Commit | Line | Data |
---|---|---|
a4ad3a11 | 1 | /* |
c9d3f842 | 2 | * "$Id$" |
a4ad3a11 | 3 | * |
64252c8e | 4 | * Authentication certificate routines for the CUPS scheduler. |
a4ad3a11 | 5 | * |
5795dc98 | 6 | * Copyright 2007-2012 by Apple Inc. |
fd42fabb | 7 | * Copyright 1997-2006 by Easy Software Products. |
a4ad3a11 | 8 | * |
9 | * These coded instructions, statements, and computer programs are the | |
4e8d321f | 10 | * property of Apple Inc. and are protected by Federal copyright |
11 | * law. Distribution and use rights are outlined in the file "LICENSE.txt" | |
12 | * which should have been included with this file. If this file is | |
13 | * file is missing or damaged, see the license at "http://www.cups.org/". | |
a4ad3a11 | 14 | * |
15 | * Contents: | |
16 | * | |
589eb420 | 17 | * cupsdAddCert() - Add a certificate. |
18 | * cupsdDeleteCert() - Delete a single certificate. | |
19 | * cupsdDeleteAllCerts() - Delete all certificates... | |
20 | * cupsdFindCert() - Find a certificate. | |
21 | * cupsdInitCerts() - Initialize the certificate "system" and root | |
f3e786fc | 22 | * certificate. |
a4ad3a11 | 23 | */ |
24 | ||
25 | /* | |
26 | * Include necessary headers... | |
27 | */ | |
28 | ||
29 | #include "cupsd.h" | |
5c6b3ae4 | 30 | #ifdef HAVE_ACL_INIT |
31 | # include <sys/acl.h> | |
fd42fabb | 32 | # ifdef HAVE_MEMBERSHIP_H |
33 | # include <membership.h> | |
34 | # endif /* HAVE_MEMBERSHIP_H */ | |
5c6b3ae4 | 35 | #endif /* HAVE_ACL_INIT */ |
a4ad3a11 | 36 | |
37 | ||
38 | /* | |
589eb420 | 39 | * 'cupsdAddCert()' - Add a certificate. |
a4ad3a11 | 40 | */ |
41 | ||
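void
cupsdAddCert(int        pid,		/* I - Process ID */
             const char *username,	/* I - Username */
             int        type)		/* I - AuthType for username */
{
  int		i;			/* Looping var */
  cupsd_cert_t	*cert;			/* Current certificate */
  int		fd;			/* Certificate file */
  ssize_t	written;		/* Bytes written to the file */
  char		filename[1024];		/* Certificate filename */
  const int	certlen = 32;		/* Hex digits in a certificate */
  static const char hex[] = "0123456789ABCDEF";
					/* Hex constants... */


 /*
  * Creates a 32 hex digit certificate for "pid", stores it in
  * StateDir/certs/<pid>, and links the in-memory record at the head of
  * the global Certs list.  PID 0 is the root certificate (mode 0440,
  * RunUser:SystemGroupIDs[0], plus ACL entries for the other system
  * groups); any other PID gets a CGI certificate (mode 0400, User:Group).
  *
  * On any failure to create or fully write the file, nothing is added to
  * the list and the function returns silently to the caller (errors are
  * logged).
  */

  cupsdLogMessage(CUPSD_LOG_DEBUG2,
                  "cupsdAddCert: Adding certificate for PID %d", pid);

 /*
  * Allocate memory for the certificate...
  */

  if ((cert = calloc(1, sizeof(*cert))) == NULL)
    return;

 /*
  * Fill in the certificate information...
  */

  cert->pid  = pid;
  cert->type = type;
  strlcpy(cert->username, username, sizeof(cert->username));

 /*
  * The certificate is the shared secret for local authentication, so its
  * strength is exactly that of CUPS_RAND() and its seed.  The string
  * terminator comes from calloc() above.
  *
  * NOTE(review): assumes sizeof(cert->certificate) >= 33 - confirm
  * against the cupsd_cert_t declaration.
  */

  for (i = 0; i < certlen; i ++)
    cert->certificate[i] = hex[CUPS_RAND() & 15];

 /*
  * Save the certificate to a file readable only by the User and Group
  * (or root and SystemGroup for PID == 0)...
  *
  * O_EXCL after unlink() makes open() fail rather than follow or reuse
  * anything that was placed at this path in between.
  */

  snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, pid);
  unlink(filename);

  if ((fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, 0400)) < 0)
  {
    cupsdLogMessage(CUPSD_LOG_ERROR,
                    "Unable to create certificate file %s - %s",
                    filename, strerror(errno));
    free(cert);
    return;
  }

  if (pid == 0)
  {
#ifdef HAVE_ACL_INIT
    acl_t		acl;		/* ACL information */
    acl_entry_t		entry;		/* ACL entry */
    acl_permset_t	permset;	/* Permissions */
#  ifdef HAVE_MBR_UID_TO_UUID
    uuid_t		group;		/* Group ID */
#  endif /* HAVE_MBR_UID_TO_UUID */
    static int		acls_not_supported = 0;
					/* Only warn once */
#endif /* HAVE_ACL_INIT */


   /*
    * Root certificate...
    */

    if (fchmod(fd, 0440))
      cupsdLogMessage(CUPSD_LOG_ERROR,
                      "Unable to set permissions on root certificate "
                      "\"%s\" - %s", filename, strerror(errno));

    if (fchown(fd, RunUser, SystemGroupIDs[0]))
      cupsdLogMessage(CUPSD_LOG_ERROR,
                      "Unable to set ownership of root certificate "
                      "\"%s\" - %s", filename, strerror(errno));

    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddCert: NumSystemGroups=%d",
                    NumSystemGroups);

#ifdef HAVE_ACL_INIT
    if (NumSystemGroups > 1)
    {
     /*
      * Set POSIX ACLs for the root certificate so that all system
      * groups can access it...
      */

      int	j;			/* Looping var */

#  ifdef HAVE_MBR_UID_TO_UUID
     /*
      * On MacOS X, ACLs use UUIDs instead of GIDs...
      */

      if ((acl = acl_init(NumSystemGroups - 1)) != NULL)
      {
        for (i = 1; i < NumSystemGroups; i ++)
        {
         /*
          * Add each group ID to the ACL...
          */

          for (j = 0; j < i; j ++)
            if (SystemGroupIDs[j] == SystemGroupIDs[i])
              break;

          if (j < i)
            continue;			/* Skip duplicate groups */

          acl_create_entry(&acl, &entry);
          acl_get_permset(entry, &permset);
          acl_add_perm(permset, ACL_READ_DATA);
          acl_set_tag_type(entry, ACL_EXTENDED_ALLOW);
          mbr_gid_to_uuid((gid_t)SystemGroupIDs[i], group);
          acl_set_qualifier(entry, &group);
          acl_set_permset(entry, permset);
        }
      }

#  else
     /*
      * POSIX ACLs need permissions for owner, group, other, and mask
      * in addition to the rest of the system groups...
      */

      if ((acl = acl_init(NumSystemGroups + 3)) != NULL)
      {
        /* Owner */
        acl_create_entry(&acl, &entry);
        acl_get_permset(entry, &permset);
        acl_add_perm(permset, ACL_READ);
        acl_set_tag_type(entry, ACL_USER_OBJ);
        acl_set_permset(entry, permset);

        /* Group */
        acl_create_entry(&acl, &entry);
        acl_get_permset(entry, &permset);
        acl_add_perm(permset, ACL_READ);
        acl_set_tag_type(entry, ACL_GROUP_OBJ);
        acl_set_permset(entry, permset);

        /* Others */
        acl_create_entry(&acl, &entry);
        acl_get_permset(entry, &permset);
        acl_add_perm(permset, 0);
        acl_set_tag_type(entry, ACL_OTHER);
        acl_set_permset(entry, permset);

        /* Mask */
        acl_create_entry(&acl, &entry);
        acl_get_permset(entry, &permset);
        acl_add_perm(permset, ACL_READ);
        acl_set_tag_type(entry, ACL_MASK);
        acl_set_permset(entry, permset);

        for (i = 1; i < NumSystemGroups; i ++)
        {
         /*
          * Add each group ID to the ACL...
          */

          for (j = 0; j < i; j ++)
            if (SystemGroupIDs[j] == SystemGroupIDs[i])
              break;

          if (j < i)
            continue;			/* Skip duplicate groups */

          acl_create_entry(&acl, &entry);
          acl_get_permset(entry, &permset);
          acl_add_perm(permset, ACL_READ);
          acl_set_tag_type(entry, ACL_GROUP);
          acl_set_qualifier(entry, SystemGroupIDs + i);
          acl_set_permset(entry, permset);
        }

        if (acl_valid(acl))
        {
          char	*text, *textptr;	/* Temporary string */

          cupsdLogMessage(CUPSD_LOG_ERROR, "ACL did not validate: %s",
                          strerror(errno));

         /*
          * acl_to_text() can fail; only flatten and log the text form
          * when one was actually returned...
          */

          if ((text = acl_to_text(acl, NULL)) != NULL)
          {
            for (textptr = strchr(text, '\n');
                 textptr;
                 textptr = strchr(textptr + 1, '\n'))
              *textptr = ',';

            cupsdLogMessage(CUPSD_LOG_ERROR, "ACL: %s", text);
            acl_free(text);
          }
        }
      }
#  endif /* HAVE_MBR_UID_TO_UUID */

      if (!acl)
      {
       /*
        * No ACL could be allocated; the file keeps the mode and owner set
        * above, so only the first system group can read it...
        */

        cupsdLogMessage(CUPSD_LOG_ERROR,
                        "Unable to allocate ACL for root certificate "
                        "\"%s\" - %s", filename, strerror(errno));
      }
      else
      {
        if (acl_set_fd(fd, acl))
        {
          if (errno != EOPNOTSUPP || !acls_not_supported)
            cupsdLogMessage(CUPSD_LOG_ERROR,
                            "Unable to set ACLs on root certificate \"%s\" - %s",
                            filename, strerror(errno));

          if (errno == EOPNOTSUPP)
            acls_not_supported = 1;
        }

        acl_free(acl);
      }
    }
#endif /* HAVE_ACL_INIT */
  }
  else
  {
   /*
    * CGI certificate...
    */

    if (fchmod(fd, 0400))
      cupsdLogMessage(CUPSD_LOG_ERROR,
                      "Unable to set permissions on certificate \"%s\" - %s",
                      filename, strerror(errno));

    if (fchown(fd, User, Group))
      cupsdLogMessage(CUPSD_LOG_ERROR,
                      "Unable to set ownership of certificate \"%s\" - %s",
                      filename, strerror(errno));
  }

 /*
  * The certificate value is a secret, so it is kept out of the debug
  * output...
  */

  DEBUG_printf(("ADD pid=%d, username=%s\n", pid, username));

 /*
  * Write the certificate; a missing or truncated file is useless to the
  * client, so remove it and do not register the certificate...
  */

  written = write(fd, cert->certificate, (size_t)certlen);

  if (written != (ssize_t)certlen)
  {
    cupsdLogMessage(CUPSD_LOG_ERROR,
                    "Unable to write certificate file %s - %s",
                    filename, written < 0 ? strerror(errno) : "short write");
    close(fd);
    unlink(filename);
    free(cert);
    return;
  }

  if (close(fd))
    cupsdLogMessage(CUPSD_LOG_ERROR,
                    "Unable to close certificate file %s - %s",
                    filename, strerror(errno));

 /*
  * Record the root certificate time only once the file is complete, the
  * same as when open() fails above...
  */

  if (pid == 0)
    RootCertTime = time(NULL);

 /*
  * Insert the certificate at the front of the list...
  */

  cert->next = Certs;
  Certs      = cert;
}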
270 | ||
271 | ||
272 | /* | |
589eb420 | 273 | * 'cupsdDeleteCert()' - Delete a single certificate. |
a4ad3a11 | 274 | */ |
275 | ||
void
cupsdDeleteCert(int pid)		/* I - Process ID */
{
  cupsd_cert_t	**link,			/* Link that points at the current entry */
		*match;			/* Current certificate */
  char		filename[1024];		/* Certificate file */


 /*
  * Walk the Certs list through the "next" links; the first entry whose
  * PID matches is unlinked, freed, and its file under StateDir/certs is
  * removed.  Nothing happens when no entry matches.
  *
  * NOTE(review): the certificate text is handed to DEBUG_printf() and the
  * record is freed without being cleared first - worth confirming that
  * debug builds are never deployed.
  */

  for (link = &Certs; (match = *link) != NULL; link = &match->next)
  {
    if (match->pid != pid)
      continue;

   /*
    * Remove this certificate from the list...
    */

    cupsdLogMessage(CUPSD_LOG_DEBUG2,
                    "cupsdDeleteCert: Removing certificate for PID %d", pid);

    DEBUG_printf(("DELETE pid=%d, username=%s, cert=%s\n", match->pid,
                  match->username, match->certificate));

    *link = match->next;		/* Covers both head and interior entries */

    free(match);

   /*
    * Delete the file and return...
    */

    snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, pid);
    if (unlink(filename))
      cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to remove %s!", filename);

    return;
  }
}
315 | ||
316 | ||
317 | /* | |
589eb420 | 318 | * 'cupsdDeleteAllCerts()' - Delete all certificates... |
a4ad3a11 | 319 | */ |
320 | ||
void
cupsdDeleteAllCerts(void)
{
  cupsd_cert_t	*cursor,		/* Next certificate to process */
		*doomed;		/* Certificate being deleted */
  char		filename[1024];		/* Certificate file */


 /*
  * Remove every certificate file under StateDir/certs that has an entry
  * in the Certs list, free the entries, then reset the list head and the
  * root certificate timestamp.  A file that cannot be removed is logged
  * and skipped.
  */

  cursor = Certs;

  while (cursor != NULL)
  {
    doomed = cursor;
    cursor = doomed->next;

   /*
    * Delete the file...
    */

    snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir,
             doomed->pid);

    if (unlink(filename) != 0)
      cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to remove %s!", filename);

   /*
    * Free memory...
    */

    free(doomed);
  }

  RootCertTime = 0;
  Certs        = NULL;
}
354 | ||
355 | ||
356 | /* | |
589eb420 | 357 | * 'cupsdFindCert()' - Find a certificate. |
a4ad3a11 | 358 | */ |
359 | ||
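/*
 * 'cupsd_cert_equal()' - Compare a presented certificate with a stored one.
 *
 * ASCII letters are folded to lowercase, which keeps the case-insensitive
 * matching callers already rely on.  Every character pair up to the end of
 * the shorter string is examined and the differences are accumulated, so
 * the running time does not reveal the position of the first mismatch.
 */

static int				/* O - 1 if equal, 0 otherwise */
cupsd_cert_equal(const char *presented,	/* I - Value supplied by the client */
                 const char *stored)	/* I - Value held by the scheduler */
{
  unsigned	diff = 0;		/* Accumulated differences */
  unsigned	p, s;			/* Current characters */


  while (*presented && *stored)
  {
    p = (unsigned char)*presented++;
    s = (unsigned char)*stored++;

   /*
    * Set bit 0x20 only for 'A'..'Z'; the unsigned subtraction wraps for
    * anything below 'A' so a single comparison covers the range...
    */

    p |= (unsigned)((p - 'A') < 26u) << 5;
    s |= (unsigned)((s - 'A') < 26u) << 5;

    diff |= p ^ s;
  }

 /*
  * Whatever is left over in either string makes the lengths differ...
  */

  diff |= (unsigned char)*presented;
  diff |= (unsigned char)*stored;

  return (diff == 0);
}


cupsd_cert_t *				/* O - Matching certificate or NULL */
cupsdFindCert(const char *certificate)	/* I - Certificate */
{
  cupsd_cert_t	*cert;			/* Current certificate */


 /*
  * The presented value may be a valid certificate, so it is not written to
  * the log; anyone able to read the log could otherwise reuse it while it
  * remains in the Certs list.
  */

  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Looking up certificate...");

  if (!certificate)
  {
    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Certificate not found!");

    return (NULL);
  }

  for (cert = Certs; cert != NULL; cert = cert->next)
    if (cupsd_cert_equal(certificate, cert->certificate))
    {
      cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Returning %s...",
                      cert->username);
      return (cert);
    }

  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Certificate not found!");

  return (NULL);
}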
380 | ||
381 | ||
382 | /* | |
f3e786fc | 383 | * 'cupsdInitCerts()' - Initialize the certificate "system" and root |
384 | * certificate. | |
a4ad3a11 | 385 | */ |
386 | ||
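void
cupsdInitCerts(void)
{
#ifndef HAVE_ARC4RANDOM
  cups_file_t	*fp;			/* /dev/urandom file */
  unsigned	seed = 0;		/* Seed for random number generator */
  int		have_seed = 0;		/* Got 4 bytes from the random device? */


 /*
  * Initialize the random number generator using the random device or
  * the current time, as available...
  *
  * The seed is at most 32 bits wide, which bounds the unpredictability of
  * every certificate later drawn from CUPS_RAND() in this file.
  */

  if ((fp = cupsFileOpen("/dev/urandom", "rb")) != NULL)
  {
    int	i;				/* Looping var */
    int	ch;				/* Byte from the random device */


   /*
    * Read 4 random characters from the random device and use
    * them as the seed...
    *
    * cupsFileGetChar() returns a negative value at end-of-file or on
    * error; OR-ing that into the seed would produce the same all-ones
    * seed on every run, so a short read is treated as "no seed".
    */

    have_seed = 1;

    for (i = 0; i < 4; i ++)
    {
      if ((ch = cupsFileGetChar(fp)) < 0)
      {
        have_seed = 0;
        break;
      }

      seed = (seed << 8) | (unsigned)ch;
    }

    cupsFileClose(fp);
  }

  if (!have_seed)
  {
    struct timeval	tod;		/* Time of day */


   /*
    * Get the time in usecs and use it as the initial seed...
    *
    * The start time can be estimated by an observer, so make the
    * weaker seeding visible to the administrator.
    */

    cupsdLogMessage(CUPSD_LOG_ERROR,
                    "Unable to read /dev/urandom; seeding certificate "
                    "generator from the current time.");

    gettimeofday(&tod, NULL);

    seed = (unsigned)(tod.tv_sec + tod.tv_usec);
  }

  CUPS_SRAND(seed);
#endif /* !HAVE_ARC4RANDOM */

 /*
  * Create a root certificate and return...
  *
  * The root certificate is only created when RunUser is 0.
  */

  if (!RunUser)
    cupsdAddCert(0, "root", cupsdDefaultAuthType());
}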
436 | ||
437 | ||
438 | /* | |
c9d3f842 | 439 | * End of "$Id$". |
a4ad3a11 | 440 | */ |