X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=scheduler%2Fauth.c;h=171dccb052290c757dc4b159be69b3f197865280;hb=4a78452e736a2fc3b0dcf7f5c45232b2db203167;hp=ce62b7154fe9d03f475c49297c2dd43faab964e2;hpb=ac884b6a1c1c3dfe73ef7e770d91ea225002a2c3;p=thirdparty%2Fcups.git diff --git a/scheduler/auth.c b/scheduler/auth.c index ce62b7154..171dccb05 100644 --- a/scheduler/auth.c +++ b/scheduler/auth.c @@ -1,56 +1,19 @@ /* - * "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $" + * "$Id$" * - * Authorization routines for the Common UNIX Printing System (CUPS). + * Authorization routines for the CUPS scheduler. * - * Copyright 2007-2008 by Apple Inc. - * Copyright 1997-2007 by Easy Software Products, all rights reserved. + * Copyright 2007-2015 by Apple Inc. + * Copyright 1997-2007 by Easy Software Products, all rights reserved. * - * This file contains Kerberos support code, copyright 2006 by - * Jelmer Vernooij. + * This file contains Kerberos support code, copyright 2006 by + * Jelmer Vernooij. * - * These coded instructions, statements, and computer programs are the - * property of Apple Inc. and are protected by Federal copyright - * law. Distribution and use rights are outlined in the file "LICENSE.txt" - * which should have been included with this file. If this file is - * file is missing or damaged, see the license at "http://www.cups.org/". - * - * Contents: - * - * cupsdAddLocation() - Add a location for authorization. - * cupsdAddName() - Add a name to a location... - * cupsdAllowHost() - Add a host name that is allowed to access the - * location. - * cupsdAllowIP() - Add an IP address or network that is allowed to - * access the location. - * cupsdAuthorize() - Validate any authorization credentials. - * cupsdCheckAccess() - Check whether the given address is allowed to - * access a location. - * cupsdCheckAuth() - Check authorization masks. - * cupsdCheckGroup() - Check for a user's group membership. - * cupsdCopyLocation() - Make a copy of a location... - * cupsdDeleteAllLocations() - Free all memory used for location - * authorization. - * cupsdDeleteLocation() - Free all memory used by a location. - * cupsdDenyHost() - Add a host name that is not allowed to access - * the location. - * cupsdDenyIP() - Add an IP address or network that is not - * allowed to access the location. - * cupsdFindBest() - Find the location entry that best matches the - * resource. - * cupsdFindLocation() - Find the named location. - * cupsdIsAuthorized() - Check to see if the user is authorized... - * add_allow() - Add an allow mask to the location. - * add_deny() - Add a deny mask to the location. - * check_authref() - Check if an authorization services reference - * has the supplied right. - * compare_locations() - Compare two locations. - * cups_crypt() - Encrypt the password using the DES or MD5 - * algorithms, as needed. - * get_gss_creds() - Obtain GSS credentials. - * get_md5_password() - Get an MD5 password. - * pam_func() - PAM conversation function. - * to64() - Base64-encode an integer value... + * These coded instructions, statements, and computer programs are the + * property of Apple Inc. and are protected by Federal copyright + * law. Distribution and use rights are outlined in the file "LICENSE.txt" + * which should have been included with this file. If this file is + * file is missing or damaged, see the license at "http://www.cups.org/". */ /* @@ -72,9 +35,6 @@ # include # endif /* HAVE_PAM_PAM_APPL_H */ #endif /* HAVE_LIBPAM */ -#ifdef HAVE_USERSEC_H -# include -#endif /* HAVE_USERSEC_H */ #ifdef HAVE_MEMBERSHIP_H # include #endif /* HAVE_MEMBERSHIP_H */ @@ -94,7 +54,11 @@ extern const char *cssmErrorString(int error); typedef struct xucred cupsd_ucred_t; # define CUPSD_UCRED_UID(c) (c).cr_uid #else +# ifndef __OpenBSD__ typedef struct ucred cupsd_ucred_t; +# else +typedef struct sockpeercred cupsd_ucred_t; +# endif # define CUPSD_UCRED_UID(c) (c).uid #endif /* HAVE_SYS_UCRED_H */ @@ -103,25 +67,20 @@ typedef struct ucred cupsd_ucred_t; * Local functions... */ -static cupsd_authmask_t *add_allow(cupsd_location_t *loc); -static cupsd_authmask_t *add_deny(cupsd_location_t *loc); #ifdef HAVE_AUTHORIZATION_H static int check_authref(cupsd_client_t *con, const char *right); #endif /* HAVE_AUTHORIZATION_H */ static int compare_locations(cupsd_location_t *a, cupsd_location_t *b); -#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H) +static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data); +#if !HAVE_LIBPAM static char *cups_crypt(const char *pw, const char *salt); -#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */ -#ifdef HAVE_GSSAPI -static gss_cred_id_t get_gss_creds(const char *service_name); -#endif /* HAVE_GSSAPI */ -static char *get_md5_password(const char *username, - const char *group, char passwd[33]); +#endif /* !HAVE_LIBPAM */ +static void free_authmask(cupsd_authmask_t *am, void *data); #if HAVE_LIBPAM static int pam_func(int, const struct pam_message **, struct pam_response **, void *); -#elif !defined(HAVE_USERSEC_H) +#else static void to64(char *s, unsigned long v, int n); #endif /* HAVE_LIBPAM */ @@ -133,70 +92,67 @@ static void to64(char *s, unsigned long v, int n); #if HAVE_LIBPAM typedef struct cupsd_authdata_s /**** Authentication data ****/ { - char username[33], /* Username string */ - password[33]; /* Password string */ + char username[HTTP_MAX_VALUE], /* Username string */ + password[HTTP_MAX_VALUE]; /* Password string */ } cupsd_authdata_t; #endif /* HAVE_LIBPAM */ /* - * Local globals... + * 'cupsdAddIPMask()' - Add an IP address authorization mask. */ -#if defined(__hpux) && HAVE_LIBPAM -static cupsd_authdata_t *auth_data; /* Current client being authenticated */ -#endif /* __hpux && HAVE_LIBPAM */ - +int /* O - 1 on success, 0 on failure */ +cupsdAddIPMask( + cups_array_t **masks, /* IO - Masks array (created as needed) */ + const unsigned address[4], /* I - IP address */ + const unsigned netmask[4]) /* I - IP netmask */ +{ + cupsd_authmask_t temp; /* New host/domain mask */ -/* - * 'cupsdAddLocation()' - Add a location for authorization. - */ -cupsd_location_t * /* O - Pointer to new location record */ -cupsdAddLocation(const char *location) /* I - Location path */ -{ - cupsd_location_t *temp; /* New location */ + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddIPMask(masks=%p(%p), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)", masks, *masks, address[0], address[1], address[2], address[3], netmask[0], netmask[1], netmask[2], netmask[3]); + temp.type = CUPSD_AUTH_IP; + memcpy(temp.mask.ip.address, address, sizeof(temp.mask.ip.address)); + memcpy(temp.mask.ip.netmask, netmask, sizeof(temp.mask.ip.netmask)); /* - * Make sure the locations array is created... + * Create the masks array as needed and add... */ - if (!Locations) - Locations = cupsArrayNew((cups_array_func_t)compare_locations, NULL); + if (!*masks) + *masks = cupsArrayNew3(NULL, NULL, NULL, 0, + (cups_acopy_func_t)copy_authmask, + (cups_afree_func_t)free_authmask); - if (!Locations) - return (NULL); + return (cupsArrayAdd(*masks, &temp)); +} - /* - * Try to allocate memory for the new location. - */ - if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL) - return (NULL); +/* + * 'cupsdAddLocation()' - Add a location for authorization. + */ +void +cupsdAddLocation(cupsd_location_t *loc) /* I - Location to add */ +{ /* - * Initialize the record and copy the name over... + * Make sure the locations array is created... */ - if ((temp->location = strdup(location)) == NULL) - { - free(temp); - return (NULL); - } - - temp->length = strlen(temp->location); - - cupsArrayAdd(Locations, temp); - - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: added location \'%s\'", - location); + if (!Locations) + Locations = cupsArrayNew3((cups_array_func_t)compare_locations, NULL, + (cups_ahash_func_t)NULL, 0, + (cups_acopy_func_t)NULL, + (cups_afree_func_t)cupsdFreeLocation); - /* - * Return the new record... - */ + if (Locations) + { + cupsArrayAdd(Locations, loc); - return (temp); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: Added location \"%s\"", loc->location ? loc->location : "(null)"); + } } @@ -208,126 +164,95 @@ void cupsdAddName(cupsd_location_t *loc, /* I - Location to add to */ char *name) /* I - Name to add */ { - char **temp; /* Pointer to names array */ - + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")", loc, name); - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")", - loc, name); + if (!loc->names) + loc->names = cupsArrayNew3(NULL, NULL, NULL, 0, + (cups_acopy_func_t)_cupsStrAlloc, + (cups_afree_func_t)_cupsStrFree); - if (loc->num_names == 0) - temp = malloc(sizeof(char *)); - else - temp = realloc(loc->names, (loc->num_names + 1) * sizeof(char *)); - - if (temp == NULL) - { - cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to add name to location %s: %s", - loc->location ? loc->location : "nil", strerror(errno)); - return; - } - - loc->names = temp; - - if ((temp[loc->num_names] = strdup(name)) == NULL) + if (!cupsArrayAdd(loc->names, name)) { cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to duplicate name for location %s: %s", loc->location ? loc->location : "nil", strerror(errno)); return; } - - loc->num_names ++; } /* - * 'cupsdAllowHost()' - Add a host name that is allowed to access the location. + * 'cupsdAddNameMask()' - Add a host or interface name authorization mask. */ -void -cupsdAllowHost(cupsd_location_t *loc, /* I - Location to add to */ - char *name) /* I - Name of host or domain to add */ +int /* O - 1 on success, 0 on failure */ +cupsdAddNameMask(cups_array_t **masks, /* IO - Masks array (created as needed) */ + char *name) /* I - Host or interface name */ { - cupsd_authmask_t *temp; /* New host/domain mask */ + cupsd_authmask_t temp; /* New host/domain mask */ char ifname[32], /* Interface name */ *ifptr; /* Pointer to end of name */ - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAllowHost(loc=%p(%s), name=\"%s\")", - loc, loc->location ? loc->location : "nil", name); - - if ((temp = add_allow(loc)) == NULL) - return; + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddNameMask(masks=%p(%p), name=\"%s\")", masks, *masks, name); - if (!strcasecmp(name, "@LOCAL")) + if (!_cups_strcasecmp(name, "@LOCAL")) { /* - * Allow *interface*... + * Deny *interface*... */ - temp->type = CUPSD_AUTH_INTERFACE; - temp->mask.name.name = strdup("*"); - temp->mask.name.length = 1; + temp.type = CUPSD_AUTH_INTERFACE; + temp.mask.name.name = (char *)"*"; } - else if (!strncasecmp(name, "@IF(", 4)) + else if (!_cups_strncasecmp(name, "@IF(", 4)) { /* - * Allow *interface*... + * Deny *interface*... */ strlcpy(ifname, name + 4, sizeof(ifname)); - ifptr = ifname + strlen(ifname); + ifptr = ifname + strlen(ifname) - 1; - if (ifptr[-1] == ')') + if (ifptr >= ifname && *ifptr == ')') { ifptr --; *ifptr = '\0'; } - temp->type = CUPSD_AUTH_INTERFACE; - temp->mask.name.name = strdup(ifname); - temp->mask.name.length = ifptr - ifname; + temp.type = CUPSD_AUTH_INTERFACE; + temp.mask.name.name = ifname; } else { /* - * Allow name... + * Deny name... */ - temp->type = CUPSD_AUTH_NAME; - temp->mask.name.name = strdup(name); - temp->mask.name.length = strlen(name); - } -} - + if (*name == '*') + name ++; -/* - * 'cupsdAllowIP()' - Add an IP address or network that is allowed to access - * the location. - */ + temp.type = CUPSD_AUTH_NAME; + temp.mask.name.name = (char *)name; + } -void -cupsdAllowIP( - cupsd_location_t *loc, /* I - Location to add to */ - const unsigned address[4], /* I - IP address to add */ - const unsigned netmask[4]) /* I - Netmask of address */ -{ - cupsd_authmask_t *temp; /* New host/domain mask */ + /* + * Set the name length... + */ + temp.mask.name.length = strlen(temp.mask.name.name); - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdAllowIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)", - loc, loc->location ? loc->location : "nil", - address[0], address[1], address[2], address[3], - netmask[0], netmask[1], netmask[2], netmask[3]); + /* + * Create the masks array as needed and add... + */ - if ((temp = add_allow(loc)) == NULL) - return; + if (!*masks) + *masks = cupsArrayNew3(NULL, NULL, NULL, 0, + (cups_acopy_func_t)copy_authmask, + (cups_afree_func_t)free_authmask); - temp->type = CUPSD_AUTH_IP; - memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address)); - memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask)); + return (cupsArrayAdd(*masks, &temp)); } @@ -341,29 +266,11 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ int type; /* Authentication type */ const char *authorization; /* Pointer into Authorization string */ char *ptr, /* Pointer into string */ - username[256], /* Username string */ - password[33]; /* Password string */ - const char *localuser; /* Certificate username */ - char nonce[HTTP_MAX_VALUE], /* Nonce value from client */ - md5[33], /* MD5 password */ - basicmd5[33]; /* MD5 of Basic password */ - static const char * const states[] = /* HTTP client states... */ - { - "WAITING", - "OPTIONS", - "GET", - "GET", - "HEAD", - "POST", - "POST", - "POST", - "PUT", - "PUT", - "DELETE", - "TRACE", - "CLOSE", - "STATUS" - }; + username[HTTP_MAX_VALUE], + /* Username string */ + password[HTTP_MAX_VALUE]; + /* Password string */ + cupsd_cert_t *localuser; /* Certificate username */ /* @@ -371,35 +278,34 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * authentication to expect... */ - con->best = cupsdFindBest(con->uri, con->http.state); + con->best = cupsdFindBest(con->uri, httpGetState(con->http)); con->type = CUPSD_AUTH_NONE; - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdAuthorize: con->uri=\"%s\", con->best=%p(%s)", - con->uri, con->best, con->best ? con->best->location : ""); + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location : ""); if (con->best && con->best->type != CUPSD_AUTH_NONE) { if (con->best->type == CUPSD_AUTH_DEFAULT) - type = DefaultAuthType; + type = cupsdDefaultAuthType(); else type = con->best->type; } else - type = DefaultAuthType; + type = cupsdDefaultAuthType(); /* * Decode the Authorization string... */ - authorization = httpGetField(&con->http, HTTP_FIELD_AUTHORIZATION); - - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAuthorize: Authorization=\"%s\"", - authorization); + authorization = httpGetField(con->http, HTTP_FIELD_AUTHORIZATION); username[0] = '\0'; password[0] = '\0'; +#ifdef HAVE_GSSAPI + con->gss_uid = 0; +#endif /* HAVE_GSSAPI */ + #ifdef HAVE_AUTHORIZATION_H if (con->authref) { @@ -414,15 +320,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * No authorization data provided, return early... */ - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: No authentication data provided."); + cupsdLogClient(con, CUPSD_LOG_DEBUG, "No authentication data provided."); return; } #ifdef HAVE_AUTHORIZATION_H - else if (!strncmp(authorization, "AuthRef", 6) && - !strcasecmp(con->http.hostname, "localhost")) + else if (!strncmp(authorization, "AuthRef ", 8) && + httpAddrLocalhost(httpGetAddress(con->http))) { OSStatus status; /* Status */ + char authdata[HTTP_MAX_VALUE]; + /* Nonce value from client */ int authlen; /* Auth string length */ AuthorizationItemSet *authinfo; /* Authorization item set */ @@ -430,54 +337,76 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * Get the Authorization Services data... */ - authorization += 7; + authorization += 8; while (isspace(*authorization & 255)) authorization ++; - authlen = sizeof(nonce); - httpDecode64_2(nonce, &authlen, authorization); + authlen = sizeof(authdata); + httpDecode64_2(authdata, &authlen, authorization); if (authlen != kAuthorizationExternalFormLength) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "External Authorization reference size is incorrect!"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "External Authorization reference size is incorrect."); return; } - if ((status = AuthorizationCreateFromExternalForm( - (AuthorizationExternalForm *)nonce, &con->authref)) != 0) + if ((status = AuthorizationCreateFromExternalForm((AuthorizationExternalForm *)authdata, &con->authref)) != 0) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "AuthorizationCreateFromExternalForm returned %d (%s)", - (int)status, cssmErrorString(status)); + cupsdLogClient(con, CUPSD_LOG_ERROR, "AuthorizationCreateFromExternalForm returned %d (%s)", (int)status, cssmErrorString(status)); return; } - if ((status = AuthorizationCopyInfo(con->authref, - kAuthorizationEnvironmentUsername, - &authinfo)) != 0) + username[0] = '\0'; + + if (!AuthorizationCopyInfo(con->authref, kAuthorizationEnvironmentUsername, + &authinfo)) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "AuthorizationCopyInfo returned %d (%s)", - (int)status, cssmErrorString(status)); - return; + if (authinfo->count == 1 && authinfo->items[0].value && + authinfo->items[0].valueLength >= 2) + { + strlcpy(username, authinfo->items[0].value, sizeof(username)); + + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef.", username); + } + + AuthorizationFreeItemSet(authinfo); } - - if (authinfo->count == 1) - strlcpy(username, authinfo->items[0].value, sizeof(username)); - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: Authorized as %s using AuthRef", - username); + if (!username[0]) + { + /* + * No username in AuthRef, grab username using peer credentials... + */ + + struct passwd *pwd; /* Password entry for this user */ + cupsd_ucred_t peercred; /* Peer credentials */ + socklen_t peersize; /* Size of peer credentials */ + + peersize = sizeof(peercred); - AuthorizationFreeItemSet(authinfo); + if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize)) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno)); + return; + } + + if ((pwd = getpwuid(CUPSD_UCRED_UID(peercred))) == NULL) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to find UID %d for peer credentials.", (int)CUPSD_UCRED_UID(peercred)); + return; + } + + strlcpy(username, pwd->pw_name, sizeof(username)); + + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef + PeerCred.", username); + } con->type = CUPSD_AUTH_BASIC; } #endif /* HAVE_AUTHORIZATION_H */ #if defined(SO_PEERCRED) && defined(AF_LOCAL) else if (!strncmp(authorization, "PeerCred ", 9) && - con->http.hostaddr->addr.sa_family == AF_LOCAL) + con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best) { /* * Use peer credentials from domain socket connection... @@ -486,54 +415,82 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ struct passwd *pwd; /* Password entry for this user */ cupsd_ucred_t peercred; /* Peer credentials */ socklen_t peersize; /* Size of peer credentials */ +#ifdef HAVE_AUTHORIZATION_H + const char *name; /* Authorizing name */ + int no_peer = 0; /* Don't allow peer credentials? */ + /* + * See if we should allow peer credentials... + */ + + for (name = (char *)cupsArrayFirst(con->best->names); + name; + name = (char *)cupsArrayNext(con->best->names)) + { + if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) || + !_cups_strcasecmp(name, "@SYSTEM")) + { + /* Normally don't want peer credentials if we need an auth key... */ + no_peer = 1; + } + else if (!_cups_strcasecmp(name, "@OWNER")) + { + /* but if @OWNER is present then we allow it... */ + no_peer = 0; + break; + } + } + + if (no_peer) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "PeerCred authentication not allowed for resource per AUTHKEY policy."); + return; + } +#endif /* HAVE_AUTHORIZATION_H */ if ((pwd = getpwnam(authorization + 9)) == NULL) { - cupsdLogMessage(CUPSD_LOG_ERROR, "User \"%s\" does not exist!", - authorization + 9); + cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9); return; } peersize = sizeof(peercred); - if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize)) +# ifdef __APPLE__ + if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize)) +# else + if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred, &peersize)) +# endif /* __APPLE__ */ { - cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", - strerror(errno)); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno)); return; } if (pwd->pw_uid != CUPSD_UCRED_UID(peercred)) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "Invalid peer credentials for \"%s\" - got %d, " - "expected %d!", authorization + 9, - CUPSD_UCRED_UID(peercred), pwd->pw_uid); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Invalid peer credentials for \"%s\" - got %d, expected %d.", authorization + 9, CUPSD_UCRED_UID(peercred), pwd->pw_uid); # ifdef HAVE_SYS_UCRED_H - cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_version=%d", - peercred.cr_version); - cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_uid=%d", - peercred.cr_uid); - cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_ngroups=%d", - peercred.cr_ngroups); - cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_groups[0]=%d", - peercred.cr_groups[0]); + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_version=%d", peercred.cr_version); + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_uid=%d", peercred.cr_uid); + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_ngroups=%d", peercred.cr_ngroups); + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_groups[0]=%d", peercred.cr_groups[0]); # endif /* HAVE_SYS_UCRED_H */ return; } strlcpy(username, authorization + 9, sizeof(username)); - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: Authorized as %s using PeerCred", - username); +# ifdef HAVE_GSSAPI + con->gss_uid = CUPSD_UCRED_UID(peercred); +# endif /* HAVE_GSSAPI */ + + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using PeerCred.", username); con->type = CUPSD_AUTH_BASIC; } #endif /* SO_PEERCRED && AF_LOCAL */ else if (!strncmp(authorization, "Local", 5) && - !strcasecmp(con->http.hostname, "localhost")) + httpAddrLocalhost(httpGetAddress(con->http))) { /* * Get Local certificate authentication data... @@ -543,23 +500,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ while (isspace(*authorization & 255)) authorization ++; - if ((localuser = cupsdFindCert(authorization)) != NULL) + if ((localuser = cupsdFindCert(authorization)) == NULL) { - strlcpy(username, localuser, sizeof(username)); - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: Authorized as %s using Local", - username); - } - else - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Local authentication certificate not " - "found!"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Local authentication certificate not found."); return; } - con->type = CUPSD_AUTH_BASIC; + strlcpy(username, localuser->username, sizeof(username)); + con->type = localuser->type; + + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using Local.", username); } else if (!strncmp(authorization, "Basic", 5)) { @@ -583,8 +533,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ if ((ptr = strchr(username, ':')) == NULL) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Missing Basic password!"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing Basic password."); return; } @@ -596,8 +545,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * Username must not be empty... */ - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Empty Basic username!"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic username."); return; } @@ -607,8 +555,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * Password must not be empty... */ - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Empty Basic password!"); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic password."); return; } @@ -638,89 +585,60 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ strlcpy(data.username, username, sizeof(data.username)); strlcpy(data.password, password, sizeof(data.password)); -# if defined(__sun) || defined(__hpux) +# ifdef __sun pamdata.conv = (int (*)(int, struct pam_message **, struct pam_response **, void *))pam_func; # else pamdata.conv = pam_func; -# endif /* __sun || __hpux */ +# endif /* __sun */ pamdata.appdata_ptr = &data; -# ifdef __hpux - /* - * Workaround for HP-UX bug in pam_unix; see pam_func() below for - * more info... - */ - - auth_data = &data; -# endif /* __hpux */ - pamerr = pam_start("cups", username, &pamdata, &pamh); if (pamerr != PAM_SUCCESS) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: pam_start() returned %d (%s)!\n", - pamerr, pam_strerror(pamh, pamerr)); - pam_end(pamh, 0); + cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_start() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); return; } -# if defined(HAVE_PAM_SET_ITEM) && defined(PAM_RHOST) - pamerr = pam_set_item(pamh, PAM_RHOST, con->http.hostname); +# ifdef HAVE_PAM_SET_ITEM +# ifdef PAM_RHOST + pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname); if (pamerr != PAM_SUCCESS) - cupsdLogMessage(CUPSD_LOG_WARN, - "cupsdAuthorize: pam_set_item() returned %d " - "(%s)!\n", pamerr, pam_strerror(pamh, pamerr)); -# endif /* HAVE_PAM_SET_ITEM && PAM_RHOST */ + cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_RHOST) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); +# endif /* PAM_RHOST */ + +# ifdef PAM_TTY + pamerr = pam_set_item(pamh, PAM_TTY, "cups"); + if (pamerr != PAM_SUCCESS) + cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_TTY) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); +# endif /* PAM_TTY */ +# endif /* HAVE_PAM_SET_ITEM */ pamerr = pam_authenticate(pamh, PAM_SILENT); if (pamerr != PAM_SUCCESS) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: pam_authenticate() returned %d " - "(%s)!\n", - pamerr, pam_strerror(pamh, pamerr)); + cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_authenticate() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); pam_end(pamh, 0); return; } +# ifdef HAVE_PAM_SETCRED + pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT); + if (pamerr != PAM_SUCCESS) + cupsdLogClient(con, CUPSD_LOG_WARN, "pam_setcred() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); +# endif /* HAVE_PAM_SETCRED */ + pamerr = pam_acct_mgmt(pamh, PAM_SILENT); if (pamerr != PAM_SUCCESS) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: pam_acct_mgmt() returned %d " - "(%s)!\n", - pamerr, pam_strerror(pamh, pamerr)); + cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_acct_mgmt() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr)); pam_end(pamh, 0); return; } pam_end(pamh, PAM_SUCCESS); -#elif defined(HAVE_USERSEC_H) - /* - * Use AIX authentication interface... - */ - - char *authmsg; /* Authentication message */ - int reenter; /* ??? */ - - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: AIX authenticate of username \"%s\"", - username); - - reenter = 1; - if (authenticate(username, password, &reenter, &authmsg) != 0) - { - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: Unable to authenticate username " - "\"%s\": %s", - username, strerror(errno)); - return; - } - #else /* * Use normal UNIX password file-based authentication... @@ -742,9 +660,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * No such user... */ - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Unknown username \"%s\"!", - username); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Unknown username \"%s\".", username); return; } @@ -758,9 +674,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * Don't allow blank passwords! */ - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Username \"%s\" has no shadow " - "password!", username); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no shadow password.", username); return; } @@ -773,9 +687,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * Don't allow blank passwords! */ - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Username \"%s\" has no password!", - username); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no password.", username); return; } @@ -786,10 +698,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ pass = cups_crypt(password, pw->pw_passwd); - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdAuthorize: pw_passwd=\"%s\", crypt=\"%s\"", - pw->pw_passwd, pass); - if (!pass || strcmp(pw->pw_passwd, pass)) { # ifdef HAVE_SHADOW_H @@ -797,148 +705,32 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ { pass = cups_crypt(password, spw->sp_pwdp); - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdAuthorize: sp_pwdp=\"%s\", crypt=\"%s\"", - spw->sp_pwdp, pass); - if (pass == NULL || strcmp(spw->sp_pwdp, pass)) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Authentication failed for " - "user \"%s\"!", - username); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username); return; } } else # endif /* HAVE_SHADOW_H */ { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Authentication failed for " - "user \"%s\"!", - username); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username); return; } } #endif /* HAVE_LIBPAM */ } - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: Authorized as %s using Basic", - username); + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username); break; - - case CUPSD_AUTH_BASICDIGEST : - /* - * Do Basic authentication with the Digest password file... - */ - - if (!get_md5_password(username, NULL, md5)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Unknown MD5 username \"%s\"!", - username); - return; - } - - httpMD5(username, "CUPS", password, basicmd5); - - if (strcmp(md5, basicmd5)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Authentication failed for \"%s\"!", - username); - return; - } - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: Authorized as %s using BasicDigest", - username); - break; } con->type = type; } - else if (!strncmp(authorization, "Digest", 6)) - { - /* - * Get the username, password, and nonce from the Digest attributes... - */ - - if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "username", - username, sizeof(username)) || !username[0]) - { - /* - * Username must not be empty... - */ - - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Empty or missing Digest username!"); - return; - } - - if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "response", - password, sizeof(password)) || !password[0]) - { - /* - * Password must not be empty... - */ - - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Empty or missing Digest password!"); - return; - } - - if (!httpGetSubField(&(con->http), HTTP_FIELD_AUTHORIZATION, "nonce", - nonce)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: No nonce value for Digest " - "authentication!"); - return; - } - - if (strcmp(con->http.hostname, nonce)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Bad nonce value, expected \"%s\", " - "got \"%s\"!", con->http.hostname, nonce); - return; - } - - /* - * Validate the username and password... - */ - - if (!get_md5_password(username, NULL, md5)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Unknown MD5 username \"%s\"!", - username); - return; - } - - httpMD5Final(nonce, states[con->http.state], con->uri, md5); - - if (strcmp(md5, password)) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdAuthorize: Authentication failed for \"%s\"!", - username); - return; - } - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: Authorized as %s using Digest", - username); - - con->type = CUPSD_AUTH_DIGEST; - } #ifdef HAVE_GSSAPI - else if (!strncmp(authorization, "Negotiate", 9)) + else if (!strncmp(authorization, "Negotiate", 9)) { int len; /* Length of authorization string */ - gss_cred_id_t server_creds; /* Server credentials */ gss_ctx_id_t context; /* Authorization context */ OM_uint32 major_status, /* Major status code */ minor_status; /* Minor status code */ @@ -947,7 +739,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ output_token = GSS_C_EMPTY_BUFFER; /* Output token for username */ gss_name_t client_name; /* Client name */ - unsigned int ret_flags; /* Credential flags */ # ifdef __APPLE__ @@ -956,17 +747,13 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * to use it... */ - if (gss_init_sec_context == NULL) + if (&gss_init_sec_context == NULL) { - cupsdLogMessage(CUPSD_LOG_WARN, - "GSSAPI/Kerberos authentication failed because the " - "Kerberos framework is not present."); + cupsdLogClient(con, CUPSD_LOG_WARN, "GSSAPI/Kerberos authentication failed because the Kerberos framework is not present."); return; } # endif /* __APPLE__ */ - con->gss_output_token.length = 0; - /* * Find the start of the Kerberos input token... */ @@ -977,27 +764,19 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ if (!*authorization) { - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdAuthorize: No authentication data specified."); + cupsdLogClient(con, CUPSD_LOG_DEBUG2, "No authentication data specified."); return; } - /* - * Get the server credentials... - */ - - if ((server_creds = get_gss_creds(GSSServiceName)) == NULL) - return; - /* * Decode the authorization string to get the input token... */ - len = strlen(authorization); - input_token.value = malloc(len); + len = (int)strlen(authorization); + input_token.value = malloc((size_t)len); input_token.value = httpDecode64_2(input_token.value, &len, - authorization); - input_token.length = len; + authorization); + input_token.length = (size_t)len; /* * Accept the input token to get the authorization info... @@ -1007,76 +786,90 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ client_name = GSS_C_NO_NAME; major_status = gss_accept_sec_context(&minor_status, &context, - server_creds, + ServerCreds, &input_token, GSS_C_NO_CHANNEL_BINDINGS, &client_name, NULL, - &con->gss_output_token, - &ret_flags, + &output_token, NULL, - &con->gss_delegated_cred); + NULL, + NULL); + + if (output_token.length > 0) + gss_release_buffer(&minor_status, &output_token); if (GSS_ERROR(major_status)) { - cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, - "cupsdAuthorize: Error accepting GSSAPI security " - "context"); + cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error accepting GSSAPI security context.", con->number); if (context != GSS_C_NO_CONTEXT) gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER); - - gss_release_cred(&minor_status, &server_creds); return; } - /* - * Release our credentials... - */ - - gss_release_cred(&minor_status, &server_creds); + con->have_gss = 1; /* * Get the username associated with the client's credentials... */ - if (!con->gss_delegated_cred) - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: No delegated credentials!"); - if (major_status == GSS_S_CONTINUE_NEEDED) - cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, - "cupsdAuthorize: Credentials not complete"); + cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Credentials not complete.", con->number); else if (major_status == GSS_S_COMPLETE) { - major_status = gss_display_name(&minor_status, client_name, + major_status = gss_display_name(&minor_status, client_name, &output_token, NULL); if (GSS_ERROR(major_status)) { - cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, - "cupsdAuthorize: Error getting username"); + cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error getting username.", con->number); gss_release_name(&minor_status, &client_name); gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER); return; } - gss_release_name(&minor_status, &client_name); strlcpy(username, output_token.value, sizeof(username)); - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdAuthorize: Authorized as %s using Negotiate", - username); + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Negotiate.", username); + gss_release_name(&minor_status, &client_name); gss_release_buffer(&minor_status, &output_token); - gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER); - - con->gss_have_creds = 1; con->type = CUPSD_AUTH_NEGOTIATE; } - else - gss_release_name(&minor_status, &client_name); + + gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER); + +# if defined(SO_PEERCRED) && defined(AF_LOCAL) + /* + * Get the client's UID if we are printing locally - that allows a backend + * to run as the correct user to get Kerberos credentials of its own. + */ + + if (httpAddrFamily(con->http->hostaddr) == AF_LOCAL) + { + cupsd_ucred_t peercred; /* Peer credentials */ + socklen_t peersize; /* Size of peer credentials */ + + peersize = sizeof(peercred); + +# ifdef __APPLE__ + if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize)) +# else + if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred, + &peersize)) +# endif /* __APPLE__ */ + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno)); + } + else + { + cupsdLogClient(con, CUPSD_LOG_DEBUG, "Using credentials for UID %d.", CUPSD_UCRED_UID(peercred)); + con->gss_uid = CUPSD_UCRED_UID(peercred); + } + } +# endif /* SO_PEERCRED && AF_LOCAL */ } #endif /* HAVE_GSSAPI */ else @@ -1085,10 +878,9 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ if (sscanf(authorization, "%255s", scheme) != 1) - strcpy(scheme, "UNKNOWN"); + strlcpy(scheme, "UNKNOWN", sizeof(scheme)); - cupsdLogMessage(CUPSD_LOG_ERROR, "Bad authentication data \"%s ...\"", - scheme); + cupsdLogClient(con, CUPSD_LOG_ERROR, "Bad authentication data \"%s ...\".", scheme); return; } @@ -1111,14 +903,14 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ int /* O - 1 if allowed, 0 otherwise */ cupsdCheckAccess( unsigned ip[4], /* I - Client address */ - char *name, /* I - Client hostname */ - int namelen, /* I - Length of hostname */ + const char *name, /* I - Client hostname */ + size_t namelen, /* I - Length of hostname */ cupsd_location_t *loc) /* I - Location to check */ { int allow; /* 1 if allowed, 0 otherwise */ - if (!strcasecmp(name, "localhost")) + if (!_cups_strcasecmp(name, "localhost")) { /* * Access from localhost (127.0.0.1 or ::1) is always allowed... @@ -1141,20 +933,20 @@ cupsdCheckAccess( case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */ allow = 1; - if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny)) + if (cupsdCheckAuth(ip, name, namelen, loc->deny)) allow = 0; - if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow)) + if (cupsdCheckAuth(ip, name, namelen, loc->allow)) allow = 1; break; case CUPSD_AUTH_DENY : /* Order Allow,Deny */ allow = 0; - if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow)) + if (cupsdCheckAuth(ip, name, namelen, loc->allow)) allow = 1; - if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny)) + if (cupsdCheckAuth(ip, name, namelen, loc->deny)) allow = 0; break; } @@ -1169,23 +961,25 @@ cupsdCheckAccess( */ int /* O - 1 if mask matches, 0 otherwise */ -cupsdCheckAuth( - unsigned ip[4], /* I - Client address */ - char *name, /* I - Client hostname */ - int name_len, /* I - Length of hostname */ - int num_masks, /* I - Number of masks */ - cupsd_authmask_t *masks) /* I - Masks */ +cupsdCheckAuth(unsigned ip[4], /* I - Client address */ + const char *name, /* I - Client hostname */ + size_t name_len, /* I - Length of hostname */ + cups_array_t *masks) /* I - Masks */ { - int i; /* Looping var */ - cupsd_netif_t *iface; /* Network interface */ - unsigned netip4; /* IPv4 network address */ + int i; /* Looping var */ + cupsd_authmask_t *mask; /* Current mask */ + cupsd_netif_t *iface; /* Network interface */ + unsigned netip4; /* IPv4 network address */ #ifdef AF_INET6 - unsigned netip6[4]; /* IPv6 network address */ + unsigned netip6[4]; /* IPv6 network address */ #endif /* AF_INET6 */ - while (num_masks > 0) + + for (mask = (cupsd_authmask_t *)cupsArrayFirst(masks); + mask; + mask = (cupsd_authmask_t *)cupsArrayNext(masks)) { - switch (masks->type) + switch (mask->type) { case CUPSD_AUTH_INTERFACE : /* @@ -1201,14 +995,23 @@ cupsdCheckAuth( netip6[3] = htonl(ip[3]); #endif /* AF_INET6 */ - if (!strcmp(masks->mask.name.name, "*")) + cupsdNetIFUpdate(); + + if (!strcmp(mask->mask.name.name, "*")) { +#ifdef __APPLE__ + /* + * Allow Back-to-My-Mac addresses... + */ + + if ((ip[0] & 0xff000000) == 0xfd000000) + return (1); +#endif /* __APPLE__ */ + /* * Check against all local interfaces... */ - cupsdNetIFUpdate(); - for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList); iface; iface = (cupsd_netif_t *)cupsArrayNext(NetIFList)) @@ -1260,7 +1063,7 @@ cupsdCheckAuth( iface; iface = (cupsd_netif_t *)cupsArrayNext(NetIFList)) { - if (strcmp(masks->mask.name.name, iface->name)) + if (strcmp(mask->mask.name.name, iface->name)) continue; if (iface->address.addr.sa_family == AF_INET) @@ -1300,17 +1103,17 @@ cupsdCheckAuth( * Check for exact name match... */ - if (!strcasecmp(name, masks->mask.name.name)) + if (!_cups_strcasecmp(name, mask->mask.name.name)) return (1); /* * Check for domain match... */ - if (name_len >= masks->mask.name.length && - masks->mask.name.name[0] == '.' && - !strcasecmp(name + name_len - masks->mask.name.length, - masks->mask.name.name)) + if (name_len >= mask->mask.name.length && + mask->mask.name.name[0] == '.' && + !_cups_strcasecmp(name + name_len - mask->mask.name.length, + mask->mask.name.name)) return (1); break; @@ -1320,17 +1123,14 @@ cupsdCheckAuth( */ for (i = 0; i < 4; i ++) - if ((ip[i] & masks->mask.ip.netmask[i]) != - masks->mask.ip.address[i]) + if ((ip[i] & mask->mask.ip.netmask[i]) != + mask->mask.ip.address[i]) break; if (i == 4) return (1); break; } - - masks ++; - num_masks --; } return (0); @@ -1347,19 +1147,16 @@ cupsdCheckGroup( struct passwd *user, /* I - System user info */ const char *groupname) /* I - Group name */ { - int i; /* Looping var */ - struct group *group; /* System group info */ - char junk[33]; /* MD5 password (not used) */ + int i; /* Looping var */ + struct group *group; /* System group info */ #ifdef HAVE_MBR_UID_TO_UUID - uuid_t useruuid, /* UUID for username */ - groupuuid; /* UUID for groupname */ - int is_member; /* True if user is a member of group */ + uuid_t useruuid, /* UUID for username */ + groupuuid; /* UUID for groupname */ + int is_member; /* True if user is a member of group */ #endif /* HAVE_MBR_UID_TO_UUID */ - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")", - username, user, groupname); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")", username, user, groupname); /* * Validate input... @@ -1382,7 +1179,7 @@ cupsdCheckGroup( */ for (i = 0; group->gr_mem[i]; i ++) - if (!strcasecmp(username, group->gr_mem[i])) + if (!_cups_strcasecmp(username, group->gr_mem[i])) return (1); } @@ -1399,22 +1196,41 @@ cupsdCheckGroup( * Check group membership through MacOS X membership API... */ - if (user && group) - if (!mbr_uid_to_uuid(user->pw_uid, useruuid)) + if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid)) + { + if (group) + { + /* + * Map group name to UUID and check membership... + */ + if (!mbr_gid_to_uuid(group->gr_gid, groupuuid)) - if (!mbr_check_membership(useruuid, groupuuid, &is_member)) + if (!mbr_check_membership(useruuid, groupuuid, &is_member)) if (is_member) return (1); -#endif /* HAVE_MBR_UID_TO_UUID */ + } + else if (groupname[0] == '#') + { + /* + * Use UUID directly and check for equality (user UUID) and + * membership (group UUID)... + */ - /* - * Username not found, group not found, or user is not part of the - * system group... Check for a user and group in the MD5 password - * file... - */ + if (!uuid_parse((char *)groupname + 1, groupuuid)) + { + if (!uuid_compare(useruuid, groupuuid)) + return (1); + else if (!mbr_check_membership(useruuid, groupuuid, &is_member)) + if (is_member) + return (1); + } - if (get_md5_password(username, groupname, junk) != NULL) - return (1); + return (0); + } + } + else if (groupname[0] == '#') + return (0); +#endif /* HAVE_MBR_UID_TO_UUID */ /* * If we get this far, then the user isn't part of the named group... @@ -1430,137 +1246,79 @@ cupsdCheckGroup( cupsd_location_t * /* O - New location */ cupsdCopyLocation( - cupsd_location_t **loc) /* IO - Original location */ + cupsd_location_t *loc) /* I - Original location */ { - int i; /* Looping var */ cupsd_location_t *temp; /* New location */ - char location[HTTP_MAX_URI]; - /* Location of resource */ /* - * Use a local copy of location because cupsdAddLocation may cause - * this memory to be moved... + * Make a copy of the original location... */ - strlcpy(location, (*loc)->location, sizeof(location)); - - if ((temp = cupsdAddLocation(location)) == NULL) + if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL) return (NULL); /* * Copy the information from the original location to the new one. */ - temp->limit = (*loc)->limit; - temp->order_type = (*loc)->order_type; - temp->type = (*loc)->type; - temp->level = (*loc)->level; - temp->satisfy = (*loc)->satisfy; - temp->encryption = (*loc)->encryption; + if (!loc) + return (temp); - if ((temp->num_names = (*loc)->num_names) > 0) - { - /* - * Copy the names array... - */ + if (loc->location) + temp->location = _cupsStrAlloc(loc->location); + + temp->length = loc->length; + temp->limit = loc->limit; + temp->order_type = loc->order_type; + temp->type = loc->type; + temp->level = loc->level; + temp->satisfy = loc->satisfy; + temp->encryption = loc->encryption; - if ((temp->names = calloc(temp->num_names, sizeof(char *))) == NULL) + if (loc->names) + { + if ((temp->names = cupsArrayDup(loc->names)) == NULL) { cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to allocate memory for %d names: %s", - temp->num_names, strerror(errno)); + "Unable to allocate memory for %d names: %s", + cupsArrayCount(loc->names), strerror(errno)); - cupsdDeleteLocation(temp); + cupsdFreeLocation(temp); return (NULL); } - - for (i = 0; i < temp->num_names; i ++) - if ((temp->names[i] = strdup((*loc)->names[i])) == NULL) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to copy name \"%s\": %s", - (*loc)->names[i], strerror(errno)); - - cupsdDeleteLocation(temp); - return (NULL); - } } - if ((temp->num_allow = (*loc)->num_allow) > 0) + if (loc->allow) { /* * Copy allow rules... */ - if ((temp->allow = calloc(temp->num_allow, sizeof(cupsd_authmask_t))) == NULL) + if ((temp->allow = cupsArrayDup(loc->allow)) == NULL) { cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to allocate memory for %d allow rules: %s", - temp->num_allow, strerror(errno)); - cupsdDeleteLocation(temp); + "Unable to allocate memory for %d allow rules: %s", + cupsArrayCount(loc->allow), strerror(errno)); + cupsdFreeLocation(temp); return (NULL); } - - for (i = 0; i < temp->num_allow; i ++) - switch (temp->allow[i].type = (*loc)->allow[i].type) - { - case CUPSD_AUTH_NAME : - temp->allow[i].mask.name.length = (*loc)->allow[i].mask.name.length; - temp->allow[i].mask.name.name = strdup((*loc)->allow[i].mask.name.name); - - if (temp->allow[i].mask.name.name == NULL) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to copy allow name \"%s\": %s", - (*loc)->allow[i].mask.name.name, strerror(errno)); - cupsdDeleteLocation(temp); - return (NULL); - } - break; - case CUPSD_AUTH_IP : - memcpy(&(temp->allow[i].mask.ip), &((*loc)->allow[i].mask.ip), - sizeof(cupsd_ipmask_t)); - break; - } } - if ((temp->num_deny = (*loc)->num_deny) > 0) + if (loc->deny) { /* * Copy deny rules... */ - if ((temp->deny = calloc(temp->num_deny, sizeof(cupsd_authmask_t))) == NULL) + if ((temp->deny = cupsArrayDup(loc->deny)) == NULL) { cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to allocate memory for %d deny rules: %s", - temp->num_deny, strerror(errno)); - cupsdDeleteLocation(temp); + "Unable to allocate memory for %d deny rules: %s", + cupsArrayCount(loc->deny), strerror(errno)); + cupsdFreeLocation(temp); return (NULL); } - - for (i = 0; i < temp->num_deny; i ++) - switch (temp->deny[i].type = (*loc)->deny[i].type) - { - case CUPSD_AUTH_NAME : - temp->deny[i].mask.name.length = (*loc)->deny[i].mask.name.length; - temp->deny[i].mask.name.name = strdup((*loc)->deny[i].mask.name.name); - - if (temp->deny[i].mask.name.name == NULL) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "cupsdCopyLocation: Unable to copy deny name \"%s\": %s", - (*loc)->deny[i].mask.name.name, strerror(errno)); - cupsdDeleteLocation(temp); - return (NULL); - } - break; - case CUPSD_AUTH_IP : - memcpy(&(temp->deny[i].mask.ip), &((*loc)->deny[i].mask.ip), - sizeof(cupsd_ipmask_t)); - break; - } } return (temp); @@ -1574,20 +1332,8 @@ cupsdCopyLocation( void cupsdDeleteAllLocations(void) { - cupsd_location_t *loc; /* Current location */ - - - /* - * Free all of the allow/deny records first... - */ - - for (loc = (cupsd_location_t *)cupsArrayFirst(Locations); - loc; - loc = (cupsd_location_t *)cupsArrayNext(Locations)) - cupsdDeleteLocation(loc); - /* - * Then free the location array... + * Free the location array, which will free all of the locations... */ cupsArrayDelete(Locations); @@ -1595,136 +1341,6 @@ cupsdDeleteAllLocations(void) } -/* - * 'cupsdDeleteLocation()' - Free all memory used by a location. - */ - -void -cupsdDeleteLocation( - cupsd_location_t *loc) /* I - Location to delete */ -{ - int i; /* Looping var */ - cupsd_authmask_t *mask; /* Current mask */ - - - cupsArrayRemove(Locations, loc); - - for (i = loc->num_names - 1; i >= 0; i --) - free(loc->names[i]); - - if (loc->num_names > 0) - free(loc->names); - - for (i = loc->num_allow, mask = loc->allow; i > 0; i --, mask ++) - if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE) - free(mask->mask.name.name); - - if (loc->num_allow > 0) - free(loc->allow); - - for (i = loc->num_deny, mask = loc->deny; i > 0; i --, mask ++) - if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE) - free(mask->mask.name.name); - - if (loc->num_deny > 0) - free(loc->deny); - - free(loc->location); - free(loc); -} - - -/* - * 'cupsdDenyHost()' - Add a host name that is not allowed to access the - * location. - */ - -void -cupsdDenyHost(cupsd_location_t *loc, /* I - Location to add to */ - char *name) /* I - Name of host or domain to add */ -{ - cupsd_authmask_t *temp; /* New host/domain mask */ - char ifname[32], /* Interface name */ - *ifptr; /* Pointer to end of name */ - - - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDenyHost(loc=%p(%s), name=\"%s\")", - loc, loc->location ? loc->location : "nil", name); - - if ((temp = add_deny(loc)) == NULL) - return; - - if (!strcasecmp(name, "@LOCAL")) - { - /* - * Deny *interface*... - */ - - temp->type = CUPSD_AUTH_INTERFACE; - temp->mask.name.name = strdup("*"); - temp->mask.name.length = 1; - } - else if (!strncasecmp(name, "@IF(", 4)) - { - /* - * Deny *interface*... - */ - - strlcpy(ifname, name + 4, sizeof(ifname)); - - ifptr = ifname + strlen(ifname); - - if (ifptr[-1] == ')') - { - ifptr --; - *ifptr = '\0'; - } - - temp->type = CUPSD_AUTH_INTERFACE; - temp->mask.name.name = strdup(ifname); - temp->mask.name.length = ifptr - ifname; - } - else - { - /* - * Deny name... - */ - - temp->type = CUPSD_AUTH_NAME; - temp->mask.name.name = strdup(name); - temp->mask.name.length = strlen(name); - } -} - - -/* - * 'cupsdDenyIP()' - Add an IP address or network that is not allowed to - * access the location. - */ - -void -cupsdDenyIP(cupsd_location_t *loc, /* I - Location to add to */ - const unsigned address[4],/* I - IP address to add */ - const unsigned netmask[4])/* I - Netmask of address */ -{ - cupsd_authmask_t *temp; /* New host/domain mask */ - - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdDenyIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)", - loc, loc->location ? loc->location : "nil", - address[0], address[1], address[2], address[3], - netmask[0], netmask[1], netmask[2], netmask[3]); - - if ((temp = add_deny(loc)) == NULL) - return; - - temp->type = CUPSD_AUTH_IP; - memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address)); - memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask)); -} - - /* * 'cupsdFindBest()' - Find the location entry that best matches the resource. */ @@ -1738,7 +1354,7 @@ cupsdFindBest(const char *path, /* I - Resource path */ *uriptr; /* Pointer into URI */ cupsd_location_t *loc, /* Current location */ *best; /* Best match for location so far */ - int bestlen; /* Length of best match */ + size_t bestlen; /* Length of best match */ int limit; /* Limit field */ static const int limits[] = /* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */ { @@ -1755,6 +1371,8 @@ cupsdFindBest(const char *path, /* I - Resource path */ CUPSD_AUTH_LIMIT_DELETE, CUPSD_AUTH_LIMIT_TRACE, CUPSD_AUTH_LIMIT_ALL, + CUPSD_AUTH_LIMIT_ALL, + CUPSD_AUTH_LIMIT_ALL, CUPSD_AUTH_LIMIT_ALL }; @@ -1767,6 +1385,12 @@ cupsdFindBest(const char *path, /* I - Resource path */ strlcpy(uri, path, sizeof(uri)); + if ((uriptr = strchr(uri, '?')) != NULL) + *uriptr = '\0'; /* Drop trailing query string */ + + if ((uriptr = uri + strlen(uri) - 1) > uri && *uriptr == '/') + *uriptr = '\0'; /* Remove trailing '/' */ + if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9)) { @@ -1780,8 +1404,6 @@ cupsdFindBest(const char *path, /* I - Resource path */ *uriptr = '\0'; } - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri = \"%s\"...", uri); - /* * Loop through the list of locations to find a match... */ @@ -1790,12 +1412,14 @@ cupsdFindBest(const char *path, /* I - Resource path */ best = NULL; bestlen = 0; + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri=\"%s\", limit=%x...", uri, limit); + + for (loc = (cupsd_location_t *)cupsArrayFirst(Locations); loc; loc = (cupsd_location_t *)cupsArrayNext(Locations)) { - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s Limit %x", - loc->location ? loc->location : "nil", loc->limit); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s(%d) Limit %x", loc->location ? loc->location : "(null)", (int)loc->length, loc->limit); if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9)) { @@ -1804,7 +1428,7 @@ cupsdFindBest(const char *path, /* I - Resource path */ */ if (loc->length > bestlen && loc->location && - !strncasecmp(uri, loc->location, loc->length) && + !_cups_strncasecmp(uri, loc->location, loc->length) && loc->location[0] == '/' && (limit & loc->limit) != 0) { @@ -1833,8 +1457,7 @@ cupsdFindBest(const char *path, /* I - Resource path */ * Return the match, if any... */ - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best = %s", - best ? best->location : "NONE"); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best=%s", best ? best->location : "NONE"); return (best); } @@ -1856,6 +1479,22 @@ cupsdFindLocation(const char *location) /* I - Connection */ } +/* + * 'cupsdFreeLocation()' - Free all memory used by a location. + */ + +void +cupsdFreeLocation(cupsd_location_t *loc)/* I - Location to free */ +{ + cupsArrayDelete(loc->names); + cupsArrayDelete(loc->allow); + cupsArrayDelete(loc->deny); + + _cupsStrFree(loc->location); + free(loc); +} + + /* * 'cupsdIsAuthorized()' - Check to see if the user is authorized... */ @@ -1864,13 +1503,18 @@ http_status_t /* O - HTTP_OK if authorized or error code */ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ const char *owner)/* I - Owner of object */ { - int i, j, /* Looping vars */ + int i, /* Looping vars */ auth, /* Authorization status */ type; /* Type of authentication */ + http_addr_t *hostaddr = httpGetAddress(con->http); + /* Client address */ + const char *hostname = httpGetHostname(con->http, NULL, 0); + /* Client hostname */ unsigned address[4]; /* Authorization address */ cupsd_location_t *best; /* Best match for location so far */ - int hostlen; /* Length of hostname */ - char username[256], /* Username to authorize */ + size_t hostlen; /* Length of hostname */ + char *name, /* Current username */ + username[256], /* Username to authorize */ ownername[256], /* Owner name to authorize */ *ptr; /* Pointer into username */ struct passwd *pw; /* User password data */ @@ -1884,19 +1528,13 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ { "None", "Basic", - "Digest", - "BasicDigest", "Negotiate" }; - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)", - con->uri, con->best, con->best ? con->best->location ? - con->best->location : "(null)" : ""); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location ? con->best->location : "(null)" : ""); if (owner) - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: owner=\"%s\"", owner); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: owner=\"%s\"", owner); /* * If there is no "best" authentication rule for this request, then @@ -1906,8 +1544,9 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ if (!con->best) { - if (!strcmp(con->http.hostname, "localhost") || - !strcmp(con->http.hostname, ServerName)) + if (httpAddrLocalhost(httpGetAddress(con->http)) || + !strcmp(hostname, ServerName) || + cupsArrayFind(ServerAlias, (void *)hostname)) return (HTTP_OK); else return (HTTP_FORBIDDEN); @@ -1916,37 +1555,32 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ best = con->best; if ((type = best->type) == CUPSD_AUTH_DEFAULT) - type = DefaultAuthType; + type = cupsdDefaultAuthType(); - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, " - "satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d", - levels[best->level], types[type], - best->satisfy ? "ANY" : "ALL", best->num_names); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d", levels[best->level], types[type], best->satisfy ? "ANY" : "ALL", cupsArrayCount(best->names)); if (best->limit == CUPSD_AUTH_LIMIT_IPP) - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)", - best->op, ippOpString(best->op)); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)", best->op, ippOpString(best->op)); /* * Check host/ip-based accesses... */ #ifdef AF_INET6 - if (con->http.hostaddr->addr.sa_family == AF_INET6) + if (httpAddrFamily(hostaddr) == AF_INET6) { /* * Copy IPv6 address... */ - address[0] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[0]); - address[1] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[1]); - address[2] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[2]); - address[3] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[3]); + address[0] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[0]); + address[1] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[1]); + address[2] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[2]); + address[3] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[3]); } else #endif /* AF_INET6 */ - if (con->http.hostaddr->addr.sa_family == AF_INET) + if (con->http->hostaddr->addr.sa_family == AF_INET) { /* * Copy IPv4 address... @@ -1955,18 +1589,17 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ address[0] = 0; address[1] = 0; address[2] = 0; - address[3] = ntohl(con->http.hostaddr->ipv4.sin_addr.s_addr); + address[3] = ntohl(hostaddr->ipv4.sin_addr.s_addr); } else memset(address, 0, sizeof(address)); - hostlen = strlen(con->http.hostname); + hostlen = strlen(hostname); - auth = cupsdCheckAccess(address, con->http.hostname, hostlen, best) + auth = cupsdCheckAccess(address, hostname, hostlen, best) ? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY; - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...", - auth ? "DENY" : "ALLOW"); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...", auth ? "DENY" : "ALLOW"); if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL) return (HTTP_FORBIDDEN); @@ -1976,11 +1609,13 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ * See if encryption is required... */ - if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls && - strcasecmp(con->http.hostname, "localhost") && + if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http->tls && + _cups_strcasecmp(hostname, "localhost") && + !httpAddrLocalhost(hostaddr) && best->satisfy == CUPSD_AUTH_SATISFY_ALL) && - !(type == CUPSD_AUTH_NEGOTIATE || - (type == CUPSD_AUTH_NONE && DefaultAuthType == CUPSD_AUTH_NEGOTIATE))) + !(type == CUPSD_AUTH_NEGOTIATE || + (type == CUPSD_AUTH_NONE && + cupsdDefaultAuthType() == CUPSD_AUTH_NEGOTIATE))) { cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: Need upgrade to TLS..."); @@ -1993,7 +1628,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ */ if (best->level == CUPSD_AUTH_ANON || /* Anonymous access - allow it */ - (type == CUPSD_AUTH_NONE && best->num_names == 0)) + (type == CUPSD_AUTH_NONE && cupsArrayCount(best->names) == 0)) return (HTTP_OK); if (!con->username[0] && type == CUPSD_AUTH_NONE && @@ -2036,10 +1671,14 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ return (HTTP_OK); /* unless overridden with Satisfy */ } + if (con->type != type && type != CUPSD_AUTH_NONE && - (con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST)) +#ifdef HAVE_GSSAPI + (type != CUPSD_AUTH_NEGOTIATE || con->gss_uid <= 0) && +#endif /* HAVE_GSSAPI */ + con->type != CUPSD_AUTH_BASIC) { - cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s!", + cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s.", types[con->type], types[type]); return (HTTP_UNAUTHORIZED); @@ -2092,7 +1731,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ * any valid user is OK... */ - if (best->num_names == 0) + if (cupsArrayCount(best->names) == 0) return (HTTP_OK); /* @@ -2100,8 +1739,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ * allowed... */ - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: Checking user membership..."); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking user membership..."); #ifdef HAVE_AUTHORIZATION_H /* @@ -2110,68 +1748,69 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ if (con->authref) { - for (i = 0; i < best->num_names; i ++) + for (name = (char *)cupsArrayFirst(best->names); + name; + name = (char *)cupsArrayNext(best->names)) { - if (!strncasecmp(best->names[i], "@AUTHKEY(", 9) && - check_authref(con, best->names[i] + 9)) + if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) && check_authref(con, name + 9)) return (HTTP_OK); - else if (!strcasecmp(best->names[i], "@SYSTEM") && - SystemGroupAuthKey && + else if (!_cups_strcasecmp(name, "@SYSTEM") && SystemGroupAuthKey && check_authref(con, SystemGroupAuthKey)) return (HTTP_OK); } - return (HTTP_UNAUTHORIZED); + return (HTTP_FORBIDDEN); } #endif /* HAVE_AUTHORIZATION_H */ - for (i = 0; i < best->num_names; i ++) + for (name = (char *)cupsArrayFirst(best->names); + name; + name = (char *)cupsArrayNext(best->names)) { - if (!strcasecmp(best->names[i], "@OWNER") && owner && - !strcasecmp(username, ownername)) + if (!_cups_strcasecmp(name, "@OWNER") && owner && + !_cups_strcasecmp(username, ownername)) return (HTTP_OK); - else if (!strcasecmp(best->names[i], "@SYSTEM")) + else if (!_cups_strcasecmp(name, "@SYSTEM")) { - for (j = 0; j < NumSystemGroups; j ++) - if (cupsdCheckGroup(username, pw, SystemGroups[j])) + for (i = 0; i < NumSystemGroups; i ++) + if (cupsdCheckGroup(username, pw, SystemGroups[i])) return (HTTP_OK); } - else if (best->names[i][0] == '@') + else if (name[0] == '@') { - if (cupsdCheckGroup(username, pw, best->names[i] + 1)) + if (cupsdCheckGroup(username, pw, name + 1)) return (HTTP_OK); } - else if (!strcasecmp(username, best->names[i])) + else if (!_cups_strcasecmp(username, name)) return (HTTP_OK); } - return (HTTP_UNAUTHORIZED); + return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED); } /* * Check to see if this user is in any of the named groups... */ - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: Checking group membership..."); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group membership..."); /* * Check to see if this user is in any of the named groups... */ - for (i = 0; i < best->num_names; i ++) + for (name = (char *)cupsArrayFirst(best->names); + name; + name = (char *)cupsArrayNext(best->names)) { - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: Checking group \"%s\" membership...", - best->names[i]); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group \"%s\" membership...", name); - if (!strcasecmp(best->names[i], "@SYSTEM")) + if (!_cups_strcasecmp(name, "@SYSTEM")) { - for (j = 0; j < NumSystemGroups; j ++) - if (cupsdCheckGroup(username, pw, SystemGroups[j])) + for (i = 0; i < NumSystemGroups; i ++) + if (cupsdCheckGroup(username, pw, SystemGroups[i])) return (HTTP_OK); } - else if (cupsdCheckGroup(username, pw, best->names[i])) + else if (cupsdCheckGroup(username, pw, name)) return (HTTP_OK); } @@ -2179,93 +1818,48 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ * The user isn't part of the specified group, so deny access... */ - cupsdLogMessage(CUPSD_LOG_DEBUG, - "cupsdIsAuthorized: User not in group(s)!"); - - return (HTTP_UNAUTHORIZED); -} - - -/* - * 'add_allow()' - Add an allow mask to the location. - */ - -static cupsd_authmask_t * /* O - New mask record */ -add_allow(cupsd_location_t *loc) /* I - Location to add to */ -{ - cupsd_authmask_t *temp; /* New mask record */ - - - /* - * Range-check... - */ - - if (loc == NULL) - return (NULL); - - /* - * Try to allocate memory for the record... - */ - - if (loc->num_allow == 0) - temp = malloc(sizeof(cupsd_authmask_t)); - else - temp = realloc(loc->allow, sizeof(cupsd_authmask_t) * (loc->num_allow + 1)); - - if (temp == NULL) - return (NULL); - - loc->allow = temp; - temp += loc->num_allow; - loc->num_allow ++; - - /* - * Clear the mask record and return... - */ + cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: User not in group(s)."); - memset(temp, 0, sizeof(cupsd_authmask_t)); - return (temp); + return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED); } /* - * 'add_deny()' - Add a deny mask to the location. + * 'cupsdNewLocation()' - Create a new location for authorization. + * + * Note: Still need to call cupsdAddLocation() to add it to the list of global + * locations. */ -static cupsd_authmask_t * /* O - New mask record */ -add_deny(cupsd_location_t *loc) /* I - Location to add to */ +cupsd_location_t * /* O - Pointer to new location record */ +cupsdNewLocation(const char *location) /* I - Location path */ { - cupsd_authmask_t *temp; /* New mask record */ + cupsd_location_t *temp; /* New location */ /* - * Range-check... + * Try to allocate memory for the new location. */ - if (loc == NULL) + if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL) return (NULL); /* - * Try to allocate memory for the record... + * Initialize the record and copy the name over... */ - if (loc->num_deny == 0) - temp = malloc(sizeof(cupsd_authmask_t)); - else - temp = realloc(loc->deny, sizeof(cupsd_authmask_t) * (loc->num_deny + 1)); - - if (temp == NULL) + if ((temp->location = _cupsStrAlloc(location)) == NULL) + { + free(temp); return (NULL); + } - loc->deny = temp; - temp += loc->num_deny; - loc->num_deny ++; + temp->length = strlen(temp->location); /* - * Clear the mask record and return... + * Return the new record... */ - memset(temp, 0, sizeof(cupsd_authmask_t)); return (temp); } @@ -2301,11 +1895,11 @@ check_authref(cupsd_client_t *con, /* I - Connection */ authrights.count = 1; authrights.items = &authright; - authflags = kAuthorizationFlagDefaults | + authflags = kAuthorizationFlagDefaults | kAuthorizationFlagExtendRights; - if ((status = AuthorizationCopyRights(con->authref, &authrights, - kAuthorizationEmptyEnvironment, + if ((status = AuthorizationCopyRights(con->authref, &authrights, + kAuthorizationEmptyEnvironment, authflags, NULL)) != 0) { cupsdLogMessage(CUPSD_LOG_ERROR, @@ -2314,9 +1908,7 @@ check_authref(cupsd_client_t *con, /* I - Connection */ return (0); } - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "AuthorizationCopyRights(\"%s\") succeeded!", - authright.name); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "AuthorizationCopyRights(\"%s\") succeeded.", authright.name); return (1); } @@ -2335,7 +1927,46 @@ compare_locations(cupsd_location_t *a, /* I - First location */ } -#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H) +/* + * 'copy_authmask()' - Copy function for auth masks. + */ + +static cupsd_authmask_t * /* O - New auth mask */ +copy_authmask(cupsd_authmask_t *mask, /* I - Existing auth mask */ + void *data) /* I - User data (unused) */ +{ + cupsd_authmask_t *temp; /* New auth mask */ + + + (void)data; + + if ((temp = malloc(sizeof(cupsd_authmask_t))) != NULL) + { + memcpy(temp, mask, sizeof(cupsd_authmask_t)); + + if (temp->type == CUPSD_AUTH_NAME || temp->type == CUPSD_AUTH_INTERFACE) + { + /* + * Make a copy of the name... + */ + + if ((temp->mask.name.name = _cupsStrAlloc(temp->mask.name.name)) == NULL) + { + /* + * Failed to make copy... + */ + + free(temp); + temp = NULL; + } + } + } + + return (temp); +} + + +#if !HAVE_LIBPAM /* * 'cups_crypt()' - Encrypt the password using the DES or MD5 algorithms, * as needed. @@ -2424,23 +2055,23 @@ cups_crypt(const char *pw, /* I - Password string */ * Copy the final sum to the result string and return... */ - memcpy(result, salt, salt_end - salt); + memcpy(result, salt, (size_t)(salt_end - salt)); ptr = result + (salt_end - salt); *ptr++ = '$'; for (i = 0; i < 5; i ++, ptr += 4) { - n = (((digest[i] << 8) | digest[i + 6]) << 8); + n = ((((unsigned)digest[i] << 8) | (unsigned)digest[i + 6]) << 8); if (i < 4) - n |= digest[i + 12]; + n |= (unsigned)digest[i + 12]; else - n |= digest[5]; + n |= (unsigned)digest[5]; to64(ptr, n, 4); } - to64(ptr, digest[11], 2); + to64(ptr, (unsigned)digest[11], 2); ptr += 2; *ptr = '\0'; @@ -2455,143 +2086,23 @@ cups_crypt(const char *pw, /* I - Password string */ return (crypt(pw, salt)); } } -#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */ - - -#ifdef HAVE_GSSAPI -/* - * 'get_gss_creds()' - Obtain GSS credentials. - */ - -static gss_cred_id_t /* O - Server credentials */ -get_gss_creds(const char *service_name) /* I - Service name */ -{ - OM_uint32 major_status, /* Major status code */ - minor_status; /* Minor status code */ - gss_name_t server_name; /* Server name */ - gss_cred_id_t server_creds; /* Server credentials */ - gss_buffer_desc token = GSS_C_EMPTY_BUFFER; - /* Service name token */ - char buf[1024], /* Service name buffer */ - fqdn[HTTP_MAX_URI]; /* Hostname of server */ - - - snprintf(buf, sizeof(buf), "%s@%s", service_name, - httpGetHostname(NULL, fqdn, sizeof(fqdn))); - - token.value = buf; - token.length = strlen(buf); - server_name = GSS_C_NO_NAME; - major_status = gss_import_name(&minor_status, &token, - GSS_C_NT_HOSTBASED_SERVICE, - &server_name); - - memset(&token, 0, sizeof(token)); - - if (GSS_ERROR(major_status)) - { - cupsdLogGSSMessage(CUPSD_LOG_WARN, major_status, minor_status, - "gss_import_name() failed"); - return (NULL); - } - - major_status = gss_display_name(&minor_status, server_name, &token, NULL); - - if (GSS_ERROR(major_status)) - { - cupsdLogGSSMessage(CUPSD_LOG_WARN, major_status, minor_status, - "gss_display_name() failed"); - return (NULL); - } - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "get_gss_creds: Attempting to acquire credentials for %s...", - (char *)token.value); - - server_creds = GSS_C_NO_CREDENTIAL; - major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, GSS_C_ACCEPT, - &server_creds, NULL, NULL); - if (GSS_ERROR(major_status)) - { - cupsdLogGSSMessage(CUPSD_LOG_WARN, major_status, minor_status, - "gss_acquire_cred() failed"); - gss_release_name(&minor_status, &server_name); - gss_release_buffer(&minor_status, &token); - return (NULL); - } - - cupsdLogMessage(CUPSD_LOG_DEBUG, - "get_gss_creds: Credentials acquired successfully for %s.", - (char *)token.value); - - gss_release_name(&minor_status, &server_name); - gss_release_buffer(&minor_status, &token); - - return (server_creds); -} -#endif /* HAVE_GSSAPI */ +#endif /* !HAVE_LIBPAM */ /* - * 'get_md5_password()' - Get an MD5 password. + * 'free_authmask()' - Free function for auth masks. */ -static char * /* O - MD5 password string */ -get_md5_password(const char *username, /* I - Username */ - const char *group, /* I - Group */ - char passwd[33]) /* O - MD5 password string */ +static void +free_authmask(cupsd_authmask_t *mask, /* I - Auth mask to free */ + void *data) /* I - User data (unused) */ { - cups_file_t *fp; /* passwd.md5 file */ - char filename[1024], /* passwd.md5 filename */ - line[256], /* Line from file */ - tempuser[33], /* User from file */ - tempgroup[33]; /* Group from file */ - - - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "get_md5_password(username=\"%s\", group=\"%s\", passwd=%p)", - username, group ? group : "(null)", passwd); - - snprintf(filename, sizeof(filename), "%s/passwd.md5", ServerRoot); - if ((fp = cupsFileOpen(filename, "r")) == NULL) - { - if (errno != ENOENT) - cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to open %s - %s", filename, - strerror(errno)); - - return (NULL); - } - - while (cupsFileGets(fp, line, sizeof(line)) != NULL) - { - if (sscanf(line, "%32[^:]:%32[^:]:%32s", tempuser, tempgroup, passwd) != 3) - { - cupsdLogMessage(CUPSD_LOG_ERROR, "Bad MD5 password line: %s", line); - continue; - } - - if (!strcmp(username, tempuser) && - (group == NULL || !strcmp(group, tempgroup))) - { - /* - * Found the password entry! - */ - - cupsdLogMessage(CUPSD_LOG_DEBUG2, "Found MD5 user %s, group %s...", - username, tempgroup); - - cupsFileClose(fp); - return (passwd); - } - } + (void)data; - /* - * Didn't find a password entry - return NULL! - */ + if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE) + _cupsStrFree(mask->mask.name.name); - cupsFileClose(fp); - return (NULL); + free(mask); } @@ -2617,7 +2128,7 @@ pam_func( * Allocate memory for the responses... */ - if ((replies = malloc(sizeof(struct pam_response) * num_msg)) == NULL) + if ((replies = malloc(sizeof(struct pam_response) * (size_t)num_msg)) == NULL) return (PAM_CONV_ERR); /* @@ -2626,17 +2137,7 @@ pam_func( DEBUG_printf(("pam_func: appdata_ptr = %p\n", appdata_ptr)); -#ifdef __hpux - /* - * Apparently some versions of HP-UX 11 have a broken pam_unix security - * module. This is a workaround... - */ - - data = auth_data; - (void)appdata_ptr; -#else data = (cupsd_authdata_t *)appdata_ptr; -#endif /* __hpux */ for (i = 0; i < num_msg; i ++) { @@ -2686,7 +2187,7 @@ pam_func( return (PAM_SUCCESS); } -#elif !defined(HAVE_USERSEC_H) +#else /* @@ -2710,5 +2211,5 @@ to64(char *s, /* O - Output string */ /* - * End of "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $". + * End of "$Id$". */