scheduler/cert.c

   1 /*
   2  * "$Id$"
   3  *
   4  * Authentication certificate routines for the CUPS scheduler.
   5  *
   6  * Copyright 2007-2015 by Apple Inc.
   7  * Copyright 1997-2006 by Easy Software Products.
   8  *
   9  * These coded instructions, statements, and computer programs are the
  10  * property of Apple Inc. and are protected by Federal copyright
  11  * law.  Distribution and use rights are outlined in the file "LICENSE.txt"
  12  * which should have been included with this file.  If this file is
  13  * file is missing or damaged, see the license at "http://www.cups.org/".
  14  */
  15
  16 /*
  17  * Include necessary headers...
  18  */
  19
  20 #include "cupsd.h"
  21 #ifdef HAVE_ACL_INIT
  22 #  include <sys/acl.h>
  23 #  ifdef HAVE_MEMBERSHIP_H
  24 #    include <membership.h>
  25 #  endif /* HAVE_MEMBERSHIP_H */
  26 #endif /* HAVE_ACL_INIT */
  27
  28
  29 /*
  30  * Local functions...
  31  */
  32
  33 static int      ctcompare(const char *a, const char *b);
  34
  35
  36 /*
  37  * 'cupsdAddCert()' - Add a certificate.
  38  */
  39
  40 void
  41 cupsdAddCert(int        pid,            /* I - Process ID */
  42              const char *username,      /* I - Username */
  43              int        type)           /* I - AuthType for username */
  44 {
  45   int           i;                      /* Looping var */
  46   cupsd_cert_t  *cert;                  /* Current certificate */
  47   int           fd;                     /* Certificate file */
  48   char          filename[1024];         /* Certificate filename */
  49   static const char hex[] = "0123456789ABCDEF";
  50                                         /* Hex constants... */
  51
  52
  53   cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAddCert: Adding certificate for PID %d", pid);
  54
  55  /*
  56   * Allocate memory for the certificate...
  57   */
  58
  59   if ((cert = calloc(sizeof(cupsd_cert_t), 1)) == NULL)
  60     return;
  61
  62  /*
  63   * Fill in the certificate information...
  64   */
  65
  66   cert->pid  = pid;
  67   cert->type = type;
  68   strlcpy(cert->username, username, sizeof(cert->username));
  69
  70   for (i = 0; i < 32; i ++)
  71     cert->certificate[i] = hex[CUPS_RAND() & 15];
  72
  73  /*
  74   * Save the certificate to a file readable only by the User and Group
  75   * (or root and SystemGroup for PID == 0)...
  76   */
  77
  78   snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, pid);
  79   unlink(filename);
  80
  81   if ((fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, 0400)) < 0)
  82   {
  83     cupsdLogMessage(CUPSD_LOG_ERROR,
  84                     "Unable to create certificate file %s - %s",
  85                     filename, strerror(errno));
  86     free(cert);
  87     return;
  88   }
  89
  90   if (pid == 0)
  91   {
  92 #ifdef HAVE_ACL_INIT
  93     acl_t               acl;            /* ACL information */
  94     acl_entry_t         entry;          /* ACL entry */
  95     acl_permset_t       permset;        /* Permissions */
  96 #  ifdef HAVE_MBR_UID_TO_UUID
  97     uuid_t              group;          /* Group ID */
  98 #  endif /* HAVE_MBR_UID_TO_UUID */
  99     static int          acls_not_supported = 0;
 100                                         /* Only warn once */
 101 #endif /* HAVE_ACL_INIT */
 102
 103
 104    /*
 105     * Root certificate...
 106     */
 107
 108     fchmod(fd, 0440);
 109     fchown(fd, RunUser, SystemGroupIDs[0]);
 110
 111     cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddCert: NumSystemGroups=%d",
 112                     NumSystemGroups);
 113
 114 #ifdef HAVE_ACL_INIT
 115     if (NumSystemGroups > 1)
 116     {
 117      /*
 118       * Set POSIX ACLs for the root certificate so that all system
 119       * groups can access it...
 120       */
 121
 122       int       j;                      /* Looping var */
 123
 124 #  ifdef HAVE_MBR_UID_TO_UUID
 125      /*
 126       * On MacOS X, ACLs use UUIDs instead of GIDs...
 127       */
 128
 129       acl = acl_init(NumSystemGroups - 1);
 130
 131       for (i = 1; i < NumSystemGroups; i ++)
 132       {
 133        /*
 134         * Add each group ID to the ACL...
 135         */
 136
 137         for (j = 0; j < i; j ++)
 138           if (SystemGroupIDs[j] == SystemGroupIDs[i])
 139             break;
 140
 141         if (j < i)
 142           continue;                     /* Skip duplicate groups */
 143
 144         acl_create_entry(&acl, &entry);
 145         acl_get_permset(entry, &permset);
 146         acl_add_perm(permset, ACL_READ_DATA);
 147         acl_set_tag_type(entry, ACL_EXTENDED_ALLOW);
 148         mbr_gid_to_uuid((gid_t)SystemGroupIDs[i], group);
 149         acl_set_qualifier(entry, &group);
 150         acl_set_permset(entry, permset);
 151       }
 152
 153 #  else
 154      /*
 155       * POSIX ACLs need permissions for owner, group, other, and mask
 156       * in addition to the rest of the system groups...
 157       */
 158
 159       acl = acl_init(NumSystemGroups + 3);
 160
 161       /* Owner */
 162       acl_create_entry(&acl, &entry);
 163       acl_get_permset(entry, &permset);
 164       acl_add_perm(permset, ACL_READ);
 165       acl_set_tag_type(entry, ACL_USER_OBJ);
 166       acl_set_permset(entry, permset);
 167
 168       /* Group */
 169       acl_create_entry(&acl, &entry);
 170       acl_get_permset(entry, &permset);
 171       acl_add_perm(permset, ACL_READ);
 172       acl_set_tag_type(entry, ACL_GROUP_OBJ);
 173       acl_set_permset(entry, permset);
 174
 175       /* Others */
 176       acl_create_entry(&acl, &entry);
 177       acl_get_permset(entry, &permset);
 178       acl_add_perm(permset, 0);
 179       acl_set_tag_type(entry, ACL_OTHER);
 180       acl_set_permset(entry, permset);
 181
 182       /* Mask */
 183       acl_create_entry(&acl, &entry);
 184       acl_get_permset(entry, &permset);
 185       acl_add_perm(permset, ACL_READ);
 186       acl_set_tag_type(entry, ACL_MASK);
 187       acl_set_permset(entry, permset);
 188
 189       for (i = 1; i < NumSystemGroups; i ++)
 190       {
 191        /*
 192         * Add each group ID to the ACL...
 193         */
 194
 195         for (j = 0; j < i; j ++)
 196           if (SystemGroupIDs[j] == SystemGroupIDs[i])
 197             break;
 198
 199         if (j < i)
 200           continue;                     /* Skip duplicate groups */
 201
 202         acl_create_entry(&acl, &entry);
 203         acl_get_permset(entry, &permset);
 204         acl_add_perm(permset, ACL_READ);
 205         acl_set_tag_type(entry, ACL_GROUP);
 206         acl_set_qualifier(entry, SystemGroupIDs + i);
 207         acl_set_permset(entry, permset);
 208       }
 209
 210       if (acl_valid(acl))
 211       {
 212         char *text, *textptr;           /* Temporary string */
 213
 214         cupsdLogMessage(CUPSD_LOG_ERROR, "ACL did not validate: %s",
 215                         strerror(errno));
 216         text = acl_to_text(acl, NULL);
 217         for (textptr = strchr(text, '\n');
 218              textptr;
 219              textptr = strchr(textptr + 1, '\n'))
 220           *textptr = ',';
 221
 222         cupsdLogMessage(CUPSD_LOG_ERROR, "ACL: %s", text);
 223         acl_free(text);
 224       }
 225 #  endif /* HAVE_MBR_UID_TO_UUID */
 226
 227       if (acl_set_fd(fd, acl))
 228       {
 229         if (errno != EOPNOTSUPP || !acls_not_supported)
 230           cupsdLogMessage(CUPSD_LOG_ERROR,
 231                           "Unable to set ACLs on root certificate \"%s\" - %s",
 232                           filename, strerror(errno));
 233
 234         if (errno == EOPNOTSUPP)
 235           acls_not_supported = 1;
 236       }
 237
 238       acl_free(acl);
 239     }
 240 #endif /* HAVE_ACL_INIT */
 241
 242     RootCertTime = time(NULL);
 243   }
 244   else
 245   {
 246    /*
 247     * CGI certificate...
 248     */
 249
 250     fchmod(fd, 0400);
 251     fchown(fd, User, Group);
 252   }
 253
 254   DEBUG_printf(("ADD pid=%d, username=%s, cert=%s\n", pid, username,
 255                 cert->certificate));
 256
 257   write(fd, cert->certificate, strlen(cert->certificate));
 258   close(fd);
 259
 260  /*
 261   * Insert the certificate at the front of the list...
 262   */
 263
 264   cert->next = Certs;
 265   Certs      = cert;
 266 }
 267
 268
 269 /*
 270  * 'cupsdDeleteCert()' - Delete a single certificate.
 271  */
 272
 273 void
 274 cupsdDeleteCert(int pid)                /* I - Process ID */
 275 {
 276   cupsd_cert_t  *cert,                  /* Current certificate */
 277                 *prev;                  /* Previous certificate */
 278   char          filename[1024];         /* Certificate file */
 279
 280
 281   for (prev = NULL, cert = Certs; cert != NULL; prev = cert, cert = cert->next)
 282     if (cert->pid == pid)
 283     {
 284      /*
 285       * Remove this certificate from the list...
 286       */
 287
 288       cupsdLogMessage(CUPSD_LOG_DEBUG2,
 289                       "cupsdDeleteCert: Removing certificate for PID %d", pid);
 290
 291       DEBUG_printf(("DELETE pid=%d, username=%s, cert=%s\n", cert->pid,
 292                     cert->username, cert->certificate));
 293
 294       if (prev == NULL)
 295         Certs = cert->next;
 296       else
 297         prev->next = cert->next;
 298
 299       free(cert);
 300
 301      /*
 302       * Delete the file and return...
 303       */
 304
 305       snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, pid);
 306       if (unlink(filename))
 307         cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to remove %s!", filename);
 308
 309       return;
 310     }
 311 }
 312
 313
 314 /*
 315  * 'cupsdDeleteAllCerts()' - Delete all certificates...
 316  */
 317
 318 void
 319 cupsdDeleteAllCerts(void)
 320 {
 321   cupsd_cert_t  *cert,                  /* Current certificate */
 322                 *next;                  /* Next certificate */
 323   char          filename[1024];         /* Certificate file */
 324
 325
 326  /*
 327   * Loop through each certificate, deleting them...
 328   */
 329
 330   for (cert = Certs; cert != NULL; cert = next)
 331   {
 332    /*
 333     * Delete the file...
 334     */
 335
 336     snprintf(filename, sizeof(filename), "%s/certs/%d", StateDir, cert->pid);
 337     if (unlink(filename))
 338       cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to remove %s!", filename);
 339
 340    /*
 341     * Free memory...
 342     */
 343
 344     next = cert->next;
 345     free(cert);
 346   }
 347
 348   Certs        = NULL;
 349   RootCertTime = 0;
 350 }
 351
 352
 353 /*
 354  * 'cupsdFindCert()' - Find a certificate.
 355  */
 356
 357 cupsd_cert_t *                          /* O - Matching certificate or NULL */
 358 cupsdFindCert(const char *certificate)  /* I - Certificate */
 359 {
 360   cupsd_cert_t  *cert;                  /* Current certificate */
 361
 362
 363   cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert(certificate=%s)",
 364                   certificate);
 365   for (cert = Certs; cert != NULL; cert = cert->next)
 366     if (!ctcompare(certificate, cert->certificate))
 367     {
 368       cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Returning %s...",
 369                       cert->username);
 370       return (cert);
 371     }
 372
 373   cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Certificate not found!");
 374
 375   return (NULL);
 376 }
 377
 378
 379 /*
 380  * 'cupsdInitCerts()' - Initialize the certificate "system" and root
 381  *                      certificate.
 382  */
 383
 384 void
 385 cupsdInitCerts(void)
 386 {
 387 #ifndef HAVE_ARC4RANDOM
 388   cups_file_t   *fp;                    /* /dev/random file */
 389
 390
 391  /*
 392   * Initialize the random number generator using the random device or
 393   * the current time, as available...
 394   */
 395
 396   if ((fp = cupsFileOpen("/dev/urandom", "rb")) == NULL)
 397   {
 398     struct timeval tod;                 /* Time of day */
 399
 400    /*
 401     * Get the time in usecs and use it as the initial seed...
 402     */
 403
 404     gettimeofday(&tod, NULL);
 405
 406     CUPS_SRAND((unsigned)(tod.tv_sec + tod.tv_usec));
 407   }
 408   else
 409   {
 410     unsigned    seed;                   /* Seed for random number generator */
 411
 412    /*
 413     * Read 4 random characters from the random device and use
 414     * them as the seed...
 415     */
 416
 417     seed = (unsigned)cupsFileGetChar(fp);
 418     seed = (seed << 8) | (unsigned)cupsFileGetChar(fp);
 419     seed = (seed << 8) | (unsigned)cupsFileGetChar(fp);
 420     CUPS_SRAND((seed << 8) | (unsigned)cupsFileGetChar(fp));
 421
 422     cupsFileClose(fp);
 423   }
 424 #endif /* !HAVE_ARC4RANDOM */
 425
 426  /*
 427   * Create a root certificate and return...
 428   */
 429
 430   if (!RunUser)
 431     cupsdAddCert(0, "root", cupsdDefaultAuthType());
 432 }
 433
 434
 435 /*
 436  * 'ctcompare()' - Compare two strings in constant time.
 437  */
 438
 439 static int                              /* O - 0 on match, non-zero on non-match */
 440 ctcompare(const char *a,                /* I - First string */
 441           const char *b)                /* I - Second string */
 442 {
 443   int   result = 0;                     /* Result */
 444
 445
 446   while (*a && *b)
 447     result |= *a ^ *b;
 448
 449   return (result);
 450 }
 451
 452
 453 /*
 454  * End of "$Id$".
 455  */