scheduler/cert.c

   1 /*
   2  * Authentication certificate routines for the CUPS scheduler.
   3  *
   4  * Copyright 2007-2016 by Apple Inc.
   5  * Copyright 1997-2006 by Easy Software Products.
   6  *
   7  * Licensed under Apache License v2.0.  See the file "LICENSE" for more information.
   8  */
   9
  10 /*
  11  * Include necessary headers...
  12  */
  13
  14 #include "cupsd.h"
  15 #ifdef HAVE_ACL_INIT
  16 #  include <sys/acl.h>
  17 #  ifdef HAVE_MEMBERSHIP_H
  18 #    include <membership.h>
  19 #  endif /* HAVE_MEMBERSHIP_H */
  20 #endif /* HAVE_ACL_INIT */
  21
  22
  23 /*
  24  * Local functions...
  25  */
  26
  27 static int      ctcompare(const char *a, const char *b);
  28
  29
  30 /*
  31  * 'cupsdAddCert()' - Add a certificate.
  32  */
  33
  34 void
  35 cupsdAddCert(int        pid,            /* I - Process ID */
  36              const char *username,      /* I - Username */
  37              int        type)           /* I - AuthType for username */
  38 {
  39   int           i;                      /* Looping var */
  40   cupsd_cert_t  *cert;                  /* Current certificate */
  41   int           fd;                     /* Certificate file */
  42   char          filename[1024];         /* Certificate filename */
  43   static const char hex[] = "0123456789ABCDEF";
  44                                         /* Hex constants... */
  45
  46
  47   cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAddCert: Adding certificate for PID %d", pid);
  48
  49  /*
  50   * Allocate memory for the certificate...
  51   */
  52
  53   if ((cert = calloc(sizeof(cupsd_cert_t), 1)) == NULL)
  54     return;
  55
  56  /*
  57   * Fill in the certificate information...
  58   */
  59
  60   cert->pid  = pid;
  61   cert->type = type;
  62   strlcpy(cert->username, username, sizeof(cert->username));
  63
  64   for (i = 0; i < 32; i ++)
  65     cert->certificate[i] = hex[CUPS_RAND() & 15];
  66
  67  /*
  68   * Save the certificate to a file readable only by the User and Group
  69   * (or root and SystemGroup for PID == 0)...
  70   */
  71
  72   snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, pid);
  73   unlink(filename);
  74
  75   if ((fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, 0400)) < 0)
  76   {
  77     cupsdLogMessage(CUPSD_LOG_ERROR,
  78                     "Unable to create certificate file %s - %s",
  79                     filename, strerror(errno));
  80     free(cert);
  81     return;
  82   }
  83
  84   if (pid == 0)
  85   {
  86 #ifdef HAVE_ACL_INIT
  87     acl_t               acl;            /* ACL information */
  88     acl_entry_t         entry;          /* ACL entry */
  89     acl_permset_t       permset;        /* Permissions */
  90 #  ifdef HAVE_MBR_UID_TO_UUID
  91     uuid_t              group;          /* Group ID */
  92 #  endif /* HAVE_MBR_UID_TO_UUID */
  93     static int          acls_not_supported = 0;
  94                                         /* Only warn once */
  95 #endif /* HAVE_ACL_INIT */
  96
  97
  98    /*
  99     * Root certificate...
 100     */
 101
 102     fchmod(fd, 0440);
 103     fchown(fd, RunUser, SystemGroupIDs[0]);
 104
 105     cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddCert: NumSystemGroups=%d", NumSystemGroups);
 106
 107 #ifdef HAVE_ACL_INIT
 108     if (NumSystemGroups > 1)
 109     {
 110      /*
 111       * Set POSIX ACLs for the root certificate so that all system
 112       * groups can access it...
 113       */
 114
 115       int       j;                      /* Looping var */
 116
 117 #  ifdef HAVE_MBR_UID_TO_UUID
 118      /*
 119       * On macOS, ACLs use UUIDs instead of GIDs...
 120       */
 121
 122       acl = acl_init(NumSystemGroups - 1);
 123
 124       for (i = 1; i < NumSystemGroups; i ++)
 125       {
 126        /*
 127         * Add each group ID to the ACL...
 128         */
 129
 130         for (j = 0; j < i; j ++)
 131           if (SystemGroupIDs[j] == SystemGroupIDs[i])
 132             break;
 133
 134         if (j < i)
 135           continue;                     /* Skip duplicate groups */
 136
 137         acl_create_entry(&acl, &entry);
 138         acl_get_permset(entry, &permset);
 139         acl_add_perm(permset, ACL_READ_DATA);
 140         acl_set_tag_type(entry, ACL_EXTENDED_ALLOW);
 141         mbr_gid_to_uuid((gid_t)SystemGroupIDs[i], group);
 142         acl_set_qualifier(entry, &group);
 143         acl_set_permset(entry, permset);
 144       }
 145
 146 #  else
 147      /*
 148       * POSIX ACLs need permissions for owner, group, other, and mask
 149       * in addition to the rest of the system groups...
 150       */
 151
 152       acl = acl_init(NumSystemGroups + 3);
 153
 154       /* Owner */
 155       acl_create_entry(&acl, &entry);
 156       acl_get_permset(entry, &permset);
 157       acl_add_perm(permset, ACL_READ);
 158       acl_set_tag_type(entry, ACL_USER_OBJ);
 159       acl_set_permset(entry, permset);
 160
 161       /* Group */
 162       acl_create_entry(&acl, &entry);
 163       acl_get_permset(entry, &permset);
 164       acl_add_perm(permset, ACL_READ);
 165       acl_set_tag_type(entry, ACL_GROUP_OBJ);
 166       acl_set_permset(entry, permset);
 167
 168       /* Others */
 169       acl_create_entry(&acl, &entry);
 170       acl_get_permset(entry, &permset);
 171       acl_add_perm(permset, 0);
 172       acl_set_tag_type(entry, ACL_OTHER);
 173       acl_set_permset(entry, permset);
 174
 175       /* Mask */
 176       acl_create_entry(&acl, &entry);
 177       acl_get_permset(entry, &permset);
 178       acl_add_perm(permset, ACL_READ);
 179       acl_set_tag_type(entry, ACL_MASK);
 180       acl_set_permset(entry, permset);
 181
 182       for (i = 1; i < NumSystemGroups; i ++)
 183       {
 184        /*
 185         * Add each group ID to the ACL...
 186         */
 187
 188         for (j = 0; j < i; j ++)
 189           if (SystemGroupIDs[j] == SystemGroupIDs[i])
 190             break;
 191
 192         if (j < i)
 193           continue;                     /* Skip duplicate groups */
 194
 195         acl_create_entry(&acl, &entry);
 196         acl_get_permset(entry, &permset);
 197         acl_add_perm(permset, ACL_READ);
 198         acl_set_tag_type(entry, ACL_GROUP);
 199         acl_set_qualifier(entry, SystemGroupIDs + i);
 200         acl_set_permset(entry, permset);
 201       }
 202
 203       if (acl_valid(acl))
 204       {
 205         char *text, *textptr;           /* Temporary string */
 206
 207         cupsdLogMessage(CUPSD_LOG_ERROR, "ACL did not validate: %s",
 208                         strerror(errno));
 209         text = acl_to_text(acl, NULL);
 210         for (textptr = strchr(text, '\n');
 211              textptr;
 212              textptr = strchr(textptr + 1, '\n'))
 213           *textptr = ',';
 214
 215         cupsdLogMessage(CUPSD_LOG_ERROR, "ACL: %s", text);
 216         acl_free(text);
 217       }
 218 #  endif /* HAVE_MBR_UID_TO_UUID */
 219
 220       if (acl_set_fd(fd, acl))
 221       {
 222         if (errno != EOPNOTSUPP || !acls_not_supported)
 223           cupsdLogMessage(CUPSD_LOG_ERROR,
 224                           "Unable to set ACLs on root certificate \"%s\" - %s",
 225                           filename, strerror(errno));
 226
 227         if (errno == EOPNOTSUPP)
 228           acls_not_supported = 1;
 229       }
 230
 231       acl_free(acl);
 232     }
 233 #endif /* HAVE_ACL_INIT */
 234
 235     RootCertTime = time(NULL);
 236   }
 237   else
 238   {
 239    /*
 240     * CGI certificate...
 241     */
 242
 243     fchmod(fd, 0400);
 244     fchown(fd, User, Group);
 245   }
 246
 247   write(fd, cert->certificate, strlen(cert->certificate));
 248   close(fd);
 249
 250  /*
 251   * Insert the certificate at the front of the list...
 252   */
 253
 254   cert->next = Certs;
 255   Certs      = cert;
 256 }
 257
 258
 259 /*
 260  * 'cupsdDeleteCert()' - Delete a single certificate.
 261  */
 262
 263 void
 264 cupsdDeleteCert(int pid)                /* I - Process ID */
 265 {
 266   cupsd_cert_t  *cert,                  /* Current certificate */
 267                 *prev;                  /* Previous certificate */
 268   char          filename[1024];         /* Certificate file */
 269
 270
 271   for (prev = NULL, cert = Certs; cert != NULL; prev = cert, cert = cert->next)
 272     if (cert->pid == pid)
 273     {
 274      /*
 275       * Remove this certificate from the list...
 276       */
 277
 278       cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDeleteCert: Removing certificate for PID %d.", pid);
 279
 280       if (prev == NULL)
 281         Certs = cert->next;
 282       else
 283         prev->next = cert->next;
 284
 285       free(cert);
 286
 287      /*
 288       * Delete the file and return...
 289       */
 290
 291       snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, pid);
 292       if (unlink(filename))
 293         cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to remove %s!", filename);
 294
 295       return;
 296     }
 297 }
 298
 299
 300 /*
 301  * 'cupsdDeleteAllCerts()' - Delete all certificates...
 302  */
 303
 304 void
 305 cupsdDeleteAllCerts(void)
 306 {
 307   cupsd_cert_t  *cert,                  /* Current certificate */
 308                 *next;                  /* Next certificate */
 309   char          filename[1024];         /* Certificate file */
 310
 311
 312  /*
 313   * Loop through each certificate, deleting them...
 314   */
 315
 316   for (cert = Certs; cert != NULL; cert = next)
 317   {
 318    /*
 319     * Delete the file...
 320     */
 321
 322     snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, cert->pid);
 323     if (unlink(filename))
 324       cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to remove %s!", filename);
 325
 326    /*
 327     * Free memory...
 328     */
 329
 330     next = cert->next;
 331     free(cert);
 332   }
 333
 334   Certs        = NULL;
 335   RootCertTime = 0;
 336 }
 337
 338
 339 /*
 340  * 'cupsdFindCert()' - Find a certificate.
 341  */
 342
 343 cupsd_cert_t *                          /* O - Matching certificate or NULL */
 344 cupsdFindCert(const char *certificate)  /* I - Certificate */
 345 {
 346   cupsd_cert_t  *cert;                  /* Current certificate */
 347
 348
 349   cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert(certificate=%s)", certificate);
 350   for (cert = Certs; cert != NULL; cert = cert->next)
 351     if (!ctcompare(certificate, cert->certificate))
 352     {
 353       cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Returning \"%s\".", cert->username);
 354       return (cert);
 355     }
 356
 357   cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Certificate not found.");
 358
 359   return (NULL);
 360 }
 361
 362
 363 /*
 364  * 'cupsdInitCerts()' - Initialize the certificate "system" and root
 365  *                      certificate.
 366  */
 367
 368 void
 369 cupsdInitCerts(void)
 370 {
 371 #ifndef HAVE_ARC4RANDOM
 372   cups_file_t   *fp;                    /* /dev/random file */
 373
 374
 375  /*
 376   * Initialize the random number generator using the random device or
 377   * the current time, as available...
 378   */
 379
 380   if ((fp = cupsFileOpen("/dev/urandom", "rb")) == NULL)
 381   {
 382     struct timeval tod;                 /* Time of day */
 383
 384    /*
 385     * Get the time in usecs and use it as the initial seed...
 386     */
 387
 388     gettimeofday(&tod, NULL);
 389
 390     CUPS_SRAND((unsigned)(tod.tv_sec + tod.tv_usec));
 391   }
 392   else
 393   {
 394     unsigned    seed;                   /* Seed for random number generator */
 395
 396    /*
 397     * Read 4 random characters from the random device and use
 398     * them as the seed...
 399     */
 400
 401     seed = (unsigned)cupsFileGetChar(fp);
 402     seed = (seed << 8) | (unsigned)cupsFileGetChar(fp);
 403     seed = (seed << 8) | (unsigned)cupsFileGetChar(fp);
 404     CUPS_SRAND((seed << 8) | (unsigned)cupsFileGetChar(fp));
 405
 406     cupsFileClose(fp);
 407   }
 408 #endif /* !HAVE_ARC4RANDOM */
 409
 410  /*
 411   * Create a root certificate and return...
 412   */
 413
 414   if (!RunUser)
 415     cupsdAddCert(0, "root", cupsdDefaultAuthType());
 416 }
 417
 418
 419 /*
 420  * 'ctcompare()' - Compare two strings in constant time.
 421  */
 422
 423 static int                              /* O - 0 on match, non-zero on non-match */
 424 ctcompare(const char *a,                /* I - First string */
 425           const char *b)                /* I - Second string */
 426 {
 427   int   result = 0;                     /* Result */
 428
 429
 430   while (*a && *b)
 431   {
 432     result |= *a ^ *b;
 433     a ++;
 434     b ++;
 435   }
 436
 437   return (result);
 438 }