - } - - loc->names = temp; - - if ((temp[loc->num_names] = strdup(name)) == NULL) + if (!cupsArrayAdd(loc->names, name)) { cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to duplicate name for location %s: %s", - loc->location, strerror(errno)); + loc->location ? loc->location : "nil", strerror(errno)); return; } - - loc->num_names ++; } /* - * 'cupsdAllowHost()' - Add a host name that is allowed to access the location. + * 'cupsdAddNameMask()' - Add a host or interface name authorization mask. */ -void -cupsdAllowHost(cupsd_location_t *loc, /* I - Location to add to */ - char *name) /* I - Name of host or domain to add */ +int /* O - 1 on success, 0 on failure */ +cupsdAddNameMask(cups_array_t **masks, /* IO - Masks array (created as needed) */ + char *name) /* I - Host or interface name */ { - cupsd_authmask_t *temp; /* New host/domain mask */ + cupsd_authmask_t temp; /* New host/domain mask */ char ifname[32], /* Interface name */ *ifptr; /* Pointer to end of name */ - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAllowHost(loc=%p(%s), name=\"%s\")", - loc, loc->location, name); - - if ((temp = add_allow(loc)) == NULL) - return; + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddNameMask(masks=%p(%p), name=\"%s\")", masks, *masks, name); - if (strcasecmp(name, "@LOCAL") == 0) + if (!_cups_strcasecmp(name, "@LOCAL")) { /* - * Allow *interface*... + * Deny *interface*... */ - temp->type = AUTH_INTERFACE; - temp->mask.name.name = strdup("*"); - temp->mask.name.length = 1; + temp.type = CUPSD_AUTH_INTERFACE; + temp.mask.name.name = (char *)"*"; } - else if (strncasecmp(name, "@IF(", 4) == 0) + else if (!_cups_strncasecmp(name, "@IF(", 4)) { /* - * Allow *interface*... + * Deny *interface*... */ strlcpy(ifname, name + 4, sizeof(ifname)); - ifptr = ifname + strlen(ifname); + ifptr = ifname + strlen(ifname) - 1; - if (ifptr[-1] == ')') + if (ifptr >= ifname && *ifptr == ')') { ifptr --; *ifptr = '\0'; } - temp->type = AUTH_INTERFACE; - temp->mask.name.name = strdup(ifname); - temp->mask.name.length = ifptr - ifname; + temp.type = CUPSD_AUTH_INTERFACE; + temp.mask.name.name = ifname; } else { /* - * Allow name... + * Deny name... */ - temp->type = AUTH_NAME; - temp->mask.name.name = strdup(name); - temp->mask.name.length = strlen(name); - } -} + if (*name == '*') + name ++; + temp.type = CUPSD_AUTH_NAME; + temp.mask.name.name = (char *)name; + } -/* - * 'cupsdAllowIP()' - Add an IP address or network that is allowed to access - * the location. - */ - -void -cupsdAllowIP(cupsd_location_t *loc, /* I - Location to add to */ - unsigned address[4], /* I - IP address to add */ - unsigned netmask[4]) /* I - Netmask of address */ -{ - cupsd_authmask_t *temp; /* New host/domain mask */ + /* + * Set the name length... + */ + temp.mask.name.length = strlen(temp.mask.name.name); - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdAllowIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)", - loc, loc->location, address[0], address[1], address[2], - address[3], netmask[0], netmask[1], netmask[2], - netmask[3]); + /* + * Create the masks array as needed and add... + */ - if ((temp = add_allow(loc)) == NULL) - return; + if (!*masks) + *masks = cupsArrayNew3(NULL, NULL, NULL, 0, + (cups_acopy_func_t)copy_authmask, + (cups_afree_func_t)free_authmask); - temp->type = AUTH_IP; - memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address)); - memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask)); + return (cupsArrayAdd(*masks, &temp)); } @@ -297,31 +264,13 @@ void cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ { int type; /* Authentication type */ - char *authorization, /* Pointer into Authorization string */ - *ptr, /* Pointer into string */ - username[65], /* Username string */ - password[33]; /* Password string */ - const char *localuser; /* Certificate username */ - char nonce[HTTP_MAX_VALUE], /* Nonce value from client */ - md5[33], /* MD5 password */ - basicmd5[33]; /* MD5 of Basic password */ - static const char * const states[] = /* HTTP client states... */ - { - "WAITING", - "OPTIONS", - "GET", - "GET", - "HEAD", - "POST", - "POST", - "POST", - "PUT", - "PUT", - "DELETE", - "TRACE", - "CLOSE", - "STATUS" - }; + const char *authorization; /* Pointer into Authorization string */ + char *ptr, /* Pointer into string */ + username[HTTP_MAX_VALUE], + /* Username string */ + password[HTTP_MAX_VALUE]; + /* Password string */ + cupsd_cert_t *localuser; /* Certificate username */ /* @@ -329,72 +278,240 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * authentication to expect... */ - con->best = cupsdFindBest(con->uri, con->http.state); + con->best = cupsdFindBest(con->uri, httpGetState(con->http)); + con->type = CUPSD_AUTH_NONE; - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdAuthorize: con->uri=\"%s\", con->best=%p(%s)", - con->uri, con->best, con->best ? con->best->location : ""); + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location : ""); - if (con->best && con->best->type != AUTH_NONE) - type = con->best->type; + if (con->best && con->best->type != CUPSD_AUTH_NONE) + { + if (con->best->type == CUPSD_AUTH_DEFAULT) + type = cupsdDefaultAuthType(); + else + type = con->best->type; + } else - type = DefaultAuthType; + type = cupsdDefaultAuthType(); /* * Decode the Authorization string... */ - authorization = con->http.fields[HTTP_FIELD_AUTHORIZATION]; - - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAuthorize: Authorization=\"%s\"", - authorization); + authorization = httpGetField(con->http, HTTP_FIELD_AUTHORIZATION); username[0] = '\0'; password[0] = '\0'; - if (type == AUTH_NONE) +#ifdef HAVE_GSSAPI + con->gss_uid = 0; +#endif /* HAVE_GSSAPI */ + +#ifdef HAVE_AUTHORIZATION_H + if (con->authref) + { + AuthorizationFree(con->authref, kAuthorizationFlagDefaults); + con->authref = NULL; + } +#endif /* HAVE_AUTHORIZATION_H */ + + if (!*authorization) { /* - * No authorization required, return early... + * No authorization data provided, return early... */ - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: No authentication required."); + cupsdLogClient(con, CUPSD_LOG_DEBUG, "No authentication data provided."); return; } - else if (!*authorization) +#ifdef HAVE_AUTHORIZATION_H + else if (!strncmp(authorization, "AuthRef ", 8) && + httpAddrLocalhost(httpGetAddress(con->http))) { + OSStatus status; /* Status */ + char authdata[HTTP_MAX_VALUE]; + /* Nonce value from client */ + int authlen; /* Auth string length */ + AuthorizationItemSet *authinfo; /* Authorization item set */ + /* - * No authorization data provided, return early... + * Get the Authorization Services data... */ - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: No authentication data provided."); - return; + authorization += 8; + while (isspace(*authorization & 255)) + authorization ++; + + authlen = sizeof(authdata); + httpDecode64_2(authdata, &authlen, authorization); + + if (authlen != kAuthorizationExternalFormLength) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "External Authorization reference size is incorrect."); + return; + } + + if ((status = AuthorizationCreateFromExternalForm((AuthorizationExternalForm *)authdata, &con->authref)) != 0) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "AuthorizationCreateFromExternalForm returned %d (%s)", (int)status, cssmErrorString(status)); + return; + } + + username[0] = '\0'; + + if (!AuthorizationCopyInfo(con->authref, kAuthorizationEnvironmentUsername, + &authinfo)) + { + if (authinfo->count == 1 && authinfo->items[0].value && + authinfo->items[0].valueLength >= 2) + { + strlcpy(username, authinfo->items[0].value, sizeof(username)); + + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef.", username); + } + + AuthorizationFreeItemSet(authinfo); + } + + if (!username[0]) + { + /* + * No username in AuthRef, grab username using peer credentials... + */ + + struct passwd *pwd; /* Password entry for this user */ + cupsd_ucred_t peercred; /* Peer credentials */ + socklen_t peersize; /* Size of peer credentials */ + + peersize = sizeof(peercred); + + if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize)) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno)); + return; + } + + if ((pwd = getpwuid(CUPSD_UCRED_UID(peercred))) == NULL) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to find UID %d for peer credentials.", (int)CUPSD_UCRED_UID(peercred)); + return; + } + + strlcpy(username, pwd->pw_name, sizeof(username)); + + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef + PeerCred.", username); + } + + con->type = CUPSD_AUTH_BASIC; } +#endif /* HAVE_AUTHORIZATION_H */ +#if defined(SO_PEERCRED) && defined(AF_LOCAL) + else if (!strncmp(authorization, "PeerCred ", 9) && + con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best) + { + /* + * Use peer credentials from domain socket connection... + */ + + struct passwd *pwd; /* Password entry for this user */ + cupsd_ucred_t peercred; /* Peer credentials */ + socklen_t peersize; /* Size of peer credentials */ +#ifdef HAVE_AUTHORIZATION_H + const char *name; /* Authorizing name */ + int no_peer = 0; /* Don't allow peer credentials? */ + + /* + * See if we should allow peer credentials... + */ + + for (name = (char *)cupsArrayFirst(con->best->names); + name; + name = (char *)cupsArrayNext(con->best->names)) + { + if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) || + !_cups_strcasecmp(name, "@SYSTEM")) + { + /* Normally don't want peer credentials if we need an auth key... */ + no_peer = 1; + } + else if (!_cups_strcasecmp(name, "@OWNER")) + { + /* but if @OWNER is present then we allow it... */ + no_peer = 0; + break; + } + } + + if (no_peer) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "PeerCred authentication not allowed for resource per AUTHKEY policy."); + return; + } +#endif /* HAVE_AUTHORIZATION_H */ + + if ((pwd = getpwnam(authorization + 9)) == NULL) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9); + return; + } + + peersize = sizeof(peercred); + +# ifdef __APPLE__ + if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize)) +# else + if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred, &peersize)) +# endif /* __APPLE__ */ + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno)); + return; + } + + if (pwd->pw_uid != CUPSD_UCRED_UID(peercred)) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "Invalid peer credentials for \"%s\" - got %d, expected %d.", authorization + 9, CUPSD_UCRED_UID(peercred), pwd->pw_uid); +# ifdef HAVE_SYS_UCRED_H + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_version=%d", peercred.cr_version); + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_uid=%d", peercred.cr_uid); + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_ngroups=%d", peercred.cr_ngroups); + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_groups[0]=%d", peercred.cr_groups[0]); +# endif /* HAVE_SYS_UCRED_H */ + return; + } + + strlcpy(username, authorization + 9, sizeof(username)); + +# ifdef HAVE_GSSAPI + con->gss_uid = CUPSD_UCRED_UID(peercred); +# endif /* HAVE_GSSAPI */ + + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using PeerCred.", username); + + con->type = CUPSD_AUTH_BASIC; + } +#endif /* SO_PEERCRED && AF_LOCAL */ else if (!strncmp(authorization, "Local", 5) && - !strcasecmp(con->http.hostname, "localhost")) + httpAddrLocalhost(httpGetAddress(con->http))) { /* * Get Local certificate authentication data... */ authorization += 5; - while (isspace(*authorization)) + while (isspace(*authorization & 255)) authorization ++; - if ((localuser = cupsdFindCert(authorization)) != NULL) - strlcpy(username, localuser, sizeof(username)); - else + if ((localuser = cupsdFindCert(authorization)) == NULL) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Local authentication certificate not " - "found!"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Local authentication certificate not found."); return; } + + strlcpy(username, localuser->username, sizeof(username)); + con->type = localuser->type; + + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using Local.", username); } - else if (!strncmp(authorization, "Basic", 5) && - (type == AUTH_BASIC || type == AUTH_BASICDIGEST)) + else if (!strncmp(authorization, "Basic", 5)) { /* * Get the Basic authentication data... @@ -404,7 +521,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ authorization += 5; - while (isspace(*authorization)) + while (isspace(*authorization & 255)) authorization ++; userlen = sizeof(username); @@ -416,8 +533,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ if ((ptr = strchr(username, ':')) == NULL) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Missing Basic password!"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing Basic password."); return; } @@ -429,8 +545,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * Username must not be empty... */ - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Empty Basic username!"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic username."); return; } @@ -440,8 +555,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * Password must not be empty... */ - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Empty Basic password!"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic password."); return; } @@ -453,7 +567,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ switch (type) { - case AUTH_BASIC : + default : + case CUPSD_AUTH_BASIC : { #if HAVE_LIBPAM /* @@ -470,76 +585,60 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ strlcpy(data.username, username, sizeof(data.username)); strlcpy(data.password, password, sizeof(data.password)); +# ifdef __sun + pamdata.conv = (int (*)(int, struct pam_message **, + struct pam_response **, + void *))pam_func; +# else pamdata.conv = pam_func; +# endif /* __sun */ pamdata.appdata_ptr = &data; -# ifdef __hpux - /* - * Workaround for HP-UX bug in pam_unix; see pam_func() below for - * more info... - */ - - auth_data = &data; -# endif /* __hpux */ - pamerr = pam_start("cups", username, &pamdata, &pamh); if (pamerr != PAM_SUCCESS) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: pam_start() returned %d (%s)!\n", - pamerr, pam_strerror(pamh, pamerr)); - pam_end(pamh, 0); + cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_start() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); return; } +# ifdef HAVE_PAM_SET_ITEM +# ifdef PAM_RHOST + pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname); + if (pamerr != PAM_SUCCESS) + cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_RHOST) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); +# endif /* PAM_RHOST */ + +# ifdef PAM_TTY + pamerr = pam_set_item(pamh, PAM_TTY, "cups"); + if (pamerr != PAM_SUCCESS) + cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_TTY) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); +# endif /* PAM_TTY */ +# endif /* HAVE_PAM_SET_ITEM */ + pamerr = pam_authenticate(pamh, PAM_SILENT); if (pamerr != PAM_SUCCESS) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: pam_authenticate() returned %d " - "(%s)!\n", - pamerr, pam_strerror(pamh, pamerr)); + cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_authenticate() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); pam_end(pamh, 0); return; } +# ifdef HAVE_PAM_SETCRED + pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); + if (pamerr != PAM_SUCCESS) + cupsdLogClient(con, CUPSD_LOG_WARN, "pam_setcred() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); +# endif /* HAVE_PAM_SETCRED */ + pamerr = pam_acct_mgmt(pamh, PAM_SILENT); if (pamerr != PAM_SUCCESS) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: pam_acct_mgmt() returned %d " - "(%s)!\n", - pamerr, pam_strerror(pamh, pamerr)); + cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_acct_mgmt() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); pam_end(pamh, 0); return; } pam_end(pamh, PAM_SUCCESS); -#elif defined(HAVE_USERSEC_H) - /* - * Use AIX authentication interface... - */ - - char *authmsg; /* Authentication message */ - char *loginmsg; /* Login message */ - int reenter; /* ??? */ - - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: AIX authenticate of username \"%s\"", - username); - - reenter = 1; - if (authenticate(username, password, &reenter, &authmsg) != 0) - { - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: Unable to authenticate username " - "\"%s\": %s", - username, strerror(errno)); - return; - } - #else /* * Use normal UNIX password file-based authentication... @@ -561,10 +660,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * No such user... */ - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Unknown username \"%s\"!", - username); - return (HTTP_UNAUTHORIZED); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Unknown username \"%s\".", username); + return; } # ifdef HAVE_SHADOW_H @@ -577,9 +674,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * Don't allow blank passwords! */ - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Username \"%s\" has no shadow " - "password!", username); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no shadow password.", username); return; } @@ -592,9 +687,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * Don't allow blank passwords! */ - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Username \"%s\" has no password!", - username); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no password.", username); return; } @@ -605,10 +698,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ pass = cups_crypt(password, pw->pw_passwd); - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdAuthorize: pw_passwd=\"%s\", crypt=\"%s\"", - pw->pw_passwd, pass); - if (!pass || strcmp(pw->pw_passwd, pass)) { # ifdef HAVE_SHADOW_H @@ -616,131 +705,182 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ { pass = cups_crypt(password, spw->sp_pwdp); - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdAuthorize: sp_pwdp=\"%s\", crypt=\"%s\"", - spw->sp_pwdp, pass); - if (pass == NULL || strcmp(spw->sp_pwdp, pass)) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Authentication failed for " - "user \"%s\"!", - username); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username); return; } } else # endif /* HAVE_SHADOW_H */ { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Authentication failed for " - "user \"%s\"!", - username); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username); return; } } #endif /* HAVE_LIBPAM */ } - break; - - case AUTH_BASICDIGEST : - /* - * Do Basic authentication with the Digest password file... - */ - if (!cupsdGetMD5Passwd(username, NULL, md5)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Unknown MD5 username \"%s\"!", - username); - return; - } - - httpMD5(username, "CUPS", password, basicmd5); - - if (strcmp(md5, basicmd5)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Authentication failed for \"%s\"!", - username); - return; - } - break; + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username); + break; } + + con->type = type; } - else if (!strncmp(authorization, "Digest", 6) && type == AUTH_DIGEST) +#ifdef HAVE_GSSAPI + else if (!strncmp(authorization, "Negotiate", 9)) { + int len; /* Length of authorization string */ + gss_ctx_id_t context; /* Authorization context */ + OM_uint32 major_status, /* Major status code */ + minor_status; /* Minor status code */ + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER, + /* Input token from string */ + output_token = GSS_C_EMPTY_BUFFER; + /* Output token for username */ + gss_name_t client_name; /* Client name */ + + +# ifdef __APPLE__ /* - * Get the username, password, and nonce from the Digest attributes... + * If the weak-linked GSSAPI/Kerberos library is not present, don't try + * to use it... */ - if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "username", - username, sizeof(username)) || !username[0]) + if (&gss_init_sec_context == NULL) { - /* - * Username must not be empty... - */ - - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Empty or missing Digest username!"); + cupsdLogClient(con, CUPSD_LOG_WARN, "GSSAPI/Kerberos authentication failed because the Kerberos framework is not present."); return; } +# endif /* __APPLE__ */ - if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "response", - password, sizeof(password)) || !password[0]) - { - /* - * Password must not be empty... - */ + /* + * Find the start of the Kerberos input token... + */ - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Empty or missing Digest password!"); - return; - } + authorization += 9; + while (isspace(*authorization & 255)) + authorization ++; - if (!httpGetSubField(&(con->http), HTTP_FIELD_AUTHORIZATION, "nonce", - nonce)) + if (!*authorization) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: No nonce value for Digest " - "authentication!"); + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "No authentication data specified."); return; } - if (strcmp(con->http.hostname, nonce)) + /* + * Decode the authorization string to get the input token... + */ + + len = (int)strlen(authorization); + input_token.value = malloc((size_t)len); + input_token.value = httpDecode64_2(input_token.value, &len, + authorization); + input_token.length = (size_t)len; + + /* + * Accept the input token to get the authorization info... + */ + + context = GSS_C_NO_CONTEXT; + client_name = GSS_C_NO_NAME; + major_status = gss_accept_sec_context(&minor_status, + &context, + ServerCreds, + &input_token, + GSS_C_NO_CHANNEL_BINDINGS, + &client_name, + NULL, + &output_token, + NULL, + NULL, + NULL); + + if (output_token.length > 0) + gss_release_buffer(&minor_status, &output_token); + + if (GSS_ERROR(major_status)) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Bad nonce value, expected \"%s\", " - "got \"%s\"!", con->http.hostname, nonce); + cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error accepting GSSAPI security context.", con->number); + + if (context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER); return; } + con->have_gss = 1; + /* - * Validate the username and password... + * Get the username associated with the client's credentials... */ - if (!cupsdGetMD5Passwd(username, NULL, md5)) + if (major_status == GSS_S_CONTINUE_NEEDED) + cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Credentials not complete.", con->number); + else if (major_status == GSS_S_COMPLETE) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Unknown MD5 username \"%s\"!", - username); - return; + major_status = gss_display_name(&minor_status, client_name, + &output_token, NULL); + + if (GSS_ERROR(major_status)) + { + cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error getting username.", con->number); + gss_release_name(&minor_status, &client_name); + gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER); + return; + } + + strlcpy(username, output_token.value, sizeof(username)); + + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Negotiate.", username); + + gss_release_name(&minor_status, &client_name); + gss_release_buffer(&minor_status, &output_token); + + con->type = CUPSD_AUTH_NEGOTIATE; } - httpMD5Final(nonce, states[con->http.state], con->uri, md5); + gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER); - if (strcmp(md5, password)) +# if defined(SO_PEERCRED) && defined(AF_LOCAL) + /* + * Get the client's UID if we are printing locally - that allows a backend + * to run as the correct user to get Kerberos credentials of its own. + */ + + if (httpAddrFamily(con->http->hostaddr) == AF_LOCAL) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Authentication failed for \"%s\"!", - username); - return; + cupsd_ucred_t peercred; /* Peer credentials */ + socklen_t peersize; /* Size of peer credentials */ + + peersize = sizeof(peercred); + +# ifdef __APPLE__ + if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize)) +# else + if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred, + &peersize)) +# endif /* __APPLE__ */ + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno)); + } + else + { + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Using credentials for UID %d.", CUPSD_UCRED_UID(peercred)); + con->gss_uid = CUPSD_UCRED_UID(peercred); + } } +# endif /* SO_PEERCRED && AF_LOCAL */ } +#endif /* HAVE_GSSAPI */ else { - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: Bad authentication data."); + char scheme[256]; /* Auth scheme... */ + + + if (sscanf(authorization, "%255s", scheme) != 1) + strlcpy(scheme, "UNKNOWN", sizeof(scheme)); + + cupsdLogClient(con, CUPSD_LOG_ERROR, "Bad authentication data \"%s ...\".", scheme); return; } @@ -752,9 +892,67 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ strlcpy(con->username, username, sizeof(con->username)); strlcpy(con->password, password, sizeof(con->password)); +} - cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: username=\"%s\"", - con->username); + +/* + * 'cupsdCheckAccess()' - Check whether the given address is allowed to + * access a location. + */ + +int /* O - 1 if allowed, 0 otherwise */ +cupsdCheckAccess( + unsigned ip[4], /* I - Client address */ + const char *name, /* I - Client hostname */ + size_t namelen, /* I - Length of hostname */ + cupsd_location_t *loc) /* I - Location to check */ +{ + int allow; /* 1 if allowed, 0 otherwise */ + + + if (!_cups_strcasecmp(name, "localhost")) + { + /* + * Access from localhost (127.0.0.1 or ::1) is always allowed... + */ + + return (1); + } + else + { + /* + * Do authorization checks on the domain/address... + */ + + switch (loc->order_type) + { + default : + allow = 0; /* anti-compiler-warning-code */ + break; + + case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */ + allow = 1; + + if (cupsdCheckAuth(ip, name, namelen, loc->deny)) + allow = 0; + + if (cupsdCheckAuth(ip, name, namelen, loc->allow)) + allow = 1; + break; + + case CUPSD_AUTH_DENY : /* Order Allow,Deny */ + allow = 0; + + if (cupsdCheckAuth(ip, name, namelen, loc->allow)) + allow = 1; + + if (cupsdCheckAuth(ip, name, namelen, loc->deny)) + allow = 0; + break; + } + } + + return (allow); } @@ -763,25 +961,27 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ */ int /* O - 1 if mask matches, 0 otherwise */ -cupsdCheckAuth( - unsigned ip[4], /* I - Client address */ - char *name, /* I - Client hostname */ - int name_len, /* I - Length of hostname */ - int num_masks, /* I - Number of masks */ - cupsd_authmask_t *masks) /* I - Masks */ +cupsdCheckAuth(unsigned ip[4], /* I - Client address */ + const char *name, /* I - Client hostname */ + size_t name_len, /* I - Length of hostname */ + cups_array_t *masks) /* I - Masks */ { - int i; /* Looping var */ - cupsd_netif_t *iface; /* Network interface */ - unsigned netip4; /* IPv4 network address */ + int i; /* Looping var */ + cupsd_authmask_t *mask; /* Current mask */ + cupsd_netif_t *iface; /* Network interface */ + unsigned netip4; /* IPv4 network address */ #ifdef AF_INET6 - unsigned netip6[4]; /* IPv6 network address */ + unsigned netip6[4]; /* IPv6 network address */ #endif /* AF_INET6 */ - while (num_masks > 0) + + for (mask = (cupsd_authmask_t *)cupsArrayFirst(masks); + mask; + mask = (cupsd_authmask_t *)cupsArrayNext(masks)) { - switch (masks->type) + switch (mask->type) { - case AUTH_INTERFACE : + case CUPSD_AUTH_INTERFACE : /* * Check for a match with a network interface... */ @@ -795,15 +995,26 @@ cupsdCheckAuth( netip6[3] = htonl(ip[3]); #endif /* AF_INET6 */ - if (!strcmp(masks->mask.name.name, "*")) + cupsdNetIFUpdate(); + + if (!strcmp(mask->mask.name.name, "*")) { +#ifdef __APPLE__ + /* + * Allow Back-to-My-Mac addresses... + */ + + if ((ip[0] & 0xff000000) == 0xfd000000) + return (1); +#endif /* __APPLE__ */ + /* * Check against all local interfaces... */ - cupsdNetIFUpdate(); - - for (iface = NetIFList; iface != NULL; iface = iface->next) + for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList); + iface; + iface = (cupsd_netif_t *)cupsArrayNext(NetIFList)) { /* * Only check local interfaces... @@ -848,10 +1059,13 @@ cupsdCheckAuth( * Check the named interface... */ - for (iface = cupsdNetIFFind(masks->mask.name.name); - iface && !strcasecmp(masks->mask.name.name, iface->name); - iface = iface->next) + for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList); + iface; + iface = (cupsd_netif_t *)cupsArrayNext(NetIFList)) { + if (strcmp(mask->mask.name.name, iface->name)) + continue; + if (iface->address.addr.sa_family == AF_INET) { /* @@ -884,42 +1098,39 @@ cupsdCheckAuth( } break; - case AUTH_NAME : + case CUPSD_AUTH_NAME : /* * Check for exact name match... */ - if (!strcasecmp(name, masks->mask.name.name)) + if (!_cups_strcasecmp(name, mask->mask.name.name)) return (1); /* * Check for domain match... */ - if (name_len >= masks->mask.name.length && - masks->mask.name.name[0] == '.' && - strcasecmp(name + name_len - masks->mask.name.length, - masks->mask.name.name) == 0) + if (name_len >= mask->mask.name.length && + mask->mask.name.name[0] == '.' && + !_cups_strcasecmp(name + name_len - mask->mask.name.length, + mask->mask.name.name)) return (1); break; - case AUTH_IP : + case CUPSD_AUTH_IP : /* * Check for IP/network address match... */ for (i = 0; i < 4; i ++) - if ((ip[i] & masks->mask.ip.netmask[i]) != - masks->mask.ip.address[i]) + if ((ip[i] & mask->mask.ip.netmask[i]) != + mask->mask.ip.address[i]) break; if (i == 4) return (1); break; } - - masks ++; - num_masks --; } return (0); @@ -936,14 +1147,16 @@ cupsdCheckGroup( struct passwd *user, /* I - System user info */ const char *groupname) /* I - Group name */ { - int i; /* Looping var */ - struct group *group; /* System group info */ - char junk[33]; /* MD5 password (not used) */ + int i; /* Looping var */ + struct group *group; /* System group info */ +#ifdef HAVE_MBR_UID_TO_UUID + uuid_t useruuid, /* UUID for username */ + groupuuid; /* UUID for groupname */ + int is_member; /* True if user is a member of group */ +#endif /* HAVE_MBR_UID_TO_UUID */ - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")", - username, user, groupname); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")", username, user, groupname); /* * Validate input... @@ -966,7 +1179,7 @@ cupsdCheckGroup( */ for (i = 0; group->gr_mem[i]; i ++) - if (!strcasecmp(username, group->gr_mem[i])) + if (!_cups_strcasecmp(username, group->gr_mem[i])) return (1); } @@ -975,330 +1188,156 @@ cupsdCheckGroup( * against the user's group ID... */ - if (user && group && group->gr_gid == user->pw_gid) - return (1); - - /* - * Username not found, group not found, or user is not part of the - * system group... Check for a user and group in the MD5 password - * file... - */ - - if (cupsdGetMD5Passwd(username, groupname, junk) != NULL) - return (1); - - /* - * If we get this far, then the user isn't part of the named group... - */ - - return (0); -} - - -/* - * 'cupsdCopyLocation()' - Make a copy of a location... - */ - -cupsd_location_t * /* O - New location */ -cupsdCopyLocation( - cupsd_location_t **loc) /* IO - Original location */ -{ - int i; /* Looping var */ - int locindex; /* Index into Locations array */ - cupsd_location_t *temp; /* New location */ - char location[HTTP_MAX_URI]; - /* Location of resource */ - - - /* - * Add the new location, updating the original location - * pointer as needed... - */ - - locindex = *loc - Locations; - - /* - * Use a local copy of location because cupsdAddLocation may cause - * this memory to be moved... - */ - - strlcpy(location, (*loc)->location, sizeof(location)); - - if ((temp = cupsdAddLocation(location)) == NULL) - return (NULL); - - *loc = Locations + locindex; - - /* - * Copy the information from the original location to the new one. - */ - - temp->limit = (*loc)->limit; - temp->order_type = (*loc)->order_type; - temp->type = (*loc)->type; - temp->level = (*loc)->level; - temp->satisfy = (*loc)->satisfy; - temp->encryption = (*loc)->encryption; - - if ((temp->num_names = (*loc)->num_names) > 0) - { - /* - * Copy the names array... - */ - - if ((temp->names = calloc(temp->num_names, sizeof(char *))) == NULL) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to allocate memory for %d names: %s", - temp->num_names, strerror(errno)); - NumLocations --; - return (NULL); - } - - for (i = 0; i < temp->num_names; i ++) - if ((temp->names[i] = strdup((*loc)->names[i])) == NULL) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to copy name \"%s\": %s", - (*loc)->names[i], strerror(errno)); - - NumLocations --; - return (NULL); - } - } - - if ((temp->num_allow = (*loc)->num_allow) > 0) - { - /* - * Copy allow rules... - */ - - if ((temp->allow = calloc(temp->num_allow, sizeof(cupsd_authmask_t))) == NULL) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to allocate memory for %d allow rules: %s", - temp->num_allow, strerror(errno)); - NumLocations --; - return (NULL); - } - - for (i = 0; i < temp->num_allow; i ++) - switch (temp->allow[i].type = (*loc)->allow[i].type) - { - case AUTH_NAME : - temp->allow[i].mask.name.length = (*loc)->allow[i].mask.name.length; - temp->allow[i].mask.name.name = strdup((*loc)->allow[i].mask.name.name); - - if (temp->allow[i].mask.name.name == NULL) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to copy allow name \"%s\": %s", - (*loc)->allow[i].mask.name.name, strerror(errno)); - NumLocations --; - return (NULL); - } - break; - case AUTH_IP : - memcpy(&(temp->allow[i].mask.ip), &((*loc)->allow[i].mask.ip), - sizeof(cupsd_ipmask_t)); - break; - } - } - - if ((temp->num_deny = (*loc)->num_deny) > 0) - { - /* - * Copy deny rules... - */ - - if ((temp->deny = calloc(temp->num_deny, sizeof(cupsd_authmask_t))) == NULL) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to allocate memory for %d deny rules: %s", - temp->num_deny, strerror(errno)); - NumLocations --; - return (NULL); - } - - for (i = 0; i < temp->num_deny; i ++) - switch (temp->deny[i].type = (*loc)->deny[i].type) - { - case AUTH_NAME : - temp->deny[i].mask.name.length = (*loc)->deny[i].mask.name.length; - temp->deny[i].mask.name.name = strdup((*loc)->deny[i].mask.name.name); - - if (temp->deny[i].mask.name.name == NULL) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to copy deny name \"%s\": %s", - (*loc)->deny[i].mask.name.name, strerror(errno)); - NumLocations --; - return (NULL); - } - break; - case AUTH_IP : - memcpy(&(temp->deny[i].mask.ip), &((*loc)->deny[i].mask.ip), - sizeof(cupsd_ipmask_t)); - break; - } - } - - return (temp); -} - - -/* - * 'cupsdDeleteAllLocations()' - Free all memory used for location authorization. - */ - -void -cupsdDeleteAllLocations(void) -{ - int i; /* Looping var */ - cupsd_location_t *loc; /* Current location */ - + if (user && group && group->gr_gid == user->pw_gid) + return (1); +#ifdef HAVE_MBR_UID_TO_UUID /* - * Free all of the allow/deny records first... + * Check group membership through MacOS X membership API... */ - for (i = NumLocations, loc = Locations; i > 0; i --, loc ++) - cupsdDeleteLocation(loc); + if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid)) + { + if (group) + { + /* + * Map group name to UUID and check membership... + */ + + if (!mbr_gid_to_uuid(group->gr_gid, groupuuid)) + if (!mbr_check_membership(useruuid, groupuuid, &is_member)) + if (is_member) + return (1); + } + else if (groupname[0] == '#') + { + /* + * Use UUID directly and check for equality (user UUID) and + * membership (group UUID)... + */ + + if (!uuid_parse((char *)groupname + 1, groupuuid)) + { + if (!uuid_compare(useruuid, groupuuid)) + return (1); + else if (!mbr_check_membership(useruuid, groupuuid, &is_member)) + if (is_member) + return (1); + } + + return (0); + } + } + else if (groupname[0] == '#') + return (0); +#endif /* HAVE_MBR_UID_TO_UUID */ /* - * Then free the location array... + * If we get this far, then the user isn't part of the named group... */ - if (NumLocations > 0) - free(Locations); - - Locations = NULL; - NumLocations = 0; + return (0); } /* - * 'cupsdDeleteLocation()' - Free all memory used by a location. + * 'cupsdCopyLocation()' - Make a copy of a location... */ -void -cupsdDeleteLocation( - cupsd_location_t *loc) /* I - Location to delete */ +cupsd_location_t * /* O - New location */ +cupsdCopyLocation( + cupsd_location_t *loc) /* I - Original location */ { - int i; /* Looping var */ - cupsd_authmask_t *mask; /* Current mask */ - - - for (i = loc->num_names - 1; i >= 0; i --) - free(loc->names[i]); - - if (loc->num_names > 0) - free(loc->names); - - for (i = loc->num_allow, mask = loc->allow; i > 0; i --, mask ++) - if (mask->type == AUTH_NAME || mask->type == AUTH_INTERFACE) - free(mask->mask.name.name); - - if (loc->num_allow > 0) - free(loc->allow); - - for (i = loc->num_deny, mask = loc->deny; i > 0; i --, mask ++) - if (mask->type == AUTH_NAME || mask->type == AUTH_INTERFACE) - free(mask->mask.name.name); + cupsd_location_t *temp; /* New location */ - if (loc->num_deny > 0) - free(loc->deny); -} + /* + * Make a copy of the original location... + */ -/* - * 'cupsdDenyHost()' - Add a host name that is not allowed to access the - * location. - */ + if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL) + return (NULL); -void -cupsdDenyHost(cupsd_location_t *loc, /* I - Location to add to */ - char *name) /* I - Name of host or domain to add */ -{ - cupsd_authmask_t *temp; /* New host/domain mask */ - char ifname[32], /* Interface name */ - *ifptr; /* Pointer to end of name */ + /* + * Copy the information from the original location to the new one. + */ + if (!loc) + return (temp); - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDenyHost(loc=%p(%s), name=\"%s\")", - loc, loc->location, name); + if (loc->location) + temp->location = _cupsStrAlloc(loc->location); - if ((temp = add_deny(loc)) == NULL) - return; + temp->length = loc->length; + temp->limit = loc->limit; + temp->order_type = loc->order_type; + temp->type = loc->type; + temp->level = loc->level; + temp->satisfy = loc->satisfy; + temp->encryption = loc->encryption; - if (strcasecmp(name, "@LOCAL") == 0) + if (loc->names) { - /* - * Deny *interface*... - */ + if ((temp->names = cupsArrayDup(loc->names)) == NULL) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + "Unable to allocate memory for %d names: %s", + cupsArrayCount(loc->names), strerror(errno)); - temp->type = AUTH_INTERFACE; - temp->mask.name.name = strdup("*"); - temp->mask.name.length = 1; + cupsdFreeLocation(temp); + return (NULL); + } } - else if (strncasecmp(name, "@IF(", 4) == 0) + + if (loc->allow) { /* - * Deny *interface*... + * Copy allow rules... */ - strlcpy(ifname, name + 4, sizeof(ifname)); - - ifptr = ifname + strlen(ifname); - - if (ifptr[-1] == ')') + if ((temp->allow = cupsArrayDup(loc->allow)) == NULL) { - ifptr --; - *ifptr = '\0'; + cupsdLogMessage(CUPSD_LOG_ERROR, + "Unable to allocate memory for %d allow rules: %s", + cupsArrayCount(loc->allow), strerror(errno)); + cupsdFreeLocation(temp); + return (NULL); } - - temp->type = AUTH_INTERFACE; - temp->mask.name.name = strdup(ifname); - temp->mask.name.length = ifptr - ifname; } - else + + if (loc->deny) { /* - * Deny name... + * Copy deny rules... */ - temp->type = AUTH_NAME; - temp->mask.name.name = strdup(name); - temp->mask.name.length = strlen(name); + if ((temp->deny = cupsArrayDup(loc->deny)) == NULL) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + "Unable to allocate memory for %d deny rules: %s", + cupsArrayCount(loc->deny), strerror(errno)); + cupsdFreeLocation(temp); + return (NULL); + } } + + return (temp); } /* - * 'cupsdDenyIP()' - Add an IP address or network that is not allowed to - * access the location. + * 'cupsdDeleteAllLocations()' - Free all memory used for location authorization. */ void -cupsdDenyIP(cupsd_location_t *loc, /* I - Location to add to */ - unsigned address[4],/* I - IP address to add */ - unsigned netmask[4])/* I - Netmask of address */ +cupsdDeleteAllLocations(void) { - cupsd_authmask_t *temp; /* New host/domain mask */ - - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdDenyIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)", - loc, loc->location, address[0], address[1], address[2], - address[3], netmask[0], netmask[1], netmask[2], - netmask[3]); - - if ((temp = add_deny(loc)) == NULL) - return; + /* + * Free the location array, which will free all of the locations... + */ - temp->type = AUTH_IP; - memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address)); - memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask)); + cupsArrayDelete(Locations); + Locations = NULL; } @@ -1310,30 +1349,31 @@ cupsd_location_t * /* O - Location that matches */ cupsdFindBest(const char *path, /* I - Resource path */ http_state_t state) /* I - HTTP state/request */ { - int i; /* Looping var */ char uri[HTTP_MAX_URI], /* URI in request... */ *uriptr; /* Pointer into URI */ cupsd_location_t *loc, /* Current location */ *best; /* Best match for location so far */ - int bestlen; /* Length of best match */ + size_t bestlen; /* Length of best match */ int limit; /* Limit field */ - static const int limits[] = /* Map http_status_t to AUTH_LIMIT_xyz */ + static const int limits[] = /* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */ { - AUTH_LIMIT_ALL, - AUTH_LIMIT_OPTIONS, - AUTH_LIMIT_GET, - AUTH_LIMIT_GET, - AUTH_LIMIT_HEAD, - AUTH_LIMIT_POST, - AUTH_LIMIT_POST, - AUTH_LIMIT_POST, - AUTH_LIMIT_PUT, - AUTH_LIMIT_PUT, - AUTH_LIMIT_DELETE, - AUTH_LIMIT_TRACE, - AUTH_LIMIT_ALL, - AUTH_LIMIT_ALL + CUPSD_AUTH_LIMIT_ALL, + CUPSD_AUTH_LIMIT_OPTIONS, + CUPSD_AUTH_LIMIT_GET, + CUPSD_AUTH_LIMIT_GET, + CUPSD_AUTH_LIMIT_HEAD, + CUPSD_AUTH_LIMIT_POST, + CUPSD_AUTH_LIMIT_POST, + CUPSD_AUTH_LIMIT_POST, + CUPSD_AUTH_LIMIT_PUT, + CUPSD_AUTH_LIMIT_PUT, + CUPSD_AUTH_LIMIT_DELETE, + CUPSD_AUTH_LIMIT_TRACE, + CUPSD_AUTH_LIMIT_ALL, + CUPSD_AUTH_LIMIT_ALL, + CUPSD_AUTH_LIMIT_ALL, + CUPSD_AUTH_LIMIT_ALL }; @@ -1345,6 +1385,12 @@ cupsdFindBest(const char *path, /* I - Resource path */ strlcpy(uri, path, sizeof(uri)); + if ((uriptr = strchr(uri, '?')) != NULL) + *uriptr = '\0'; /* Drop trailing query string */ + + if ((uriptr = uri + strlen(uri) - 1) > uri && *uriptr == '/') + *uriptr = '\0'; /* Remove trailing '/' */ + if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9)) { @@ -1358,8 +1404,6 @@ cupsdFindBest(const char *path, /* I - Resource path */ *uriptr = '\0'; } - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri = \"%s\"...", uri); - /* * Loop through the list of locations to find a match... */ @@ -1368,10 +1412,14 @@ cupsdFindBest(const char *path, /* I - Resource path */ best = NULL; bestlen = 0; - for (i = NumLocations, loc = Locations; i > 0; i --, loc ++) + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri=\"%s\", limit=%x...", uri, limit); + + + for (loc = (cupsd_location_t *)cupsArrayFirst(Locations); + loc; + loc = (cupsd_location_t *)cupsArrayNext(Locations)) { - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s Limit %x", - loc->location, loc->limit); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s(%d) Limit %x", loc->location ? loc->location : "(null)", (int)loc->length, loc->limit); if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9)) { @@ -1379,8 +1427,8 @@ cupsdFindBest(const char *path, /* I - Resource path */ * Use case-insensitive comparison for queue names... */ - if (loc->length > bestlen && - strncasecmp(uri, loc->location, loc->length) == 0 && + if (loc->length > bestlen && loc->location && + !_cups_strncasecmp(uri, loc->location, loc->length) && loc->location[0] == '/' && (limit & loc->limit) != 0) { @@ -1394,7 +1442,7 @@ cupsdFindBest(const char *path, /* I - Resource path */ * Use case-sensitive comparison for other URIs... */ - if (loc->length > bestlen && + if (loc->length > bestlen && loc->location && !strncmp(uri, loc->location, loc->length) && loc->location[0] == '/' && (limit & loc->limit) != 0) @@ -1409,8 +1457,7 @@ cupsdFindBest(const char *path, /* I - Resource path */ * Return the match, if any... */ - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best = %s", - best ? best->location : "NONE"); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best=%s", best ? best->location : "NONE"); return (best); } @@ -1423,80 +1470,28 @@ cupsdFindBest(const char *path, /* I - Resource path */ cupsd_location_t * /* O - Location that matches */ cupsdFindLocation(const char *location) /* I - Connection */ { - int i; /* Looping var */ - + cupsd_location_t key; /* Search key */ - /* - * Loop through the list of locations to find a match... - */ - for (i = 0; i < NumLocations; i ++) - if (!strcasecmp(Locations[i].location, location)) - return (Locations + i); + key.location = (char *)location; - return (NULL); + return ((cupsd_location_t *)cupsArrayFind(Locations, &key)); } /* - * 'cupsdGetMD5Passwd()' - Get an MD5 password. + * 'cupsdFreeLocation()' - Free all memory used by a location. */ -char * /* O - MD5 password string */ -cupsdGetMD5Passwd(const char *username, /* I - Username */ - const char *group, /* I - Group */ - char passwd[33])/* O - MD5 password string */ +void +cupsdFreeLocation(cupsd_location_t *loc)/* I - Location to free */ { - cups_file_t *fp; /* passwd.md5 file */ - char filename[1024], /* passwd.md5 filename */ - line[256], /* Line from file */ - tempuser[33], /* User from file */ - tempgroup[33]; /* Group from file */ - - - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdGetMD5Passwd(username=\"%s\", group=\"%s\", passwd=%p)", - username, group ? group : "(null)", passwd); - - snprintf(filename, sizeof(filename), "%s/passwd.md5", ServerRoot); - if ((fp = cupsFileOpen(filename, "r")) == NULL) - { - if (errno != ENOENT) - cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to open %s - %s", filename, - strerror(errno)); - - return (NULL); - } - - while (cupsFileGets(fp, line, sizeof(line)) != NULL) - { - if (sscanf(line, "%32[^:]:%32[^:]:%32s", tempuser, tempgroup, passwd) != 3) - { - cupsdLogMessage(CUPSD_LOG_ERROR, "Bad MD5 password line: %s", line); - continue; - } - - if (strcmp(username, tempuser) == 0 && - (group == NULL || strcmp(group, tempgroup) == 0)) - { - /* - * Found the password entry! - */ - - cupsdLogMessage(CUPSD_LOG_DEBUG2, "Found MD5 user %s, group %s...", - username, tempgroup); - - cupsFileClose(fp); - return (passwd); - } - } - - /* - * Didn't find a password entry - return NULL! - */ + cupsArrayDelete(loc->names); + cupsArrayDelete(loc->allow); + cupsArrayDelete(loc->deny); - cupsFileClose(fp); - return (NULL); + _cupsStrFree(loc->location); + free(loc); } @@ -1508,11 +1503,20 @@ http_status_t /* O - HTTP_OK if authorized or error code */ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ const char *owner)/* I - Owner of object */ { - int i, j, /* Looping vars */ - auth; /* Authorization status */ + int i, /* Looping vars */ + auth, /* Authorization status */ + type; /* Type of authentication */ + http_addr_t *hostaddr = httpGetAddress(con->http); + /* Client address */ + const char *hostname = httpGetHostname(con->http, NULL, 0); + /* Client hostname */ unsigned address[4]; /* Authorization address */ cupsd_location_t *best; /* Best match for location so far */ - int hostlen; /* Length of hostname */ + size_t hostlen; /* Length of hostname */ + char *name, /* Current username */ + username[256], /* Username to authorize */ + ownername[256], /* Owner name to authorize */ + *ptr; /* Pointer into username */ struct passwd *pw; /* User password data */ static const char * const levels[] = /* Auth levels */ { @@ -1522,16 +1526,15 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ }; static const char * const types[] = /* Auth types */ { - "NONE", - "BASIC", - "DIGEST", - "BASICDIGEST" + "None", + "Basic", + "Negotiate" }; - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)", - con->uri, con->best, con->best ? con->best->location : ""); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location ? con->best->location : "(null)" : ""); + if (owner) + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: owner=\"%s\"", owner); /* * If there is no "best" authentication rule for this request, then @@ -1541,8 +1544,9 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ if (!con->best) { - if (!strcmp(con->http.hostname, "localhost") || - !strcmp(con->http.hostname, ServerName)) + if (httpAddrLocalhost(httpGetAddress(con->http)) || + !strcmp(hostname, ServerName) || + cupsArrayFind(ServerAlias, (void *)hostname)) return (HTTP_OK); else return (HTTP_FORBIDDEN); @@ -1550,34 +1554,33 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ best = con->best; - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: level=AUTH_%s, type=AUTH_%s, satisfy=AUTH_SATISFY_%s, num_names=%d", - levels[best->level], types[best->type], - best->satisfy ? "ANY" : "ALL", best->num_names); + if ((type = best->type) == CUPSD_AUTH_DEFAULT) + type = cupsdDefaultAuthType(); - if (best->limit == AUTH_LIMIT_IPP) - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)", - best->op, ippOpString(best->op)); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d", levels[best->level], types[type], best->satisfy ? "ANY" : "ALL", cupsArrayCount(best->names)); + + if (best->limit == CUPSD_AUTH_LIMIT_IPP) + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)", best->op, ippOpString(best->op)); /* * Check host/ip-based accesses... */ #ifdef AF_INET6 - if (con->http.hostaddr->addr.sa_family == AF_INET6) + if (httpAddrFamily(hostaddr) == AF_INET6) { /* * Copy IPv6 address... */ - address[0] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[0]); - address[1] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[1]); - address[2] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[2]); - address[3] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[3]); + address[0] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[0]); + address[1] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[1]); + address[2] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[2]); + address[3] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[3]); } else #endif /* AF_INET6 */ - if (con->http.hostaddr->addr.sa_family == AF_INET) + if (con->http->hostaddr->addr.sa_family == AF_INET) { /* * Copy IPv4 address... @@ -1586,63 +1589,19 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ address[0] = 0; address[1] = 0; address[2] = 0; - address[3] = ntohl(con->http.hostaddr->ipv4.sin_addr.s_addr); + address[3] = ntohl(hostaddr->ipv4.sin_addr.s_addr); } else memset(address, 0, sizeof(address)); - hostlen = strlen(con->http.hostname); - - if (!strcasecmp(con->http.hostname, "localhost")) - { - /* - * Access from localhost (127.0.0.1 or :::1) is always allowed... - */ - - auth = AUTH_ALLOW; - } - else - { - /* - * Do authorization checks on the domain/address... - */ - - switch (best->order_type) - { - default : - auth = AUTH_DENY; /* anti-compiler-warning-code */ - break; - - case AUTH_ALLOW : /* Order Deny,Allow */ - auth = AUTH_ALLOW; - - if (cupsdCheckAuth(address, con->http.hostname, hostlen, - best->num_deny, best->deny)) - auth = AUTH_DENY; - - if (cupsdCheckAuth(address, con->http.hostname, hostlen, - best->num_allow, best->allow)) - auth = AUTH_ALLOW; - break; - - case AUTH_DENY : /* Order Allow,Deny */ - auth = AUTH_DENY; - - if (cupsdCheckAuth(address, con->http.hostname, hostlen, - best->num_allow, best->allow)) - auth = AUTH_ALLOW; + hostlen = strlen(hostname); - if (cupsdCheckAuth(address, con->http.hostname, hostlen, - best->num_deny, best->deny)) - auth = AUTH_DENY; - break; - } - } + auth = cupsdCheckAccess(address, hostname, hostlen, best) + ? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY; - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=AUTH_%s...", - auth ? "DENY" : "ALLOW"); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...", auth ? "DENY" : "ALLOW"); - if (auth == AUTH_DENY && best->satisfy == AUTH_SATISFY_ALL) + if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL) return (HTTP_FORBIDDEN); #ifdef HAVE_SSL @@ -1650,9 +1609,15 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ * See if encryption is required... */ - if (best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls) + if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http->tls && + _cups_strcasecmp(hostname, "localhost") && + !httpAddrLocalhost(hostaddr) && + best->satisfy == CUPSD_AUTH_SATISFY_ALL) && + !(type == CUPSD_AUTH_NEGOTIATE || + (type == CUPSD_AUTH_NONE && + cupsdDefaultAuthType() == CUPSD_AUTH_NEGOTIATE))) { - cupsdLogMessage(CUPSD_LOG_DEBUG2, + cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: Need upgrade to TLS..."); return (HTTP_UPGRADE_REQUIRED); } @@ -1662,11 +1627,12 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ * Now see what access level is required... */ - if (best->level == AUTH_ANON || /* Anonymous access - allow it */ - (best->type == AUTH_NONE && best->num_names == 0)) + if (best->level == CUPSD_AUTH_ANON || /* Anonymous access - allow it */ + (type == CUPSD_AUTH_NONE && cupsArrayCount(best->names) == 0)) return (HTTP_OK); - if (best->type == AUTH_NONE && best->limit == AUTH_LIMIT_IPP) + if (!con->username[0] && type == CUPSD_AUTH_NONE && + best->limit == CUPSD_AUTH_LIMIT_IPP) { /* * Check for unauthenticated username... @@ -1678,47 +1644,94 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME); if (attr) { - cupsdLogMessage(CUPSD_LOG_DEBUG2, + cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: requesting-user-name=\"%s\"", attr->values[0].string.text); - return (HTTP_OK); + strlcpy(username, attr->values[0].string.text, sizeof(username)); } - } - - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: username=\"%s\"", - con->username); - - if (!con->username[0]) - { - if (best->satisfy == AUTH_SATISFY_ALL || auth == AUTH_DENY) + else if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY) return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */ else return (HTTP_OK); /* unless overridden with Satisfy */ } + else + { + cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: username=\"%s\"", + con->username); + +#ifdef HAVE_AUTHORIZATION_H + if (!con->username[0] && !con->authref) +#else + if (!con->username[0]) +#endif /* HAVE_AUTHORIZATION_H */ + { + if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY) + return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */ + else + return (HTTP_OK); /* unless overridden with Satisfy */ + } + + + if (con->type != type && type != CUPSD_AUTH_NONE && +#ifdef HAVE_GSSAPI + (type != CUPSD_AUTH_NEGOTIATE || con->gss_uid <= 0) && +#endif /* HAVE_GSSAPI */ + con->type != CUPSD_AUTH_BASIC) + { + cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s.", + types[con->type], types[type]); + + return (HTTP_UNAUTHORIZED); + } + + strlcpy(username, con->username, sizeof(username)); + } /* - * OK, the password is good. See if we need normal user access, or group + * OK, got a username. See if we need normal user access, or group * access... (root always matches) */ - if (!strcmp(con->username, "root")) + if (!strcmp(username, "root")) return (HTTP_OK); + /* + * Strip any @domain or @KDC from the username and owner... + */ + + if ((ptr = strchr(username, '@')) != NULL) + *ptr = '\0'; + + if (owner) + { + strlcpy(ownername, owner, sizeof(ownername)); + + if ((ptr = strchr(ownername, '@')) != NULL) + *ptr = '\0'; + } + else + ownername[0] = '\0'; + /* * Get the user info... */ - pw = getpwnam(con->username); - endpwent(); + if (username[0]) + { + pw = getpwnam(username); + endpwent(); + } + else + pw = NULL; - if (best->level == AUTH_USER) + if (best->level == CUPSD_AUTH_USER) { /* * If there are no names associated with this location, then * any valid user is OK... */ - if (best->num_names == 0) + if (cupsArrayCount(best->names) == 0) return (HTTP_OK); /* @@ -1726,56 +1739,78 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ * allowed... */ - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: Checking user membership..."); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking user membership..."); + +#ifdef HAVE_AUTHORIZATION_H + /* + * If an authorization reference was supplied it must match a right name... + */ + + if (con->authref) + { + for (name = (char *)cupsArrayFirst(best->names); + name; + name = (char *)cupsArrayNext(best->names)) + { + if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) && check_authref(con, name + 9)) + return (HTTP_OK); + else if (!_cups_strcasecmp(name, "@SYSTEM") && SystemGroupAuthKey && + check_authref(con, SystemGroupAuthKey)) + return (HTTP_OK); + } + + return (HTTP_FORBIDDEN); + } +#endif /* HAVE_AUTHORIZATION_H */ - for (i = 0; i < best->num_names; i ++) + for (name = (char *)cupsArrayFirst(best->names); + name; + name = (char *)cupsArrayNext(best->names)) { - if (!strcasecmp(best->names[i], "@OWNER") && owner && - !strcasecmp(con->username, owner)) + if (!_cups_strcasecmp(name, "@OWNER") && owner && + !_cups_strcasecmp(username, ownername)) return (HTTP_OK); - else if (!strcasecmp(best->names[i], "@SYSTEM")) + else if (!_cups_strcasecmp(name, "@SYSTEM")) { - for (j = 0; j < NumSystemGroups; j ++) - if (cupsdCheckGroup(con->username, pw, SystemGroups[j])) + for (i = 0; i < NumSystemGroups; i ++) + if (cupsdCheckGroup(username, pw, SystemGroups[i])) return (HTTP_OK); } - else if (best->names[i][0] == '@') + else if (name[0] == '@') { - if (cupsdCheckGroup(con->username, pw, best->names[i] + 1)) + if (cupsdCheckGroup(username, pw, name + 1)) return (HTTP_OK); } - else if (!strcasecmp(con->username, best->names[i])) + else if (!_cups_strcasecmp(username, name)) return (HTTP_OK); } - return (HTTP_UNAUTHORIZED); + return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED); } /* * Check to see if this user is in any of the named groups... */ - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: Checking group membership..."); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group membership..."); /* * Check to see if this user is in any of the named groups... */ - for (i = 0; i < best->num_names; i ++) + for (name = (char *)cupsArrayFirst(best->names); + name; + name = (char *)cupsArrayNext(best->names)) { - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: Checking group \"%s\" membership...", - best->names[i]); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group \"%s\" membership...", name); - if (!strcasecmp(best->names[i], "@SYSTEM")) + if (!_cups_strcasecmp(name, "@SYSTEM")) { - for (j = 0; j < NumSystemGroups; j ++) - if (cupsdCheckGroup(con->username, pw, SystemGroups[j])) + for (i = 0; i < NumSystemGroups; i ++) + if (cupsdCheckGroup(username, pw, SystemGroups[i])) return (HTTP_OK); } - else if (cupsdCheckGroup(con->username, pw, best->names[i])) + else if (cupsdCheckGroup(username, pw, name)) return (HTTP_OK); } @@ -1783,93 +1818,150 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ * The user isn't part of the specified group, so deny access... */ - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: User not in group(s)!"); + cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: User not in group(s)."); - return (HTTP_UNAUTHORIZED); + return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED); } /* - * 'add_allow()' - Add an allow mask to the location. + * 'cupsdNewLocation()' - Create a new location for authorization. + * + * Note: Still need to call cupsdAddLocation() to add it to the list of global + * locations. */ -static cupsd_authmask_t * /* O - New mask record */ -add_allow(cupsd_location_t *loc) /* I - Location to add to */ +cupsd_location_t * /* O - Pointer to new location record */ +cupsdNewLocation(const char *location) /* I - Location path */ { - cupsd_authmask_t *temp; /* New mask record */ + cupsd_location_t *temp; /* New location */ /* - * Range-check... + * Try to allocate memory for the new location. */ - if (loc == NULL) + if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL) return (NULL); /* - * Try to allocate memory for the record... + * Initialize the record and copy the name over... */ - if (loc->num_allow == 0) - temp = malloc(sizeof(cupsd_authmask_t)); - else - temp = realloc(loc->allow, sizeof(cupsd_authmask_t) * (loc->num_allow + 1)); - - if (temp == NULL) + if ((temp->location = _cupsStrAlloc(location)) == NULL) + { + free(temp); return (NULL); + } - loc->allow = temp; - temp += loc->num_allow; - loc->num_allow ++; + temp->length = strlen(temp->location); /* - * Clear the mask record and return... + * Return the new record... */ - memset(temp, 0, sizeof(cupsd_authmask_t)); return (temp); } +#ifdef HAVE_AUTHORIZATION_H /* - * 'add_deny()' - Add a deny mask to the location. + * 'check_authref()' - Check if an authorization services reference has the + * supplied right. */ -static cupsd_authmask_t * /* O - New mask record */ -add_deny(cupsd_location_t *loc) /* I - Location to add to */ +static int /* O - 1 if right is valid, 0 otherwise */ +check_authref(cupsd_client_t *con, /* I - Connection */ + const char *right) /* I - Right name */ { - cupsd_authmask_t *temp; /* New mask record */ + OSStatus status; /* OS Status */ + AuthorizationItem authright; /* Authorization right */ + AuthorizationRights authrights; /* Authorization rights */ + AuthorizationFlags authflags; /* Authorization flags */ /* - * Range-check... + * Check to see if the user is allowed to perform the task... */ - if (loc == NULL) - return (NULL); + if (!con->authref) + return (0); - /* - * Try to allocate memory for the record... - */ + authright.name = right; + authright.valueLength = 0; + authright.value = NULL; + authright.flags = 0; - if (loc->num_deny == 0) - temp = malloc(sizeof(cupsd_authmask_t)); - else - temp = realloc(loc->deny, sizeof(cupsd_authmask_t) * (loc->num_deny + 1)); + authrights.count = 1; + authrights.items = &authright; - if (temp == NULL) - return (NULL); + authflags = kAuthorizationFlagDefaults | + kAuthorizationFlagExtendRights; + + if ((status = AuthorizationCopyRights(con->authref, &authrights, + kAuthorizationEmptyEnvironment, + authflags, NULL)) != 0) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + "AuthorizationCopyRights(\"%s\") returned %d (%s)", + authright.name, (int)status, cssmErrorString(status)); + return (0); + } - loc->deny = temp; - temp += loc->num_deny; - loc->num_deny ++; + cupsdLogMessage(CUPSD_LOG_DEBUG2, "AuthorizationCopyRights(\"%s\") succeeded.", authright.name); - /* - * Clear the mask record and return... - */ + return (1); +} +#endif /* HAVE_AUTHORIZATION_H */ + + +/* + * 'compare_locations()' - Compare two locations. + */ + +static int /* O - Result of comparison */ +compare_locations(cupsd_location_t *a, /* I - First location */ + cupsd_location_t *b) /* I - Second location */ +{ + return (strcmp(b->location, a->location)); +} + + +/* + * 'copy_authmask()' - Copy function for auth masks. + */ + +static cupsd_authmask_t * /* O - New auth mask */ +copy_authmask(cupsd_authmask_t *mask, /* I - Existing auth mask */ + void *data) /* I - User data (unused) */ +{ + cupsd_authmask_t *temp; /* New auth mask */ + + + (void)data; + + if ((temp = malloc(sizeof(cupsd_authmask_t))) != NULL) + { + memcpy(temp, mask, sizeof(cupsd_authmask_t)); + + if (temp->type == CUPSD_AUTH_NAME || temp->type == CUPSD_AUTH_INTERFACE) + { + /* + * Make a copy of the name... + */ + + if ((temp->mask.name.name = _cupsStrAlloc(temp->mask.name.name)) == NULL) + { + /* + * Failed to make copy... + */ + + free(temp); + temp = NULL; + } + } + } - memset(temp, 0, sizeof(cupsd_authmask_t)); return (temp); } @@ -1884,7 +1976,7 @@ static char * /* O - Encrypted password */ cups_crypt(const char *pw, /* I - Password string */ const char *salt) /* I - Salt (key) string */ { - if (strncmp(salt, "$1$", 3) == 0) + if (!strncmp(salt, "$1$", 3)) { /* * Use MD5 passwords without the benefit of PAM; this is for @@ -1918,68 +2010,68 @@ cups_crypt(const char *pw, /* I - Password string */ pwlen = strlen(pw); - _cups_md5_init(&state); - _cups_md5_append(&state, (unsigned char *)pw, pwlen); - _cups_md5_append(&state, (unsigned char *)salt, salt_end - salt); + _cupsMD5Init(&state); + _cupsMD5Append(&state, (unsigned char *)pw, pwlen); + _cupsMD5Append(&state, (unsigned char *)salt, salt_end - salt); - _cups_md5_init(&state2); - _cups_md5_append(&state2, (unsigned char *)pw, pwlen); - _cups_md5_append(&state2, (unsigned char *)salt + 3, salt_end - salt - 3); - _cups_md5_append(&state2, (unsigned char *)pw, pwlen); - _cups_md5_finish(&state2, digest); + _cupsMD5Init(&state2); + _cupsMD5Append(&state2, (unsigned char *)pw, pwlen); + _cupsMD5Append(&state2, (unsigned char *)salt + 3, salt_end - salt - 3); + _cupsMD5Append(&state2, (unsigned char *)pw, pwlen); + _cupsMD5Finish(&state2, digest); for (i = pwlen; i > 0; i -= 16) - _cups_md5_append(&state, digest, i > 16 ? 16 : i); + _cupsMD5Append(&state, digest, i > 16 ? 16 : i); for (i = pwlen; i > 0; i >>= 1) - _cups_md5_append(&state, (unsigned char *)((i & 1) ? "" : pw), 1); + _cupsMD5Append(&state, (unsigned char *)((i & 1) ? "" : pw), 1); - _cups_md5_finish(&state, digest); + _cupsMD5Finish(&state, digest); for (i = 0; i < 1000; i ++) { - _cups_md5_init(&state); + _cupsMD5Init(&state); if (i & 1) - _cups_md5_append(&state, (unsigned char *)pw, pwlen); + _cupsMD5Append(&state, (unsigned char *)pw, pwlen); else - _cups_md5_append(&state, digest, 16); + _cupsMD5Append(&state, digest, 16); if (i % 3) - _cups_md5_append(&state, (unsigned char *)salt + 3, salt_end - salt - 3); + _cupsMD5Append(&state, (unsigned char *)salt + 3, salt_end - salt - 3); if (i % 7) - _cups_md5_append(&state, (unsigned char *)pw, pwlen); + _cupsMD5Append(&state, (unsigned char *)pw, pwlen); if (i & 1) - _cups_md5_append(&state, digest, 16); + _cupsMD5Append(&state, digest, 16); else - _cups_md5_append(&state, (unsigned char *)pw, pwlen); + _cupsMD5Append(&state, (unsigned char *)pw, pwlen); - _cups_md5_finish(&state, digest); + _cupsMD5Finish(&state, digest); } /* * Copy the final sum to the result string and return... */ - memcpy(result, salt, salt_end - salt); + memcpy(result, salt, (size_t)(salt_end - salt)); ptr = result + (salt_end - salt); *ptr++ = '$'; for (i = 0; i < 5; i ++, ptr += 4) { - n = (((digest[i] << 8) | digest[i + 6]) << 8); + n = ((((unsigned)digest[i] << 8) | (unsigned)digest[i + 6]) << 8); if (i < 4) - n |= digest[i + 12]; + n |= (unsigned)digest[i + 12]; else - n |= digest[5]; + n |= (unsigned)digest[5]; to64(ptr, n, 4); } - to64(ptr, digest[11], 2); + to64(ptr, (unsigned)digest[11], 2); ptr += 2; *ptr = '\0'; @@ -1997,6 +2089,23 @@ cups_crypt(const char *pw, /* I - Password string */ #endif /* !HAVE_LIBPAM */ +/* + * 'free_authmask()' - Free function for auth masks. + */ + +static void +free_authmask(cupsd_authmask_t *mask, /* I - Auth mask to free */ + void *data) /* I - User data (unused) */ +{ + (void)data; + + if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE) + _cupsStrFree(mask->mask.name.name); + + free(mask); +} + + #if HAVE_LIBPAM /* * 'pam_func()' - PAM conversation function. @@ -2019,7 +2128,7 @@ pam_func( * Allocate memory for the responses... */ - if ((replies = malloc(sizeof(struct pam_response) * num_msg)) == NULL) + if ((replies = malloc(sizeof(struct pam_response) * (size_t)num_msg)) == NULL) return (PAM_CONV_ERR); /* @@ -2028,17 +2137,7 @@ pam_func( DEBUG_printf(("pam_func: appdata_ptr = %p\n", appdata_ptr)); -#ifdef __hpux - /* - * Apparently some versions of HP-UX 11 have a broken pam_unix security - * module. This is a workaround... - */ - - data = auth_data; - (void)appdata_ptr; -#else data = (cupsd_authdata_t *)appdata_ptr; -#endif /* __hpux */ for (i = 0; i < num_msg; i ++) { @@ -2112,5 +2211,5 @@ to64(char *s, /* O - Output string */ /* - * End of "$Id: auth.c 4906 2006-01-10 20:53:28Z mike $". + * End of "$Id$". */