]> git.ipfire.org Git - thirdparty/cups.git/blame - scheduler/auth.c
projects / thirdparty / cups.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge CUPS 1.4svn-r7319.
[thirdparty/cups.git] / scheduler / auth.c
CommitLineData
b423cd4c 1/*
2e4ff8af 2 * "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $"
ef416fc2 3 *
4 * Authorization routines for the Common UNIX Printing System (CUPS).
5 *
080811b1 6 * Copyright 2007-2008 by Apple Inc.
f7deaa1a 7 * Copyright 1997-2007 by Easy Software Products, all rights reserved.
8 *
9 * This file contains Kerberos support code, copyright 2006 by
10 * Jelmer Vernooij.
ef416fc2 11 *
12 * These coded instructions, statements, and computer programs are the
bc44d920 13 * property of Apple Inc. and are protected by Federal copyright
14 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
15 * which should have been included with this file. If this file is
16 * file is missing or damaged, see the license at "http://www.cups.org/".
ef416fc2 17 *
18 * Contents:
19 *
20 * cupsdAddLocation() - Add a location for authorization.
21 * cupsdAddName() - Add a name to a location...
22 * cupsdAllowHost() - Add a host name that is allowed to access the
23 * location.
080811b1
MS		 24 * cupsdAllowIP() - Add an IP address or network that is allowed to
25 * access the location.
89d46774 26 * cupsdAuthorize() - Validate any authorization credentials.
080811b1
MS		 27 * cupsdCheckAccess() - Check whether the given address is allowed to
28 * access a location.
ef416fc2 29 * cupsdCheckAuth() - Check authorization masks.
30 * cupsdCheckGroup() - Check for a user's group membership.
31 * cupsdCopyLocation() - Make a copy of a location...
89d46774 32 * cupsdDeleteAllLocations() - Free all memory used for location
33 * authorization.
ef416fc2 34 * cupsdDeleteLocation() - Free all memory used by a location.
89d46774 35 * cupsdDenyHost() - Add a host name that is not allowed to access
36 * the location.
37 * cupsdDenyIP() - Add an IP address or network that is not
38 * allowed to access the location.
ef416fc2 39 * cupsdFindBest() - Find the location entry that best matches the
40 * resource.
41 * cupsdFindLocation() - Find the named location.
ef416fc2 42 * cupsdIsAuthorized() - Check to see if the user is authorized...
43 * add_allow() - Add an allow mask to the location.
44 * add_deny() - Add a deny mask to the location.
080811b1
MS		 45 * check_authref() - Check if an authorization services reference
46 * has the supplied right.
bd7854cb 47 * compare_locations() - Compare two locations.
ef416fc2 48 * cups_crypt() - Encrypt the password using the DES or MD5
49 * algorithms, as needed.
f7deaa1a 50 * get_gss_creds() - Obtain GSS credentials.
e1d6a774 51 * get_md5_password() - Get an MD5 password.
ef416fc2 52 * pam_func() - PAM conversation function.
53 * to64() - Base64-encode an integer value...
54 */
55
56/*
57 * Include necessary headers...
58 */
59
60#include "cupsd.h"
61#include <grp.h>
62#ifdef HAVE_SHADOW_H
63# include <shadow.h>
64#endif /* HAVE_SHADOW_H */
65#ifdef HAVE_CRYPT_H
66# include <crypt.h>
67#endif /* HAVE_CRYPT_H */
68#if HAVE_LIBPAM
69# ifdef HAVE_PAM_PAM_APPL_H
70# include <pam/pam_appl.h>
71# else
72# include <security/pam_appl.h>
73# endif /* HAVE_PAM_PAM_APPL_H */
74#endif /* HAVE_LIBPAM */
75#ifdef HAVE_USERSEC_H
76# include <usersec.h>
77#endif /* HAVE_USERSEC_H */
bd7854cb 78#ifdef HAVE_MEMBERSHIP_H
79# include <membership.h>
80#endif /* HAVE_MEMBERSHIP_H */
f7deaa1a 81#ifdef HAVE_AUTHORIZATION_H
82# include <Security/AuthorizationTags.h>
83# ifdef HAVE_SECBASEPRIV_H
84# include <Security/SecBasePriv.h>
85# else
86extern const char *cssmErrorString(int error);
87# endif /* HAVE_SECBASEPRIV_H */
88#endif /* HAVE_AUTHORIZATION_H */
db1f069b
MS		 89#ifdef HAVE_SYS_PARAM_H
90# include <sys/param.h>
91#endif /* HAVE_SYS_PARAM_H */
bc44d920 92#ifdef HAVE_SYS_UCRED_H
93# include <sys/ucred.h>
94typedef struct xucred cupsd_ucred_t;
95# define CUPSD_UCRED_UID(c) (c).cr_uid
96#else
97typedef struct ucred cupsd_ucred_t;
98# define CUPSD_UCRED_UID(c) (c).uid
99#endif /* HAVE_SYS_UCRED_H */
ef416fc2 100
101
102/*
103 * Local functions...
104 */
105
106static cupsd_authmask_t *add_allow(cupsd_location_t *loc);
107static cupsd_authmask_t *add_deny(cupsd_location_t *loc);
f7deaa1a 108#ifdef HAVE_AUTHORIZATION_H
109static int check_authref(cupsd_client_t *con, const char *right);
110#endif /* HAVE_AUTHORIZATION_H */
bd7854cb 111static int compare_locations(cupsd_location_t *a,
112 cupsd_location_t *b);
d09495fa 113#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
ef416fc2 114static char *cups_crypt(const char *pw, const char *salt);
d09495fa 115#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
f7deaa1a 116#ifdef HAVE_GSSAPI
117static gss_cred_id_t get_gss_creds(const char *service_name);
118#endif /* HAVE_GSSAPI */
e1d6a774 119static char *get_md5_password(const char *username,
120 const char *group, char passwd[33]);
ef416fc2 121#if HAVE_LIBPAM
122static int pam_func(int, const struct pam_message **,
123 struct pam_response **, void *);
f7deaa1a 124#elif !defined(HAVE_USERSEC_H)
ef416fc2 125static void to64(char *s, unsigned long v, int n);
126#endif /* HAVE_LIBPAM */
127
128
129/*
130 * Local structures...
131 */
132
133#if HAVE_LIBPAM
134typedef struct cupsd_authdata_s /**** Authentication data ****/
135{
136 char username[33], /* Username string */
137 password[33]; /* Password string */
138} cupsd_authdata_t;
139#endif /* HAVE_LIBPAM */
140
141
142/*
143 * Local globals...
144 */
145
f301802f 146#if defined(__hpux) && HAVE_LIBPAM
b423cd4c 147static cupsd_authdata_t *auth_data; /* Current client being authenticated */
ef416fc2 148#endif /* __hpux && HAVE_LIBPAM */
149
150
151/*
152 * 'cupsdAddLocation()' - Add a location for authorization.
153 */
154
155cupsd_location_t * /* O - Pointer to new location record */
156cupsdAddLocation(const char *location) /* I - Location path */
157{
158 cupsd_location_t *temp; /* New location */
159
160
161 /*
bd7854cb 162 * Make sure the locations array is created...
ef416fc2 163 */
164
bd7854cb 165 if (!Locations)
166 Locations = cupsArrayNew((cups_array_func_t)compare_locations, NULL);
ef416fc2 167
bd7854cb 168 if (!Locations)
ef416fc2 169 return (NULL);
170
bd7854cb 171 /*
172 * Try to allocate memory for the new location.
173 */
174
175 if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
176 return (NULL);
ef416fc2 177
178 /*
179 * Initialize the record and copy the name over...
180 */
181
91c84a35
MS		 182 if ((temp->location = strdup(location)) == NULL)
183 {
184 free(temp);
185 return (NULL);
186 }
187
188 temp->length = strlen(temp->location);
ef416fc2 189
bd7854cb 190 cupsArrayAdd(Locations, temp);
191
192 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: added location \'%s\'",
ef416fc2 193 location);
194
195 /*
196 * Return the new record...
197 */
198
199 return (temp);
200}
201
202
203/*
204 * 'cupsdAddName()' - Add a name to a location...
205 */
206
207void
208cupsdAddName(cupsd_location_t *loc, /* I - Location to add to */
209 char *name) /* I - Name to add */
210{
211 char **temp; /* Pointer to names array */
212
213
214 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")",
215 loc, name);
216
217 if (loc->num_names == 0)
218 temp = malloc(sizeof(char *));
219 else
220 temp = realloc(loc->names, (loc->num_names + 1) * sizeof(char *));
221
222 if (temp == NULL)
223 {
224 cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to add name to location %s: %s",
e1d6a774 225 loc->location ? loc->location : "nil", strerror(errno));
ef416fc2 226 return;
227 }
228
229 loc->names = temp;
230
231 if ((temp[loc->num_names] = strdup(name)) == NULL)
232 {
233 cupsdLogMessage(CUPSD_LOG_ERROR,
234 "Unable to duplicate name for location %s: %s",
e1d6a774 235 loc->location ? loc->location : "nil", strerror(errno));
ef416fc2 236 return;
237 }
238
239 loc->num_names ++;
240}
241
242
243/*
244 * 'cupsdAllowHost()' - Add a host name that is allowed to access the location.
245 */
246
247void
248cupsdAllowHost(cupsd_location_t *loc, /* I - Location to add to */
249 char *name) /* I - Name of host or domain to add */
250{
251 cupsd_authmask_t *temp; /* New host/domain mask */
252 char ifname[32], /* Interface name */
253 *ifptr; /* Pointer to end of name */
254
255
256 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAllowHost(loc=%p(%s), name=\"%s\")",
e1d6a774 257 loc, loc->location ? loc->location : "nil", name);
ef416fc2 258
259 if ((temp = add_allow(loc)) == NULL)
260 return;
261
bd7854cb 262 if (!strcasecmp(name, "@LOCAL"))
ef416fc2 263 {
264 /*
265 * Allow *interface*...
266 */
267
5bd77a73 268 temp->type = CUPSD_AUTH_INTERFACE;
ef416fc2 269 temp->mask.name.name = strdup("*");
270 temp->mask.name.length = 1;
271 }
bd7854cb 272 else if (!strncasecmp(name, "@IF(", 4))
ef416fc2 273 {
274 /*
275 * Allow *interface*...
276 */
277
278 strlcpy(ifname, name + 4, sizeof(ifname));
279
280 ifptr = ifname + strlen(ifname);
281
282 if (ifptr[-1] == ')')
283 {
284 ifptr --;
285 *ifptr = '\0';
286 }
287
5bd77a73 288 temp->type = CUPSD_AUTH_INTERFACE;
ef416fc2 289 temp->mask.name.name = strdup(ifname);
290 temp->mask.name.length = ifptr - ifname;
291 }
292 else
293 {
294 /*
295 * Allow name...
296 */
297
5bd77a73 298 temp->type = CUPSD_AUTH_NAME;
ef416fc2 299 temp->mask.name.name = strdup(name);
300 temp->mask.name.length = strlen(name);
301 }
302}
303
304
305/*
306 * 'cupsdAllowIP()' - Add an IP address or network that is allowed to access
307 * the location.
308 */
309
310void
ac884b6a
MS		 311cupsdAllowIP(
312 cupsd_location_t *loc, /* I - Location to add to */
313 const unsigned address[4], /* I - IP address to add */
314 const unsigned netmask[4]) /* I - Netmask of address */
ef416fc2 315{
316 cupsd_authmask_t *temp; /* New host/domain mask */
317
318
319 cupsdLogMessage(CUPSD_LOG_DEBUG2,
320 "cupsdAllowIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)",
e1d6a774 321 loc, loc->location ? loc->location : "nil",
322 address[0], address[1], address[2], address[3],
323 netmask[0], netmask[1], netmask[2], netmask[3]);
ef416fc2 324
325 if ((temp = add_allow(loc)) == NULL)
326 return;
327
5bd77a73 328 temp->type = CUPSD_AUTH_IP;
ef416fc2 329 memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
330 memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
331}
332
333
334/*
335 * 'cupsdAuthorize()' - Validate any authorization credentials.
336 */
337
338void
339cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
340{
341 int type; /* Authentication type */
f7deaa1a 342 const char *authorization; /* Pointer into Authorization string */
343 char *ptr, /* Pointer into string */
db1f069b 344 username[256], /* Username string */
ef416fc2 345 password[33]; /* Password string */
346 const char *localuser; /* Certificate username */
347 char nonce[HTTP_MAX_VALUE], /* Nonce value from client */
348 md5[33], /* MD5 password */
349 basicmd5[33]; /* MD5 of Basic password */
350 static const char * const states[] = /* HTTP client states... */
351 {
352 "WAITING",
353 "OPTIONS",
354 "GET",
355 "GET",
356 "HEAD",
357 "POST",
358 "POST",
359 "POST",
360 "PUT",
361 "PUT",
362 "DELETE",
363 "TRACE",
364 "CLOSE",
365 "STATUS"
366 };
367
368
369 /*
370 * Locate the best matching location so we know what kind of
371 * authentication to expect...
372 */
373
374 con->best = cupsdFindBest(con->uri, con->http.state);
5bd77a73 375 con->type = CUPSD_AUTH_NONE;
ef416fc2 376
377 cupsdLogMessage(CUPSD_LOG_DEBUG2,
378 "cupsdAuthorize: con->uri=\"%s\", con->best=%p(%s)",
379 con->uri, con->best, con->best ? con->best->location : "");
380
5bd77a73 381 if (con->best && con->best->type != CUPSD_AUTH_NONE)
7ff4fea9 382 {
5bd77a73 383 if (con->best->type == CUPSD_AUTH_DEFAULT)
7ff4fea9
MS		 384 type = DefaultAuthType;
385 else
386 type = con->best->type;
387 }
ef416fc2 388 else
389 type = DefaultAuthType;
390
391 /*
392 * Decode the Authorization string...
393 */
394
f7deaa1a 395 authorization = httpGetField(&con->http, HTTP_FIELD_AUTHORIZATION);
ef416fc2 396
397 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAuthorize: Authorization=\"%s\"",
398 authorization);
399
400 username[0] = '\0';
401 password[0] = '\0';
402
f7deaa1a 403#ifdef HAVE_AUTHORIZATION_H
404 if (con->authref)
405 {
406 AuthorizationFree(con->authref, kAuthorizationFlagDefaults);
407 con->authref = NULL;
408 }
409#endif /* HAVE_AUTHORIZATION_H */
410
2fb76298 411 if (!*authorization)
ef416fc2 412 {
413 /*
414 * No authorization data provided, return early...
415 */
416
417 cupsdLogMessage(CUPSD_LOG_DEBUG,
418 "cupsdAuthorize: No authentication data provided.");
419 return;
420 }
f7deaa1a 421#ifdef HAVE_AUTHORIZATION_H
422 else if (!strncmp(authorization, "AuthRef", 6) &&
423 !strcasecmp(con->http.hostname, "localhost"))
424 {
425 OSStatus status; /* Status */
426 int authlen; /* Auth string length */
427 AuthorizationItemSet *authinfo; /* Authorization item set */
428
429 /*
430 * Get the Authorization Services data...
431 */
432
433 authorization += 7;
434 while (isspace(*authorization & 255))
435 authorization ++;
436
437 authlen = sizeof(nonce);
438 httpDecode64_2(nonce, &authlen, authorization);
439
440 if (authlen != kAuthorizationExternalFormLength)
441 {
442 cupsdLogMessage(CUPSD_LOG_ERROR,
bc44d920 443 "External Authorization reference size is incorrect!");
f7deaa1a 444 return;
445 }
446
447 if ((status = AuthorizationCreateFromExternalForm(
448 (AuthorizationExternalForm *)nonce, &con->authref)) != 0)
449 {
450 cupsdLogMessage(CUPSD_LOG_ERROR,
bc44d920 451 "AuthorizationCreateFromExternalForm returned %d (%s)",
f7deaa1a 452 (int)status, cssmErrorString(status));
453 return;
454 }
455
456 if ((status = AuthorizationCopyInfo(con->authref,
457 kAuthorizationEnvironmentUsername,
458 &authinfo)) != 0)
459 {
460 cupsdLogMessage(CUPSD_LOG_ERROR,
bc44d920 461 "AuthorizationCopyInfo returned %d (%s)",
f7deaa1a 462 (int)status, cssmErrorString(status));
463 return;
464 }
465
466 if (authinfo->count == 1)
467 strlcpy(username, authinfo->items[0].value, sizeof(username));
468
355e94dc
MS		 469 cupsdLogMessage(CUPSD_LOG_DEBUG,
470 "cupsdAuthorize: Authorized as %s using AuthRef",
471 username);
472
f7deaa1a 473 AuthorizationFreeItemSet(authinfo);
2fb76298 474
5bd77a73 475 con->type = CUPSD_AUTH_BASIC;
f7deaa1a 476 }
477#endif /* HAVE_AUTHORIZATION_H */
bc44d920 478#if defined(SO_PEERCRED) && defined(AF_LOCAL)
479 else if (!strncmp(authorization, "PeerCred ", 9) &&
480 con->http.hostaddr->addr.sa_family == AF_LOCAL)
481 {
482 /*
483 * Use peer credentials from domain socket connection...
484 */
485
486 struct passwd *pwd; /* Password entry for this user */
487 cupsd_ucred_t peercred; /* Peer credentials */
488 socklen_t peersize; /* Size of peer credentials */
489
490
491 if ((pwd = getpwnam(authorization + 9)) == NULL)
492 {
493 cupsdLogMessage(CUPSD_LOG_ERROR, "User \"%s\" does not exist!",
494 authorization + 9);
495 return;
496 }
497
498 peersize = sizeof(peercred);
499
500 if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
501 {
502 cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
503 strerror(errno));
504 return;
505 }
506
507 if (pwd->pw_uid != CUPSD_UCRED_UID(peercred))
508 {
509 cupsdLogMessage(CUPSD_LOG_ERROR,
510 "Invalid peer credentials for \"%s\" - got %d, "
511 "expected %d!", authorization + 9,
512 CUPSD_UCRED_UID(peercred), pwd->pw_uid);
513# ifdef HAVE_SYS_UCRED_H
514 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_version=%d",
515 peercred.cr_version);
516 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_uid=%d",
517 peercred.cr_uid);
518 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_ngroups=%d",
519 peercred.cr_ngroups);
520 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_groups[0]=%d",
521 peercred.cr_groups[0]);
522# endif /* HAVE_SYS_UCRED_H */
523 return;
524 }
525
526 strlcpy(username, authorization + 9, sizeof(username));
355e94dc
MS		 527
528 cupsdLogMessage(CUPSD_LOG_DEBUG,
529 "cupsdAuthorize: Authorized as %s using PeerCred",
530 username);
2fb76298 531
5bd77a73 532 con->type = CUPSD_AUTH_BASIC;
bc44d920 533 }
534#endif /* SO_PEERCRED && AF_LOCAL */
ef416fc2 535 else if (!strncmp(authorization, "Local", 5) &&
536 !strcasecmp(con->http.hostname, "localhost"))
537 {
538 /*
539 * Get Local certificate authentication data...
540 */
541
542 authorization += 5;
80ca4592 543 while (isspace(*authorization & 255))
ef416fc2 544 authorization ++;
545
546 if ((localuser = cupsdFindCert(authorization)) != NULL)
355e94dc 547 {
ef416fc2 548 strlcpy(username, localuser, sizeof(username));
355e94dc
MS		 549
550 cupsdLogMessage(CUPSD_LOG_DEBUG,
551 "cupsdAuthorize: Authorized as %s using Local",
552 username);
553 }
ef416fc2 554 else
555 {
556 cupsdLogMessage(CUPSD_LOG_ERROR,
557 "cupsdAuthorize: Local authentication certificate not "
558 "found!");
559 return;
560 }
2fb76298 561
5bd77a73 562 con->type = CUPSD_AUTH_BASIC;
ef416fc2 563 }
2fb76298 564 else if (!strncmp(authorization, "Basic", 5))
ef416fc2 565 {
566 /*
567 * Get the Basic authentication data...
568 */
569
570 int userlen; /* Username:password length */
571
572
573 authorization += 5;
80ca4592 574 while (isspace(*authorization & 255))
ef416fc2 575 authorization ++;
576
577 userlen = sizeof(username);
578 httpDecode64_2(username, &userlen, authorization);
579
580 /*
581 * Pull the username and password out...
582 */
583
584 if ((ptr = strchr(username, ':')) == NULL)
585 {
586 cupsdLogMessage(CUPSD_LOG_ERROR,
587 "cupsdAuthorize: Missing Basic password!");
588 return;
589 }
590
591 *ptr++ = '\0';
592
593 if (!username[0])
594 {
595 /*
596 * Username must not be empty...
597 */
598
599 cupsdLogMessage(CUPSD_LOG_ERROR,
600 "cupsdAuthorize: Empty Basic username!");
601 return;
602 }
603
604 if (!*ptr)
605 {
606 /*
607 * Password must not be empty...
608 */
609
610 cupsdLogMessage(CUPSD_LOG_ERROR,
611 "cupsdAuthorize: Empty Basic password!");
612 return;
613 }
614
615 strlcpy(password, ptr, sizeof(password));
616
617 /*
618 * Validate the username and password...
619 */
620
621 switch (type)
622 {
2fb76298 623 default :
5bd77a73 624 case CUPSD_AUTH_BASIC :
ef416fc2 625 {
626#if HAVE_LIBPAM
627 /*
628 * Only use PAM to do authentication. This supports MD5
629 * passwords, among other things...
630 */
631
632 pam_handle_t *pamh; /* PAM authentication handle */
633 int pamerr; /* PAM error code */
634 struct pam_conv pamdata;/* PAM conversation data */
635 cupsd_authdata_t data; /* Authentication data */
636
637
638 strlcpy(data.username, username, sizeof(data.username));
639 strlcpy(data.password, password, sizeof(data.password));
640
07725fee 641# if defined(__sun) || defined(__hpux)
e1d6a774 642 pamdata.conv = (int (*)(int, struct pam_message **,
643 struct pam_response **,
644 void *))pam_func;
645# else
ef416fc2 646 pamdata.conv = pam_func;
07725fee 647# endif /* __sun || __hpux */
ef416fc2 648 pamdata.appdata_ptr = &data;
649
650# ifdef __hpux
651 /*
652 * Workaround for HP-UX bug in pam_unix; see pam_func() below for
653 * more info...
654 */
655
656 auth_data = &data;
657# endif /* __hpux */
658
659 pamerr = pam_start("cups", username, &pamdata, &pamh);
660 if (pamerr != PAM_SUCCESS)
661 {
662 cupsdLogMessage(CUPSD_LOG_ERROR,
663 "cupsdAuthorize: pam_start() returned %d (%s)!\n",
664 pamerr, pam_strerror(pamh, pamerr));
665 pam_end(pamh, 0);
666 return;
667 }
668
a4924f6c
MS		 669# if defined(HAVE_PAM_SET_ITEM) && defined(PAM_RHOST)
670 pamerr = pam_set_item(pamh, PAM_RHOST, con->http.hostname);
671 if (pamerr != PAM_SUCCESS)
672 cupsdLogMessage(CUPSD_LOG_WARN,
673 "cupsdAuthorize: pam_set_item() returned %d "
674 "(%s)!\n", pamerr, pam_strerror(pamh, pamerr));
675# endif /* HAVE_PAM_SET_ITEM && PAM_RHOST */
676
ef416fc2 677 pamerr = pam_authenticate(pamh, PAM_SILENT);
678 if (pamerr != PAM_SUCCESS)
679 {
680 cupsdLogMessage(CUPSD_LOG_ERROR,
681 "cupsdAuthorize: pam_authenticate() returned %d "
682 "(%s)!\n",
683 pamerr, pam_strerror(pamh, pamerr));
684 pam_end(pamh, 0);
685 return;
686 }
687
688 pamerr = pam_acct_mgmt(pamh, PAM_SILENT);
689 if (pamerr != PAM_SUCCESS)
690 {
691 cupsdLogMessage(CUPSD_LOG_ERROR,
692 "cupsdAuthorize: pam_acct_mgmt() returned %d "
693 "(%s)!\n",
694 pamerr, pam_strerror(pamh, pamerr));
695 pam_end(pamh, 0);
696 return;
697 }
698
699 pam_end(pamh, PAM_SUCCESS);
700
701#elif defined(HAVE_USERSEC_H)
702 /*
703 * Use AIX authentication interface...
704 */
705
706 char *authmsg; /* Authentication message */
ef416fc2 707 int reenter; /* ??? */
708
709
710 cupsdLogMessage(CUPSD_LOG_DEBUG,
711 "cupsdAuthorize: AIX authenticate of username \"%s\"",
712 username);
713
714 reenter = 1;
715 if (authenticate(username, password, &reenter, &authmsg) != 0)
716 {
717 cupsdLogMessage(CUPSD_LOG_DEBUG,
718 "cupsdAuthorize: Unable to authenticate username "
719 "\"%s\": %s",
720 username, strerror(errno));
721 return;
722 }
723
724#else
725 /*
726 * Use normal UNIX password file-based authentication...
727 */
728
729 char *pass; /* Encrypted password */
730 struct passwd *pw; /* User password data */
731# ifdef HAVE_SHADOW_H
732 struct spwd *spw; /* Shadow password data */
733# endif /* HAVE_SHADOW_H */
734
735
736 pw = getpwnam(username); /* Get the current password */
737 endpwent(); /* Close the password file */
738
739 if (!pw)
740 {
741 /*
742 * No such user...
743 */
744
745 cupsdLogMessage(CUPSD_LOG_ERROR,
746 "cupsdAuthorize: Unknown username \"%s\"!",
747 username);
80ca4592 748 return;
ef416fc2 749 }
750
751# ifdef HAVE_SHADOW_H
752 spw = getspnam(username);
753 endspent();
754
755 if (!spw && !strcmp(pw->pw_passwd, "x"))
756 {
757 /*
758 * Don't allow blank passwords!
759 */
760
761 cupsdLogMessage(CUPSD_LOG_ERROR,
762 "cupsdAuthorize: Username \"%s\" has no shadow "
763 "password!", username);
764 return;
765 }
766
767 if (spw && !spw->sp_pwdp[0] && !pw->pw_passwd[0])
768# else
769 if (!pw->pw_passwd[0])
770# endif /* HAVE_SHADOW_H */
771 {
772 /*
773 * Don't allow blank passwords!
774 */
775
776 cupsdLogMessage(CUPSD_LOG_ERROR,
777 "cupsdAuthorize: Username \"%s\" has no password!",
778 username);
779 return;
780 }
781
782 /*
783 * OK, the password isn't blank, so compare with what came from the
784 * client...
785 */
786
787 pass = cups_crypt(password, pw->pw_passwd);
788
789 cupsdLogMessage(CUPSD_LOG_DEBUG2,
790 "cupsdAuthorize: pw_passwd=\"%s\", crypt=\"%s\"",
791 pw->pw_passwd, pass);
792
793 if (!pass || strcmp(pw->pw_passwd, pass))
794 {
795# ifdef HAVE_SHADOW_H
796 if (spw)
797 {
798 pass = cups_crypt(password, spw->sp_pwdp);
799
800 cupsdLogMessage(CUPSD_LOG_DEBUG2,
801 "cupsdAuthorize: sp_pwdp=\"%s\", crypt=\"%s\"",
802 spw->sp_pwdp, pass);
803
804 if (pass == NULL || strcmp(spw->sp_pwdp, pass))
805 {
806 cupsdLogMessage(CUPSD_LOG_ERROR,
807 "cupsdAuthorize: Authentication failed for "
808 "user \"%s\"!",
809 username);
810 return;
811 }
812 }
813 else
814# endif /* HAVE_SHADOW_H */
815 {
816 cupsdLogMessage(CUPSD_LOG_ERROR,
817 "cupsdAuthorize: Authentication failed for "
818 "user \"%s\"!",
819 username);
820 return;
821 }
822 }
823#endif /* HAVE_LIBPAM */
824 }
355e94dc
MS		 825
826 cupsdLogMessage(CUPSD_LOG_DEBUG,
827 "cupsdAuthorize: Authorized as %s using Basic",
828 username);
ef416fc2 829 break;
830
5bd77a73 831 case CUPSD_AUTH_BASICDIGEST :
ef416fc2 832 /*
833 * Do Basic authentication with the Digest password file...
834 */
835
e1d6a774 836 if (!get_md5_password(username, NULL, md5))
ef416fc2 837 {
838 cupsdLogMessage(CUPSD_LOG_ERROR,
839 "cupsdAuthorize: Unknown MD5 username \"%s\"!",
840 username);
841 return;
842 }
843
844 httpMD5(username, "CUPS", password, basicmd5);
845
846 if (strcmp(md5, basicmd5))
847 {
848 cupsdLogMessage(CUPSD_LOG_ERROR,
849 "cupsdAuthorize: Authentication failed for \"%s\"!",
850 username);
851 return;
852 }
355e94dc
MS		 853
854 cupsdLogMessage(CUPSD_LOG_DEBUG,
855 "cupsdAuthorize: Authorized as %s using BasicDigest",
856 username);
ef416fc2 857 break;
858 }
2fb76298
MS		 859
860 con->type = type;
ef416fc2 861 }
2fb76298 862 else if (!strncmp(authorization, "Digest", 6))
ef416fc2 863 {
864 /*
865 * Get the username, password, and nonce from the Digest attributes...
866 */
867
868 if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "username",
869 username, sizeof(username)) || !username[0])
870 {
871 /*
872 * Username must not be empty...
873 */
874
875 cupsdLogMessage(CUPSD_LOG_ERROR,
876 "cupsdAuthorize: Empty or missing Digest username!");
877 return;
878 }
879
880 if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "response",
881 password, sizeof(password)) || !password[0])
882 {
883 /*
884 * Password must not be empty...
885 */
886
887 cupsdLogMessage(CUPSD_LOG_ERROR,
888 "cupsdAuthorize: Empty or missing Digest password!");
889 return;
890 }
891
892 if (!httpGetSubField(&(con->http), HTTP_FIELD_AUTHORIZATION, "nonce",
893 nonce))
894 {
895 cupsdLogMessage(CUPSD_LOG_ERROR,
896 "cupsdAuthorize: No nonce value for Digest "
897 "authentication!");
898 return;
899 }
900
901 if (strcmp(con->http.hostname, nonce))
902 {
903 cupsdLogMessage(CUPSD_LOG_ERROR,
904 "cupsdAuthorize: Bad nonce value, expected \"%s\", "
905 "got \"%s\"!", con->http.hostname, nonce);
906 return;
907 }
908
909 /*
910 * Validate the username and password...
911 */
912
e1d6a774 913 if (!get_md5_password(username, NULL, md5))
ef416fc2 914 {
915 cupsdLogMessage(CUPSD_LOG_ERROR,
916 "cupsdAuthorize: Unknown MD5 username \"%s\"!",
917 username);
918 return;
919 }
920
921 httpMD5Final(nonce, states[con->http.state], con->uri, md5);
922
923 if (strcmp(md5, password))
924 {
925 cupsdLogMessage(CUPSD_LOG_ERROR,
926 "cupsdAuthorize: Authentication failed for \"%s\"!",
927 username);
928 return;
929 }
355e94dc
MS		 930
931 cupsdLogMessage(CUPSD_LOG_DEBUG,
932 "cupsdAuthorize: Authorized as %s using Digest",
933 username);
2fb76298 934
5bd77a73 935 con->type = CUPSD_AUTH_DIGEST;
ef416fc2 936 }
f7deaa1a 937#ifdef HAVE_GSSAPI
db1f069b 938 else if (!strncmp(authorization, "Negotiate", 9))
f7deaa1a 939 {
940 int len; /* Length of authorization string */
941 gss_cred_id_t server_creds; /* Server credentials */
942 gss_ctx_id_t context; /* Authorization context */
943 OM_uint32 major_status, /* Major status code */
944 minor_status; /* Minor status code */
945 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER,
946 /* Input token from string */
947 output_token = GSS_C_EMPTY_BUFFER;
948 /* Output token for username */
949 gss_name_t client_name; /* Client name */
c24d2134 950 unsigned int ret_flags; /* Credential flags */
f7deaa1a 951
952
f42414bf 953# ifdef __APPLE__
954 /*
955 * If the weak-linked GSSAPI/Kerberos library is not present, don't try
956 * to use it...
957 */
958
959 if (gss_init_sec_context == NULL)
960 {
961 cupsdLogMessage(CUPSD_LOG_WARN,
962 "GSSAPI/Kerberos authentication failed because the "
963 "Kerberos framework is not present.");
964 return;
965 }
966# endif /* __APPLE__ */
967
f7deaa1a 968 con->gss_output_token.length = 0;
969
970 /*
971 * Find the start of the Kerberos input token...
972 */
973
974 authorization += 9;
975 while (isspace(*authorization & 255))
976 authorization ++;
977
978 if (!*authorization)
979 {
980 cupsdLogMessage(CUPSD_LOG_DEBUG2,
981 "cupsdAuthorize: No authentication data specified.");
982 return;
983 }
984
985 /*
986 * Get the server credentials...
987 */
988
989 if ((server_creds = get_gss_creds(GSSServiceName)) == NULL)
f7deaa1a 990 return;
f7deaa1a 991
992 /*
993 * Decode the authorization string to get the input token...
994 */
995
996 len = strlen(authorization);
997 input_token.value = malloc(len);
998 input_token.value = httpDecode64_2(input_token.value, &len,
999 authorization);
1000 input_token.length = len;
1001
1002 /*
1003 * Accept the input token to get the authorization info...
1004 */
1005
1006 context = GSS_C_NO_CONTEXT;
1007 client_name = GSS_C_NO_NAME;
1008 major_status = gss_accept_sec_context(&minor_status,
1009 &context,
1010 server_creds,
1011 &input_token,
1012 GSS_C_NO_CHANNEL_BINDINGS,
1013 &client_name,
1014 NULL,
1015 &con->gss_output_token,
c24d2134 1016 &ret_flags,
f7deaa1a 1017 NULL,
1018 &con->gss_delegated_cred);
1019
1020 if (GSS_ERROR(major_status))
1021 {
1022 cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
1023 "cupsdAuthorize: Error accepting GSSAPI security "
1024 "context");
1025
1026 if (context != GSS_C_NO_CONTEXT)
1027 gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
76cd9e37
MS		 1028
1029 gss_release_cred(&minor_status, &server_creds);
f7deaa1a 1030 return;
1031 }
1032
1033 /*
76cd9e37
MS		 1034 * Release our credentials...
1035 */
1036
1037 gss_release_cred(&minor_status, &server_creds);
1038
1039 /*
1040 * Get the username associated with the client's credentials...
f7deaa1a 1041 */
1042
355e94dc
MS		 1043 if (!con->gss_delegated_cred)
1044 cupsdLogMessage(CUPSD_LOG_DEBUG,
1045 "cupsdAuthorize: No delegated credentials!");
1046
1047 if (major_status == GSS_S_CONTINUE_NEEDED)
1048 cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
1049 "cupsdAuthorize: Credentials not complete");
1050 else if (major_status == GSS_S_COMPLETE)
f7deaa1a 1051 {
1052 major_status = gss_display_name(&minor_status, client_name,
1053 &output_token, NULL);
1054
1055 if (GSS_ERROR(major_status))
1056 {
1057 cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
1058 "cupsdAuthorize: Error getting username");
1059 gss_release_name(&minor_status, &client_name);
1060 gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
f7deaa1a 1061 return;
1062 }
1063
1064 gss_release_name(&minor_status, &client_name);
1065 strlcpy(username, output_token.value, sizeof(username));
355e94dc
MS		 1066
1067 cupsdLogMessage(CUPSD_LOG_DEBUG,
1068 "cupsdAuthorize: Authorized as %s using Negotiate",
1069 username);
f7deaa1a 1070
1071 gss_release_buffer(&minor_status, &output_token);
1072 gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
09a101d6 1073
1074 con->gss_have_creds = 1;
2fb76298 1075
5bd77a73 1076 con->type = CUPSD_AUTH_NEGOTIATE;
f7deaa1a 1077 }
1078 else
1079 gss_release_name(&minor_status, &client_name);
1080 }
1081#endif /* HAVE_GSSAPI */
2fb76298 1082 else
ef416fc2 1083 {
355e94dc 1084 char scheme[256]; /* Auth scheme... */
355e94dc
MS		 1085
1086
1087 if (sscanf(authorization, "%255s", scheme) != 1)
1088 strcpy(scheme, "UNKNOWN");
1089
2fb76298
MS		 1090 cupsdLogMessage(CUPSD_LOG_ERROR, "Bad authentication data \"%s ...\"",
1091 scheme);
ef416fc2 1092 return;
1093 }
1094
1095 /*
1096 * If we get here, then we were able to validate the username and
1097 * password - copy the validated username and password to the client
1098 * data and return...
1099 */
1100
1101 strlcpy(con->username, username, sizeof(con->username));
1102 strlcpy(con->password, password, sizeof(con->password));
ef416fc2 1103}
1104
1105
080811b1
MS		 1106/*
1107 * 'cupsdCheckAccess()' - Check whether the given address is allowed to
1108 * access a location.
1109 */
1110
1111int /* O - 1 if allowed, 0 otherwise */
1112cupsdCheckAccess(
1113 unsigned ip[4], /* I - Client address */
1114 char *name, /* I - Client hostname */
1115 int namelen, /* I - Length of hostname */
1116 cupsd_location_t *loc) /* I - Location to check */
1117{
1118 int allow; /* 1 if allowed, 0 otherwise */
1119
1120
1121 if (!strcasecmp(name, "localhost"))
1122 {
1123 /*
1124 * Access from localhost (127.0.0.1 or ::1) is always allowed...
1125 */
1126
1127 return (1);
1128 }
1129 else
1130 {
1131 /*
1132 * Do authorization checks on the domain/address...
1133 */
1134
1135 switch (loc->order_type)
1136 {
1137 default :
1138 allow = 0; /* anti-compiler-warning-code */
1139 break;
1140
5bd77a73 1141 case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */
080811b1
MS		 1142 allow = 1;
1143
1144 if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny))
1145 allow = 0;
1146
1147 if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow))
1148 allow = 1;
1149 break;
1150
5bd77a73 1151 case CUPSD_AUTH_DENY : /* Order Allow,Deny */
080811b1
MS		 1152 allow = 0;
1153
1154 if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow))
1155 allow = 1;
1156
1157 if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny))
1158 allow = 0;
1159 break;
1160 }
1161 }
1162
1163 return (allow);
1164}
1165
1166
ef416fc2 1167/*
1168 * 'cupsdCheckAuth()' - Check authorization masks.
1169 */
1170
1171int /* O - 1 if mask matches, 0 otherwise */
1172cupsdCheckAuth(
1173 unsigned ip[4], /* I - Client address */
1174 char *name, /* I - Client hostname */
1175 int name_len, /* I - Length of hostname */
1176 int num_masks, /* I - Number of masks */
1177 cupsd_authmask_t *masks) /* I - Masks */
1178{
1179 int i; /* Looping var */
1180 cupsd_netif_t *iface; /* Network interface */
1181 unsigned netip4; /* IPv4 network address */
1182#ifdef AF_INET6
1183 unsigned netip6[4]; /* IPv6 network address */
1184#endif /* AF_INET6 */
1185
1186 while (num_masks > 0)
1187 {
1188 switch (masks->type)
1189 {
5bd77a73 1190 case CUPSD_AUTH_INTERFACE :
ef416fc2 1191 /*
1192 * Check for a match with a network interface...
1193 */
1194
1195 netip4 = htonl(ip[3]);
1196
1197#ifdef AF_INET6
1198 netip6[0] = htonl(ip[0]);
1199 netip6[1] = htonl(ip[1]);
1200 netip6[2] = htonl(ip[2]);
1201 netip6[3] = htonl(ip[3]);
1202#endif /* AF_INET6 */
1203
1204 if (!strcmp(masks->mask.name.name, "*"))
1205 {
1206 /*
1207 * Check against all local interfaces...
1208 */
1209
1210 cupsdNetIFUpdate();
1211
e00b005a 1212 for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
1213 iface;
1214 iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
ef416fc2 1215 {
1216 /*
1217 * Only check local interfaces...
1218 */
1219
1220 if (!iface->is_local)
1221 continue;
1222
1223 if (iface->address.addr.sa_family == AF_INET)
1224 {
1225 /*
1226 * Check IPv4 address...
1227 */
1228
1229 if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
1230 (iface->address.ipv4.sin_addr.s_addr &
1231 iface->mask.ipv4.sin_addr.s_addr))
1232 return (1);
1233 }
1234#ifdef AF_INET6
1235 else
1236 {
1237 /*
1238 * Check IPv6 address...
1239 */
1240
1241 for (i = 0; i < 4; i ++)
1242 if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
1243 (iface->address.ipv6.sin6_addr.s6_addr32[i] &
1244 iface->mask.ipv6.sin6_addr.s6_addr32[i]))
1245 break;
1246
1247 if (i == 4)
1248 return (1);
1249 }
1250#endif /* AF_INET6 */
1251 }
1252 }
1253 else
1254 {
1255 /*
1256 * Check the named interface...
1257 */
1258
e00b005a 1259 for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
ed486911 1260 iface;
e00b005a 1261 iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
ef416fc2 1262 {
ed486911 1263 if (strcmp(masks->mask.name.name, iface->name))
1264 continue;
1265
ef416fc2 1266 if (iface->address.addr.sa_family == AF_INET)
1267 {
1268 /*
1269 * Check IPv4 address...
1270 */
1271
1272 if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
1273 (iface->address.ipv4.sin_addr.s_addr &
1274 iface->mask.ipv4.sin_addr.s_addr))
1275 return (1);
1276 }
1277#ifdef AF_INET6
1278 else
1279 {
1280 /*
1281 * Check IPv6 address...
1282 */
1283
1284 for (i = 0; i < 4; i ++)
1285 if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
1286 (iface->address.ipv6.sin6_addr.s6_addr32[i] &
1287 iface->mask.ipv6.sin6_addr.s6_addr32[i]))
1288 break;
1289
1290 if (i == 4)
1291 return (1);
1292 }
1293#endif /* AF_INET6 */
1294 }
1295 }
1296 break;
1297
5bd77a73 1298 case CUPSD_AUTH_NAME :
ef416fc2 1299 /*
1300 * Check for exact name match...
1301 */
1302
1303 if (!strcasecmp(name, masks->mask.name.name))
1304 return (1);
1305
1306 /*
1307 * Check for domain match...
1308 */
1309
1310 if (name_len >= masks->mask.name.length &&
1311 masks->mask.name.name[0] == '.' &&
bd7854cb 1312 !strcasecmp(name + name_len - masks->mask.name.length,
1313 masks->mask.name.name))
ef416fc2 1314 return (1);
1315 break;
1316
5bd77a73 1317 case CUPSD_AUTH_IP :
ef416fc2 1318 /*
1319 * Check for IP/network address match...
1320 */
1321
1322 for (i = 0; i < 4; i ++)
1323 if ((ip[i] & masks->mask.ip.netmask[i]) !=
1324 masks->mask.ip.address[i])
1325 break;
1326
1327 if (i == 4)
1328 return (1);
1329 break;
1330 }
1331
1332 masks ++;
1333 num_masks --;
1334 }
1335
1336 return (0);
1337}
1338
1339
1340/*
1341 * 'cupsdCheckGroup()' - Check for a user's group membership.
1342 */
1343
1344int /* O - 1 if user is a member, 0 otherwise */
1345cupsdCheckGroup(
1346 const char *username, /* I - User name */
1347 struct passwd *user, /* I - System user info */
1348 const char *groupname) /* I - Group name */
1349{
1350 int i; /* Looping var */
1351 struct group *group; /* System group info */
1352 char junk[33]; /* MD5 password (not used) */
bd7854cb 1353#ifdef HAVE_MBR_UID_TO_UUID
1354 uuid_t useruuid, /* UUID for username */
1355 groupuuid; /* UUID for groupname */
1356 int is_member; /* True if user is a member of group */
1357#endif /* HAVE_MBR_UID_TO_UUID */
ef416fc2 1358
1359
1360 cupsdLogMessage(CUPSD_LOG_DEBUG2,
1361 "cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")",
1362 username, user, groupname);
1363
1364 /*
1365 * Validate input...
1366 */
1367
1368 if (!username || !groupname)
1369 return (0);
1370
1371 /*
1372 * Check to see if the user is a member of the named group...
1373 */
1374
1375 group = getgrnam(groupname);
1376 endgrent();
1377
1378 if (group != NULL)
1379 {
1380 /*
1381 * Group exists, check it...
1382 */
1383
1384 for (i = 0; group->gr_mem[i]; i ++)
1385 if (!strcasecmp(username, group->gr_mem[i]))
1386 return (1);
1387 }
1388
1389 /*
1390 * Group doesn't exist or user not in group list, check the group ID
1391 * against the user's group ID...
1392 */
1393
1394 if (user && group && group->gr_gid == user->pw_gid)
1395 return (1);
1396
bd7854cb 1397#ifdef HAVE_MBR_UID_TO_UUID
1398 /*
1399 * Check group membership through MacOS X membership API...
1400 */
1401
1402 if (user && group)
1403 if (!mbr_uid_to_uuid(user->pw_uid, useruuid))
1404 if (!mbr_gid_to_uuid(group->gr_gid, groupuuid))
1405 if (!mbr_check_membership(useruuid, groupuuid, &is_member))
1406 if (is_member)
1407 return (1);
1408#endif /* HAVE_MBR_UID_TO_UUID */
1409
ef416fc2 1410 /*
1411 * Username not found, group not found, or user is not part of the
1412 * system group... Check for a user and group in the MD5 password
1413 * file...
1414 */
1415
e1d6a774 1416 if (get_md5_password(username, groupname, junk) != NULL)
ef416fc2 1417 return (1);
1418
1419 /*
1420 * If we get this far, then the user isn't part of the named group...
1421 */
1422
1423 return (0);
1424}
1425
1426
1427/*
1428 * 'cupsdCopyLocation()' - Make a copy of a location...
1429 */
1430
1431cupsd_location_t * /* O - New location */
1432cupsdCopyLocation(
1433 cupsd_location_t **loc) /* IO - Original location */
1434{
1435 int i; /* Looping var */
ef416fc2 1436 cupsd_location_t *temp; /* New location */
1437 char location[HTTP_MAX_URI];
1438 /* Location of resource */
1439
1440
ef416fc2 1441 /*
1442 * Use a local copy of location because cupsdAddLocation may cause
1443 * this memory to be moved...
1444 */
1445
1446 strlcpy(location, (*loc)->location, sizeof(location));
1447
1448 if ((temp = cupsdAddLocation(location)) == NULL)
1449 return (NULL);
1450
ef416fc2 1451 /*
1452 * Copy the information from the original location to the new one.
1453 */
1454
1455 temp->limit = (*loc)->limit;
1456 temp->order_type = (*loc)->order_type;
1457 temp->type = (*loc)->type;
1458 temp->level = (*loc)->level;
1459 temp->satisfy = (*loc)->satisfy;
1460 temp->encryption = (*loc)->encryption;
1461
1462 if ((temp->num_names = (*loc)->num_names) > 0)
1463 {
1464 /*
1465 * Copy the names array...
1466 */
1467
1468 if ((temp->names = calloc(temp->num_names, sizeof(char *))) == NULL)
1469 {
1470 cupsdLogMessage(CUPSD_LOG_ERROR,
1471 "cupsdCopyLocation: Unable to allocate memory for %d names: %s",
1472 temp->num_names, strerror(errno));
bd7854cb 1473
1474 cupsdDeleteLocation(temp);
ef416fc2 1475 return (NULL);
1476 }
1477
1478 for (i = 0; i < temp->num_names; i ++)
1479 if ((temp->names[i] = strdup((*loc)->names[i])) == NULL)
1480 {
1481 cupsdLogMessage(CUPSD_LOG_ERROR,
1482 "cupsdCopyLocation: Unable to copy name \"%s\": %s",
1483 (*loc)->names[i], strerror(errno));
1484
bd7854cb 1485 cupsdDeleteLocation(temp);
ef416fc2 1486 return (NULL);
1487 }
1488 }
1489
1490 if ((temp->num_allow = (*loc)->num_allow) > 0)
1491 {
1492 /*
1493 * Copy allow rules...
1494 */
1495
1496 if ((temp->allow = calloc(temp->num_allow, sizeof(cupsd_authmask_t))) == NULL)
1497 {
1498 cupsdLogMessage(CUPSD_LOG_ERROR,
1499 "cupsdCopyLocation: Unable to allocate memory for %d allow rules: %s",
1500 temp->num_allow, strerror(errno));
bd7854cb 1501 cupsdDeleteLocation(temp);
ef416fc2 1502 return (NULL);
1503 }
1504
1505 for (i = 0; i < temp->num_allow; i ++)
1506 switch (temp->allow[i].type = (*loc)->allow[i].type)
1507 {
5bd77a73 1508 case CUPSD_AUTH_NAME :
ef416fc2 1509 temp->allow[i].mask.name.length = (*loc)->allow[i].mask.name.length;
1510 temp->allow[i].mask.name.name = strdup((*loc)->allow[i].mask.name.name);
1511
1512 if (temp->allow[i].mask.name.name == NULL)
1513 {
1514 cupsdLogMessage(CUPSD_LOG_ERROR,
1515 "cupsdCopyLocation: Unable to copy allow name \"%s\": %s",
1516 (*loc)->allow[i].mask.name.name, strerror(errno));
bd7854cb 1517 cupsdDeleteLocation(temp);
ef416fc2 1518 return (NULL);
1519 }
1520 break;
5bd77a73 1521 case CUPSD_AUTH_IP :
ef416fc2 1522 memcpy(&(temp->allow[i].mask.ip), &((*loc)->allow[i].mask.ip),
1523 sizeof(cupsd_ipmask_t));
1524 break;
1525 }
1526 }
1527
1528 if ((temp->num_deny = (*loc)->num_deny) > 0)
1529 {
1530 /*
1531 * Copy deny rules...
1532 */
1533
1534 if ((temp->deny = calloc(temp->num_deny, sizeof(cupsd_authmask_t))) == NULL)
1535 {
1536 cupsdLogMessage(CUPSD_LOG_ERROR,
1537 "cupsdCopyLocation: Unable to allocate memory for %d deny rules: %s",
1538 temp->num_deny, strerror(errno));
bd7854cb 1539 cupsdDeleteLocation(temp);
ef416fc2 1540 return (NULL);
1541 }
1542
1543 for (i = 0; i < temp->num_deny; i ++)
1544 switch (temp->deny[i].type = (*loc)->deny[i].type)
1545 {
5bd77a73 1546 case CUPSD_AUTH_NAME :
ef416fc2 1547 temp->deny[i].mask.name.length = (*loc)->deny[i].mask.name.length;
1548 temp->deny[i].mask.name.name = strdup((*loc)->deny[i].mask.name.name);
1549
1550 if (temp->deny[i].mask.name.name == NULL)
1551 {
1552 cupsdLogMessage(CUPSD_LOG_ERROR,
1553 "cupsdCopyLocation: Unable to copy deny name \"%s\": %s",
1554 (*loc)->deny[i].mask.name.name, strerror(errno));
bd7854cb 1555 cupsdDeleteLocation(temp);
ef416fc2 1556 return (NULL);
1557 }
1558 break;
5bd77a73 1559 case CUPSD_AUTH_IP :
ef416fc2 1560 memcpy(&(temp->deny[i].mask.ip), &((*loc)->deny[i].mask.ip),
1561 sizeof(cupsd_ipmask_t));
1562 break;
1563 }
1564 }
1565
1566 return (temp);
1567}
1568
1569
1570/*
1571 * 'cupsdDeleteAllLocations()' - Free all memory used for location authorization.
1572 */
1573
1574void
1575cupsdDeleteAllLocations(void)
1576{
ef416fc2 1577 cupsd_location_t *loc; /* Current location */
1578
1579
1580 /*
1581 * Free all of the allow/deny records first...
1582 */
1583
bd7854cb 1584 for (loc = (cupsd_location_t *)cupsArrayFirst(Locations);
1585 loc;
1586 loc = (cupsd_location_t *)cupsArrayNext(Locations))
ef416fc2 1587 cupsdDeleteLocation(loc);
1588
1589 /*
1590 * Then free the location array...
1591 */
1592
bd7854cb 1593 cupsArrayDelete(Locations);
1594 Locations = NULL;
ef416fc2 1595}
1596
1597
1598/*
1599 * 'cupsdDeleteLocation()' - Free all memory used by a location.
1600 */
1601
1602void
1603cupsdDeleteLocation(
1604 cupsd_location_t *loc) /* I - Location to delete */
1605{
1606 int i; /* Looping var */
1607 cupsd_authmask_t *mask; /* Current mask */
1608
1609
bd7854cb 1610 cupsArrayRemove(Locations, loc);
1611
ef416fc2 1612 for (i = loc->num_names - 1; i >= 0; i --)
1613 free(loc->names[i]);
1614
1615 if (loc->num_names > 0)
1616 free(loc->names);
1617
1618 for (i = loc->num_allow, mask = loc->allow; i > 0; i --, mask ++)
5bd77a73 1619 if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
ef416fc2 1620 free(mask->mask.name.name);
1621
1622 if (loc->num_allow > 0)
1623 free(loc->allow);
1624
1625 for (i = loc->num_deny, mask = loc->deny; i > 0; i --, mask ++)
5bd77a73 1626 if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
ef416fc2 1627 free(mask->mask.name.name);
1628
1629 if (loc->num_deny > 0)
1630 free(loc->deny);
bd7854cb 1631
1632 free(loc->location);
1633 free(loc);
ef416fc2 1634}
1635
1636
1637/*
1638 * 'cupsdDenyHost()' - Add a host name that is not allowed to access the
1639 * location.
1640 */
1641
1642void
1643cupsdDenyHost(cupsd_location_t *loc, /* I - Location to add to */
1644 char *name) /* I - Name of host or domain to add */
1645{
1646 cupsd_authmask_t *temp; /* New host/domain mask */
1647 char ifname[32], /* Interface name */
1648 *ifptr; /* Pointer to end of name */
1649
1650
1651 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDenyHost(loc=%p(%s), name=\"%s\")",
e1d6a774 1652 loc, loc->location ? loc->location : "nil", name);
ef416fc2 1653
1654 if ((temp = add_deny(loc)) == NULL)
1655 return;
1656
bd7854cb 1657 if (!strcasecmp(name, "@LOCAL"))
ef416fc2 1658 {
1659 /*
1660 * Deny *interface*...
1661 */
1662
5bd77a73 1663 temp->type = CUPSD_AUTH_INTERFACE;
ef416fc2 1664 temp->mask.name.name = strdup("*");
1665 temp->mask.name.length = 1;
1666 }
bd7854cb 1667 else if (!strncasecmp(name, "@IF(", 4))
ef416fc2 1668 {
1669 /*
1670 * Deny *interface*...
1671 */
1672
1673 strlcpy(ifname, name + 4, sizeof(ifname));
1674
1675 ifptr = ifname + strlen(ifname);
1676
1677 if (ifptr[-1] == ')')
1678 {
1679 ifptr --;
1680 *ifptr = '\0';
1681 }
1682
5bd77a73 1683 temp->type = CUPSD_AUTH_INTERFACE;
ef416fc2 1684 temp->mask.name.name = strdup(ifname);
1685 temp->mask.name.length = ifptr - ifname;
1686 }
1687 else
1688 {
1689 /*
1690 * Deny name...
1691 */
1692
5bd77a73 1693 temp->type = CUPSD_AUTH_NAME;
ef416fc2 1694 temp->mask.name.name = strdup(name);
1695 temp->mask.name.length = strlen(name);
1696 }
1697}
1698
1699
1700/*
1701 * 'cupsdDenyIP()' - Add an IP address or network that is not allowed to
1702 * access the location.
1703 */
1704
1705void
1706cupsdDenyIP(cupsd_location_t *loc, /* I - Location to add to */
ac884b6a
MS		 1707 const unsigned address[4],/* I - IP address to add */
1708 const unsigned netmask[4])/* I - Netmask of address */
ef416fc2 1709{
1710 cupsd_authmask_t *temp; /* New host/domain mask */
1711
1712
1713 cupsdLogMessage(CUPSD_LOG_DEBUG,
1714 "cupsdDenyIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)",
e1d6a774 1715 loc, loc->location ? loc->location : "nil",
1716 address[0], address[1], address[2], address[3],
1717 netmask[0], netmask[1], netmask[2], netmask[3]);
ef416fc2 1718
1719 if ((temp = add_deny(loc)) == NULL)
1720 return;
1721
5bd77a73 1722 temp->type = CUPSD_AUTH_IP;
ef416fc2 1723 memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
1724 memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
1725}
1726
1727
1728/*
1729 * 'cupsdFindBest()' - Find the location entry that best matches the resource.
1730 */
1731
1732cupsd_location_t * /* O - Location that matches */
1733cupsdFindBest(const char *path, /* I - Resource path */
1734 http_state_t state) /* I - HTTP state/request */
1735{
ef416fc2 1736 char uri[HTTP_MAX_URI],
1737 /* URI in request... */
1738 *uriptr; /* Pointer into URI */
1739 cupsd_location_t *loc, /* Current location */
1740 *best; /* Best match for location so far */
1741 int bestlen; /* Length of best match */
1742 int limit; /* Limit field */
5bd77a73 1743 static const int limits[] = /* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */
ef416fc2 1744 {
5bd77a73
MS		 1745 CUPSD_AUTH_LIMIT_ALL,
1746 CUPSD_AUTH_LIMIT_OPTIONS,
1747 CUPSD_AUTH_LIMIT_GET,
1748 CUPSD_AUTH_LIMIT_GET,
1749 CUPSD_AUTH_LIMIT_HEAD,
1750 CUPSD_AUTH_LIMIT_POST,
1751 CUPSD_AUTH_LIMIT_POST,
1752 CUPSD_AUTH_LIMIT_POST,
1753 CUPSD_AUTH_LIMIT_PUT,
1754 CUPSD_AUTH_LIMIT_PUT,
1755 CUPSD_AUTH_LIMIT_DELETE,
1756 CUPSD_AUTH_LIMIT_TRACE,
1757 CUPSD_AUTH_LIMIT_ALL,
1758 CUPSD_AUTH_LIMIT_ALL
ef416fc2 1759 };
1760
1761
1762 /*
1763 * First copy the connection URI to a local string so we have drop
1764 * any .ppd extension from the pathname in /printers or /classes
1765 * URIs...
1766 */
1767
1768 strlcpy(uri, path, sizeof(uri));
1769
1770 if (!strncmp(uri, "/printers/", 10) ||
1771 !strncmp(uri, "/classes/", 9))
1772 {
1773 /*
1774 * Check if the URI has .ppd on the end...
1775 */
1776
1777 uriptr = uri + strlen(uri) - 4; /* len > 4 if we get here... */
1778
1779 if (!strcmp(uriptr, ".ppd"))
1780 *uriptr = '\0';
1781 }
1782
1783 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri = \"%s\"...", uri);
1784
1785 /*
1786 * Loop through the list of locations to find a match...
1787 */
1788
1789 limit = limits[state];
1790 best = NULL;
1791 bestlen = 0;
1792
bd7854cb 1793 for (loc = (cupsd_location_t *)cupsArrayFirst(Locations);
1794 loc;
1795 loc = (cupsd_location_t *)cupsArrayNext(Locations))
ef416fc2 1796 {
1797 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s Limit %x",
e1d6a774 1798 loc->location ? loc->location : "nil", loc->limit);
ef416fc2 1799
1800 if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9))
1801 {
1802 /*
1803 * Use case-insensitive comparison for queue names...
1804 */
1805
e1d6a774 1806 if (loc->length > bestlen && loc->location &&
bd7854cb 1807 !strncasecmp(uri, loc->location, loc->length) &&
ef416fc2 1808 loc->location[0] == '/' &&
1809 (limit & loc->limit) != 0)
1810 {
1811 best = loc;
1812 bestlen = loc->length;
1813 }
1814 }
1815 else
1816 {
1817 /*
1818 * Use case-sensitive comparison for other URIs...
1819 */
1820
e1d6a774 1821 if (loc->length > bestlen && loc->location &&
ef416fc2 1822 !strncmp(uri, loc->location, loc->length) &&
1823 loc->location[0] == '/' &&
1824 (limit & loc->limit) != 0)
1825 {
1826 best = loc;
1827 bestlen = loc->length;
1828 }
1829 }
1830 }
1831
1832 /*
1833 * Return the match, if any...
1834 */
1835
1836 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best = %s",
1837 best ? best->location : "NONE");
1838
1839 return (best);
1840}
1841
1842
1843/*
1844 * 'cupsdFindLocation()' - Find the named location.
1845 */
1846
1847cupsd_location_t * /* O - Location that matches */
1848cupsdFindLocation(const char *location) /* I - Connection */
1849{
bd7854cb 1850 cupsd_location_t key; /* Search key */
ef416fc2 1851
1852
bd7854cb 1853 key.location = (char *)location;
ef416fc2 1854
bd7854cb 1855 return ((cupsd_location_t *)cupsArrayFind(Locations, &key));
ef416fc2 1856}
1857
1858
ef416fc2 1859/*
1860 * 'cupsdIsAuthorized()' - Check to see if the user is authorized...
1861 */
1862
1863http_status_t /* O - HTTP_OK if authorized or error code */
1864cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
1865 const char *owner)/* I - Owner of object */
1866{
1867 int i, j, /* Looping vars */
2fb76298
MS		 1868 auth, /* Authorization status */
1869 type; /* Type of authentication */
ef416fc2 1870 unsigned address[4]; /* Authorization address */
1871 cupsd_location_t *best; /* Best match for location so far */
1872 int hostlen; /* Length of hostname */
db1f069b
MS		 1873 char username[256], /* Username to authorize */
1874 ownername[256], /* Owner name to authorize */
1875 *ptr; /* Pointer into username */
ef416fc2 1876 struct passwd *pw; /* User password data */
1877 static const char * const levels[] = /* Auth levels */
1878 {
1879 "ANON",
1880 "USER",
1881 "GROUP"
1882 };
1883 static const char * const types[] = /* Auth types */
1884 {
2fb76298
MS		 1885 "None",
1886 "Basic",
1887 "Digest",
1888 "BasicDigest",
1889 "Negotiate"
ef416fc2 1890 };
1891
1892
1893 cupsdLogMessage(CUPSD_LOG_DEBUG2,
1894 "cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)",
f301802f 1895 con->uri, con->best, con->best ? con->best->location ?
1896 con->best->location : "(null)" : "");
fa73b229 1897 if (owner)
1898 cupsdLogMessage(CUPSD_LOG_DEBUG2,
1899 "cupsdIsAuthorized: owner=\"%s\"", owner);
ef416fc2 1900
1901 /*
1902 * If there is no "best" authentication rule for this request, then
1903 * access is allowed from the local system and denied from other
1904 * addresses...
1905 */
1906
1907 if (!con->best)
1908 {
1909 if (!strcmp(con->http.hostname, "localhost") ||
1910 !strcmp(con->http.hostname, ServerName))
1911 return (HTTP_OK);
1912 else
1913 return (HTTP_FORBIDDEN);
1914 }
1915
1916 best = con->best;
1917
5bd77a73 1918 if ((type = best->type) == CUPSD_AUTH_DEFAULT)
2fb76298
MS		 1919 type = DefaultAuthType;
1920
ef416fc2 1921 cupsdLogMessage(CUPSD_LOG_DEBUG2,
5bd77a73
MS		 1922 "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, "
1923 "satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d",
2fb76298 1924 levels[best->level], types[type],
ef416fc2 1925 best->satisfy ? "ANY" : "ALL", best->num_names);
1926
5bd77a73 1927 if (best->limit == CUPSD_AUTH_LIMIT_IPP)
ef416fc2 1928 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)",
1929 best->op, ippOpString(best->op));
1930
1931 /*
1932 * Check host/ip-based accesses...
1933 */
1934
1935#ifdef AF_INET6
1936 if (con->http.hostaddr->addr.sa_family == AF_INET6)
1937 {
1938 /*
1939 * Copy IPv6 address...
1940 */
1941
1942 address[0] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[0]);
1943 address[1] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[1]);
1944 address[2] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[2]);
1945 address[3] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[3]);
1946 }
1947 else
1948#endif /* AF_INET6 */
1949 if (con->http.hostaddr->addr.sa_family == AF_INET)
1950 {
1951 /*
1952 * Copy IPv4 address...
1953 */
1954
1955 address[0] = 0;
1956 address[1] = 0;
1957 address[2] = 0;
1958 address[3] = ntohl(con->http.hostaddr->ipv4.sin_addr.s_addr);
1959 }
1960 else
1961 memset(address, 0, sizeof(address));
1962
1963 hostlen = strlen(con->http.hostname);
1964
080811b1 1965 auth = cupsdCheckAccess(address, con->http.hostname, hostlen, best)
5bd77a73 1966 ? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
ef416fc2 1967
5bd77a73 1968 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...",
ef416fc2 1969 auth ? "DENY" : "ALLOW");
1970
5bd77a73 1971 if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL)
ef416fc2 1972 return (HTTP_FORBIDDEN);
1973
1974#ifdef HAVE_SSL
1975 /*
1976 * See if encryption is required...
1977 */
1978
f7deaa1a 1979 if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls &&
a74454a7 1980 strcasecmp(con->http.hostname, "localhost") &&
5bd77a73
MS		 1981 best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
1982 !(type == CUPSD_AUTH_NEGOTIATE ||
1983 (type == CUPSD_AUTH_NONE && DefaultAuthType == CUPSD_AUTH_NEGOTIATE)))
ef416fc2 1984 {
355e94dc 1985 cupsdLogMessage(CUPSD_LOG_DEBUG,
ef416fc2 1986 "cupsdIsAuthorized: Need upgrade to TLS...");
1987 return (HTTP_UPGRADE_REQUIRED);
1988 }
1989#endif /* HAVE_SSL */
1990
1991 /*
1992 * Now see what access level is required...
1993 */
1994
5bd77a73
MS		 1995 if (best->level == CUPSD_AUTH_ANON || /* Anonymous access - allow it */
1996 (type == CUPSD_AUTH_NONE && best->num_names == 0))
ef416fc2 1997 return (HTTP_OK);
1998
5bd77a73
MS		 1999 if (!con->username[0] && type == CUPSD_AUTH_NONE &&
2000 best->limit == CUPSD_AUTH_LIMIT_IPP)
ef416fc2 2001 {
2002 /*
2003 * Check for unauthenticated username...
2004 */
2005
2006 ipp_attribute_t *attr; /* requesting-user-name attribute */
2007
2008
2009 attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
2010 if (attr)
2011 {
355e94dc 2012 cupsdLogMessage(CUPSD_LOG_DEBUG,
ef416fc2 2013 "cupsdIsAuthorized: requesting-user-name=\"%s\"",
2014 attr->values[0].string.text);
db1f069b 2015 strlcpy(username, attr->values[0].string.text, sizeof(username));
ef416fc2 2016 }
5bd77a73 2017 else if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
ef416fc2 2018 return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
2019 else
2020 return (HTTP_OK); /* unless overridden with Satisfy */
2021 }
fa73b229 2022 else
2023 {
355e94dc 2024 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: username=\"%s\"",
fa73b229 2025 con->username);
2026
f7deaa1a 2027#ifdef HAVE_AUTHORIZATION_H
2028 if (!con->username[0] && !con->authref)
2029#else
fa73b229 2030 if (!con->username[0])
f7deaa1a 2031#endif /* HAVE_AUTHORIZATION_H */
fa73b229 2032 {
5bd77a73 2033 if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
fa73b229 2034 return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
2035 else
2036 return (HTTP_OK); /* unless overridden with Satisfy */
2037 }
2038
5bd77a73
MS		 2039 if (con->type != type && type != CUPSD_AUTH_NONE &&
2040 (con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST))
2fb76298
MS		 2041 {
2042 cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s!",
2043 types[con->type], types[type]);
2044
2045 return (HTTP_UNAUTHORIZED);
2046 }
2047
db1f069b 2048 strlcpy(username, con->username, sizeof(username));
fa73b229 2049 }
ef416fc2 2050
2051 /*
fa73b229 2052 * OK, got a username. See if we need normal user access, or group
ef416fc2 2053 * access... (root always matches)
2054 */
2055
fa73b229 2056 if (!strcmp(username, "root"))
ef416fc2 2057 return (HTTP_OK);
2058
db1f069b
MS		 2059 /*
2060 * Strip any @domain or @KDC from the username and owner...
2061 */
2062
2063 if ((ptr = strchr(username, '@')) != NULL)
2064 *ptr = '\0';
2065
2066 if (owner)
2067 {
2068 strlcpy(ownername, owner, sizeof(ownername));
2069
2070 if ((ptr = strchr(ownername, '@')) != NULL)
2071 *ptr = '\0';
2072 }
2073 else
2074 ownername[0] = '\0';
2075
ef416fc2 2076 /*
2077 * Get the user info...
2078 */
2079
f7deaa1a 2080 if (username[0])
2081 {
2082 pw = getpwnam(username);
2083 endpwent();
2084 }
2085 else
2086 pw = NULL;
ef416fc2 2087
5bd77a73 2088 if (best->level == CUPSD_AUTH_USER)
ef416fc2 2089 {
2090 /*
2091 * If there are no names associated with this location, then
2092 * any valid user is OK...
2093 */
2094
2095 if (best->num_names == 0)
2096 return (HTTP_OK);
2097
2098 /*
2099 * Otherwise check the user list and return OK if this user is
2100 * allowed...
2101 */
2102
2103 cupsdLogMessage(CUPSD_LOG_DEBUG2,
2104 "cupsdIsAuthorized: Checking user membership...");
2105
f7deaa1a 2106#ifdef HAVE_AUTHORIZATION_H
2107 /*
2108 * If an authorization reference was supplied it must match a right name...
2109 */
2110
2111 if (con->authref)
2112 {
2113 for (i = 0; i < best->num_names; i ++)
2114 {
2115 if (!strncasecmp(best->names[i], "@AUTHKEY(", 9) &&
2116 check_authref(con, best->names[i] + 9))
2117 return (HTTP_OK);
2118 else if (!strcasecmp(best->names[i], "@SYSTEM") &&
2119 SystemGroupAuthKey &&
2120 check_authref(con, SystemGroupAuthKey))
2121 return (HTTP_OK);
2122 }
2123
2124 return (HTTP_UNAUTHORIZED);
2125 }
2126#endif /* HAVE_AUTHORIZATION_H */
2127
ef416fc2 2128 for (i = 0; i < best->num_names; i ++)
2129 {
2130 if (!strcasecmp(best->names[i], "@OWNER") && owner &&
db1f069b 2131 !strcasecmp(username, ownername))
ef416fc2 2132 return (HTTP_OK);
2133 else if (!strcasecmp(best->names[i], "@SYSTEM"))
2134 {
2135 for (j = 0; j < NumSystemGroups; j ++)
fa73b229 2136 if (cupsdCheckGroup(username, pw, SystemGroups[j]))
ef416fc2 2137 return (HTTP_OK);
2138 }
2139 else if (best->names[i][0] == '@')
2140 {
fa73b229 2141 if (cupsdCheckGroup(username, pw, best->names[i] + 1))
ef416fc2 2142 return (HTTP_OK);
2143 }
fa73b229 2144 else if (!strcasecmp(username, best->names[i]))
ef416fc2 2145 return (HTTP_OK);
2146 }
2147
2148 return (HTTP_UNAUTHORIZED);
2149 }
2150
2151 /*
2152 * Check to see if this user is in any of the named groups...
2153 */
2154
2155 cupsdLogMessage(CUPSD_LOG_DEBUG2,
2156 "cupsdIsAuthorized: Checking group membership...");
2157
2158 /*
2159 * Check to see if this user is in any of the named groups...
2160 */
2161
2162 for (i = 0; i < best->num_names; i ++)
2163 {
2164 cupsdLogMessage(CUPSD_LOG_DEBUG2,
2165 "cupsdIsAuthorized: Checking group \"%s\" membership...",
2166 best->names[i]);
2167
2168 if (!strcasecmp(best->names[i], "@SYSTEM"))
2169 {
2170 for (j = 0; j < NumSystemGroups; j ++)
fa73b229 2171 if (cupsdCheckGroup(username, pw, SystemGroups[j]))
ef416fc2 2172 return (HTTP_OK);
2173 }
fa73b229 2174 else if (cupsdCheckGroup(username, pw, best->names[i]))
ef416fc2 2175 return (HTTP_OK);
2176 }
2177
2178 /*
2179 * The user isn't part of the specified group, so deny access...
2180 */
2181
355e94dc 2182 cupsdLogMessage(CUPSD_LOG_DEBUG,
ef416fc2 2183 "cupsdIsAuthorized: User not in group(s)!");
2184
2185 return (HTTP_UNAUTHORIZED);
2186}
2187
2188
2189/*
2190 * 'add_allow()' - Add an allow mask to the location.
2191 */
2192
2193static cupsd_authmask_t * /* O - New mask record */
2194add_allow(cupsd_location_t *loc) /* I - Location to add to */
2195{
2196 cupsd_authmask_t *temp; /* New mask record */
2197
2198
2199 /*
2200 * Range-check...
2201 */
2202
2203 if (loc == NULL)
2204 return (NULL);
2205
2206 /*
2207 * Try to allocate memory for the record...
2208 */
2209
2210 if (loc->num_allow == 0)
2211 temp = malloc(sizeof(cupsd_authmask_t));
2212 else
2213 temp = realloc(loc->allow, sizeof(cupsd_authmask_t) * (loc->num_allow + 1));
2214
2215 if (temp == NULL)
2216 return (NULL);
2217
2218 loc->allow = temp;
2219 temp += loc->num_allow;
2220 loc->num_allow ++;
2221
2222 /*
2223 * Clear the mask record and return...
2224 */
2225
2226 memset(temp, 0, sizeof(cupsd_authmask_t));
2227 return (temp);
2228}
2229
2230
2231/*
2232 * 'add_deny()' - Add a deny mask to the location.
2233 */
2234
2235static cupsd_authmask_t * /* O - New mask record */
2236add_deny(cupsd_location_t *loc) /* I - Location to add to */
2237{
2238 cupsd_authmask_t *temp; /* New mask record */
2239
2240
2241 /*
2242 * Range-check...
2243 */
2244
2245 if (loc == NULL)
2246 return (NULL);
2247
2248 /*
2249 * Try to allocate memory for the record...
2250 */
2251
2252 if (loc->num_deny == 0)
2253 temp = malloc(sizeof(cupsd_authmask_t));
2254 else
2255 temp = realloc(loc->deny, sizeof(cupsd_authmask_t) * (loc->num_deny + 1));
2256
2257 if (temp == NULL)
2258 return (NULL);
2259
2260 loc->deny = temp;
2261 temp += loc->num_deny;
2262 loc->num_deny ++;
2263
2264 /*
2265 * Clear the mask record and return...
2266 */
2267
2268 memset(temp, 0, sizeof(cupsd_authmask_t));
2269 return (temp);
2270}
2271
2272
f7deaa1a 2273#ifdef HAVE_AUTHORIZATION_H
2274/*
2275 * 'check_authref()' - Check if an authorization services reference has the
2276 * supplied right.
2277 */
2278
2279static int /* O - 1 if right is valid, 0 otherwise */
2280check_authref(cupsd_client_t *con, /* I - Connection */
2281 const char *right) /* I - Right name */
2282{
2283 OSStatus status; /* OS Status */
2284 AuthorizationItem authright; /* Authorization right */
2285 AuthorizationRights authrights; /* Authorization rights */
2286 AuthorizationFlags authflags; /* Authorization flags */
2287
2288
2289 /*
2290 * Check to see if the user is allowed to perform the task...
2291 */
2292
2293 if (!con->authref)
2294 return (0);
2295
2296 authright.name = right;
2297 authright.valueLength = 0;
2298 authright.value = NULL;
2299 authright.flags = 0;
2300
2301 authrights.count = 1;
2302 authrights.items = &authright;
2303
2304 authflags = kAuthorizationFlagDefaults |
2305 kAuthorizationFlagExtendRights;
2306
2307 if ((status = AuthorizationCopyRights(con->authref, &authrights,
2308 kAuthorizationEmptyEnvironment,
2309 authflags, NULL)) != 0)
2310 {
2311 cupsdLogMessage(CUPSD_LOG_ERROR,
2312 "AuthorizationCopyRights(\"%s\") returned %d (%s)",
2313 authright.name, (int)status, cssmErrorString(status));
2314 return (0);
2315 }
2316
2317 cupsdLogMessage(CUPSD_LOG_DEBUG2,
2318 "AuthorizationCopyRights(\"%s\") succeeded!",
2319 authright.name);
2320
2321 return (1);
2322}
2323#endif /* HAVE_AUTHORIZATION_H */
2324
2325
bd7854cb 2326/*
2327 * 'compare_locations()' - Compare two locations.
2328 */
2329
2330static int /* O - Result of comparison */
2331compare_locations(cupsd_location_t *a, /* I - First location */
2332 cupsd_location_t *b) /* I - Second location */
2333{
2334 return (strcmp(b->location, a->location));
2335}
2336
2337
d09495fa 2338#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
ef416fc2 2339/*
2340 * 'cups_crypt()' - Encrypt the password using the DES or MD5 algorithms,
2341 * as needed.
2342 */
2343
2344static char * /* O - Encrypted password */
2345cups_crypt(const char *pw, /* I - Password string */
2346 const char *salt) /* I - Salt (key) string */
2347{
bd7854cb 2348 if (!strncmp(salt, "$1$", 3))
ef416fc2 2349 {
2350 /*
2351 * Use MD5 passwords without the benefit of PAM; this is for
2352 * Slackware Linux, and the algorithm was taken from the
2353 * old shadow-19990827/lib/md5crypt.c source code... :(
2354 */
2355
2356 int i; /* Looping var */
2357 unsigned long n; /* Output number */
2358 int pwlen; /* Length of password string */
2359 const char *salt_end; /* End of "salt" data for MD5 */
2360 char *ptr; /* Pointer into result string */
2361 _cups_md5_state_t state; /* Primary MD5 state info */
2362 _cups_md5_state_t state2; /* Secondary MD5 state info */
2363 unsigned char digest[16]; /* MD5 digest result */
2364 static char result[120]; /* Final password string */
2365
2366
2367 /*
2368 * Get the salt data between dollar signs, e.g. $1$saltdata$md5.
2369 * Get a maximum of 8 characters of salt data after $1$...
2370 */
2371
2372 for (salt_end = salt + 3; *salt_end && (salt_end - salt) < 11; salt_end ++)
2373 if (*salt_end == '$')
2374 break;
2375
2376 /*
2377 * Compute the MD5 sum we need...
2378 */
2379
2380 pwlen = strlen(pw);
2381
757d2cad 2382 _cupsMD5Init(&state);
2383 _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
2384 _cupsMD5Append(&state, (unsigned char *)salt, salt_end - salt);
ef416fc2 2385
757d2cad 2386 _cupsMD5Init(&state2);
2387 _cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
2388 _cupsMD5Append(&state2, (unsigned char *)salt + 3, salt_end - salt - 3);
2389 _cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
2390 _cupsMD5Finish(&state2, digest);
ef416fc2 2391
2392 for (i = pwlen; i > 0; i -= 16)
757d2cad 2393 _cupsMD5Append(&state, digest, i > 16 ? 16 : i);
ef416fc2 2394
2395 for (i = pwlen; i > 0; i >>= 1)
757d2cad 2396 _cupsMD5Append(&state, (unsigned char *)((i & 1) ? "" : pw), 1);
ef416fc2 2397
757d2cad 2398 _cupsMD5Finish(&state, digest);
ef416fc2 2399
2400 for (i = 0; i < 1000; i ++)
2401 {
757d2cad 2402 _cupsMD5Init(&state);
ef416fc2 2403
2404 if (i & 1)
757d2cad 2405 _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
ef416fc2 2406 else
757d2cad 2407 _cupsMD5Append(&state, digest, 16);
ef416fc2 2408
2409 if (i % 3)
757d2cad 2410 _cupsMD5Append(&state, (unsigned char *)salt + 3, salt_end - salt - 3);
ef416fc2 2411
2412 if (i % 7)
757d2cad 2413 _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
ef416fc2 2414
2415 if (i & 1)
757d2cad 2416 _cupsMD5Append(&state, digest, 16);
ef416fc2 2417 else
757d2cad 2418 _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
ef416fc2 2419
757d2cad 2420 _cupsMD5Finish(&state, digest);
ef416fc2 2421 }
2422
2423 /*
2424 * Copy the final sum to the result string and return...
2425 */
2426
2427 memcpy(result, salt, salt_end - salt);
2428 ptr = result + (salt_end - salt);
2429 *ptr++ = '$';
2430
2431 for (i = 0; i < 5; i ++, ptr += 4)
2432 {
2433 n = (((digest[i] << 8) | digest[i + 6]) << 8);
2434
2435 if (i < 4)
2436 n |= digest[i + 12];
2437 else
2438 n |= digest[5];
2439
2440 to64(ptr, n, 4);
2441 }
2442
2443 to64(ptr, digest[11], 2);
2444 ptr += 2;
2445 *ptr = '\0';
2446
2447 return (result);
2448 }
2449 else
2450 {
2451 /*
2452 * Use the standard crypt() function...
2453 */
2454
2455 return (crypt(pw, salt));
2456 }
2457}
d09495fa 2458#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
ef416fc2 2459
2460
f7deaa1a 2461#ifdef HAVE_GSSAPI
2462/*
2463 * 'get_gss_creds()' - Obtain GSS credentials.
2464 */
2465
2466static gss_cred_id_t /* O - Server credentials */
2467get_gss_creds(const char *service_name) /* I - Service name */
2468{
2469 OM_uint32 major_status, /* Major status code */
2470 minor_status; /* Minor status code */
2471 gss_name_t server_name; /* Server name */
2472 gss_cred_id_t server_creds; /* Server credentials */
2473 gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
2474 /* Service name token */
2475 char buf[1024], /* Service name buffer */
2476 fqdn[HTTP_MAX_URI]; /* Hostname of server */
2477
2478
2479 snprintf(buf, sizeof(buf), "%s@%s", service_name,
2480 httpGetHostname(NULL, fqdn, sizeof(fqdn)));
2481
2482 token.value = buf;
2483 token.length = strlen(buf);
2484 server_name = GSS_C_NO_NAME;
2485 major_status = gss_import_name(&minor_status, &token,
2486 GSS_C_NT_HOSTBASED_SERVICE,
2487 &server_name);
2488
2489 memset(&token, 0, sizeof(token));
2490
2491 if (GSS_ERROR(major_status))
2492 {
2493 cupsdLogGSSMessage(CUPSD_LOG_WARN, major_status, minor_status,
2494 "gss_import_name() failed");
2495 return (NULL);
2496 }
2497
2498 major_status = gss_display_name(&minor_status, server_name, &token, NULL);
2499
2500 if (GSS_ERROR(major_status))
2501 {
2502 cupsdLogGSSMessage(CUPSD_LOG_WARN, major_status, minor_status,
2503 "gss_display_name() failed");
2504 return (NULL);
2505 }
2506
c24d2134
MS		 2507 cupsdLogMessage(CUPSD_LOG_DEBUG,
2508 "get_gss_creds: Attempting to acquire credentials for %s...",
f7deaa1a 2509 (char *)token.value);
2510
2511 server_creds = GSS_C_NO_CREDENTIAL;
2512 major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
2513 GSS_C_NO_OID_SET, GSS_C_ACCEPT,
2514 &server_creds, NULL, NULL);
2515 if (GSS_ERROR(major_status))
2516 {
2517 cupsdLogGSSMessage(CUPSD_LOG_WARN, major_status, minor_status,
2518 "gss_acquire_cred() failed");
2519 gss_release_name(&minor_status, &server_name);
2520 gss_release_buffer(&minor_status, &token);
2521 return (NULL);
2522 }
2523
c24d2134
MS		 2524 cupsdLogMessage(CUPSD_LOG_DEBUG,
2525 "get_gss_creds: Credentials acquired successfully for %s.",
f7deaa1a 2526 (char *)token.value);
2527
2528 gss_release_name(&minor_status, &server_name);
2529 gss_release_buffer(&minor_status, &token);
2530
2531 return (server_creds);
2532}
2533#endif /* HAVE_GSSAPI */
2534
2535
e1d6a774 2536/*
2537 * 'get_md5_password()' - Get an MD5 password.
2538 */
2539
2540static char * /* O - MD5 password string */
2541get_md5_password(const char *username, /* I - Username */
2542 const char *group, /* I - Group */
2543 char passwd[33]) /* O - MD5 password string */
2544{
2545 cups_file_t *fp; /* passwd.md5 file */
2546 char filename[1024], /* passwd.md5 filename */
2547 line[256], /* Line from file */
2548 tempuser[33], /* User from file */
2549 tempgroup[33]; /* Group from file */
2550
2551
2552 cupsdLogMessage(CUPSD_LOG_DEBUG2,
2553 "get_md5_password(username=\"%s\", group=\"%s\", passwd=%p)",
2554 username, group ? group : "(null)", passwd);
2555
2556 snprintf(filename, sizeof(filename), "%s/passwd.md5", ServerRoot);
2557 if ((fp = cupsFileOpen(filename, "r")) == NULL)
2558 {
2559 if (errno != ENOENT)
2560 cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to open %s - %s", filename,
2561 strerror(errno));
2562
2563 return (NULL);
2564 }
2565
2566 while (cupsFileGets(fp, line, sizeof(line)) != NULL)
2567 {
2568 if (sscanf(line, "%32[^:]:%32[^:]:%32s", tempuser, tempgroup, passwd) != 3)
2569 {
2570 cupsdLogMessage(CUPSD_LOG_ERROR, "Bad MD5 password line: %s", line);
2571 continue;
2572 }
2573
2574 if (!strcmp(username, tempuser) &&
2575 (group == NULL || !strcmp(group, tempgroup)))
2576 {
2577 /*
2578 * Found the password entry!
2579 */
2580
2581 cupsdLogMessage(CUPSD_LOG_DEBUG2, "Found MD5 user %s, group %s...",
2582 username, tempgroup);
2583
2584 cupsFileClose(fp);
2585 return (passwd);
2586 }
2587 }
2588
2589 /*
2590 * Didn't find a password entry - return NULL!
2591 */
2592
2593 cupsFileClose(fp);
2594 return (NULL);
2595}
2596
2597
ef416fc2 2598#if HAVE_LIBPAM
2599/*
2600 * 'pam_func()' - PAM conversation function.
2601 */
2602
2603static int /* O - Success or failure */
2604pam_func(
2605 int num_msg, /* I - Number of messages */
2606 const struct pam_message **msg, /* I - Messages */
2607 struct pam_response **resp, /* O - Responses */
2608 void *appdata_ptr)
2609 /* I - Pointer to connection */
2610{
2611 int i; /* Looping var */
2612 struct pam_response *replies; /* Replies */
2613 cupsd_authdata_t *data; /* Pointer to auth data */
2614
2615
2616 /*
2617 * Allocate memory for the responses...
2618 */
2619
2620 if ((replies = malloc(sizeof(struct pam_response) * num_msg)) == NULL)
2621 return (PAM_CONV_ERR);
2622
2623 /*
2624 * Answer all of the messages...
2625 */
2626
2627 DEBUG_printf(("pam_func: appdata_ptr = %p\n", appdata_ptr));
2628
2629#ifdef __hpux
2630 /*
2631 * Apparently some versions of HP-UX 11 have a broken pam_unix security
2632 * module. This is a workaround...
2633 */
2634
2635 data = auth_data;
2636 (void)appdata_ptr;
2637#else
2638 data = (cupsd_authdata_t *)appdata_ptr;
2639#endif /* __hpux */
2640
2641 for (i = 0; i < num_msg; i ++)
2642 {
2643 DEBUG_printf(("pam_func: Message = \"%s\"\n", msg[i]->msg));
2644
2645 switch (msg[i]->msg_style)
2646 {
2647 case PAM_PROMPT_ECHO_ON:
2648 DEBUG_printf(("pam_func: PAM_PROMPT_ECHO_ON, returning \"%s\"...\n",
2649 data->username));
2650 replies[i].resp_retcode = PAM_SUCCESS;
2651 replies[i].resp = strdup(data->username);
2652 break;
2653
2654 case PAM_PROMPT_ECHO_OFF:
2655 DEBUG_printf(("pam_func: PAM_PROMPT_ECHO_OFF, returning \"%s\"...\n",
2656 data->password));
2657 replies[i].resp_retcode = PAM_SUCCESS;
2658 replies[i].resp = strdup(data->password);
2659 break;
2660
2661 case PAM_TEXT_INFO:
2662 DEBUG_puts("pam_func: PAM_TEXT_INFO...");
2663 replies[i].resp_retcode = PAM_SUCCESS;
2664 replies[i].resp = NULL;
2665 break;
2666
2667 case PAM_ERROR_MSG:
2668 DEBUG_puts("pam_func: PAM_ERROR_MSG...");
2669 replies[i].resp_retcode = PAM_SUCCESS;
2670 replies[i].resp = NULL;
2671 break;
2672
2673 default:
2674 DEBUG_printf(("pam_func: Unknown PAM message %d...\n",
2675 msg[i]->msg_style));
2676 free(replies);
2677 return (PAM_CONV_ERR);
2678 }
2679 }
2680
2681 /*
2682 * Return the responses back to PAM...
2683 */
2684
2685 *resp = replies;
2686
2687 return (PAM_SUCCESS);
2688}
f7deaa1a 2689#elif !defined(HAVE_USERSEC_H)
ef416fc2 2690
2691
2692/*
2693 * 'to64()' - Base64-encode an integer value...
2694 */
2695
2696static void
2697to64(char *s, /* O - Output string */
2698 unsigned long v, /* I - Value to encode */
2699 int n) /* I - Number of digits */
2700{
2701 const char *itoa64 = "./0123456789"
2702 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
2703 "abcdefghijklmnopqrstuvwxyz";
2704
2705
2706 for (; n > 0; n --, v >>= 6)
2707 *s++ = itoa64[v & 0x3f];
2708}
2709#endif /* HAVE_LIBPAM */
2710
2711
2712/*
2e4ff8af 2713 * End of "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $".
ef416fc2 2714 */
Unnamed repository; edit this file 'description' to name the repository.