/*
* "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $"
*
- * Authorization routines for the Common UNIX Printing System (CUPS).
+ * Authorization routines for the CUPS scheduler.
*
- * Copyright 2007-2009 by Apple Inc.
+ * Copyright 2007-2011 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
* This file contains Kerberos support code, copyright 2006 by
*
* Contents:
*
+ * cupsdAddIPMask() - Add an IP address authorization mask.
* cupsdAddLocation() - Add a location for authorization.
* cupsdAddName() - Add a name to a location...
- * cupsdAllowHost() - Add a host name that is allowed to access the
- * location.
- * cupsdAllowIP() - Add an IP address or network that is allowed to
- * access the location.
+ * cupsdAddNameMask() - Add a host or interface name authorization
+ * mask.
* cupsdAuthorize() - Validate any authorization credentials.
* cupsdCheckAccess() - Check whether the given address is allowed to
* access a location.
* cupsdCheckAuth() - Check authorization masks.
* cupsdCheckGroup() - Check for a user's group membership.
- * cupsdCopyKrb5Creds() - Get a copy of the Kerberos credentials.
* cupsdCopyLocation() - Make a copy of a location...
* cupsdDeleteAllLocations() - Free all memory used for location
* authorization.
- * cupsdDeleteLocation() - Free all memory used by a location.
- * cupsdDenyHost() - Add a host name that is not allowed to access
- * the location.
- * cupsdDenyIP() - Add an IP address or network that is not
- * allowed to access the location.
* cupsdFindBest() - Find the location entry that best matches the
* resource.
* cupsdFindLocation() - Find the named location.
+ * cupsdFreeLocation() - Free all memory used by a location.
* cupsdIsAuthorized() - Check to see if the user is authorized...
- * add_allow() - Add an allow mask to the location.
- * add_deny() - Add a deny mask to the location.
+ * cupsdNewLocation() - Create a new location for authorization.
* check_authref() - Check if an authorization services reference
* has the supplied right.
* compare_locations() - Compare two locations.
+ * copy_authmask() - Copy function for auth masks.
* cups_crypt() - Encrypt the password using the DES or MD5
* algorithms, as needed.
+ * free_authmask() - Free function for auth masks.
* get_md5_password() - Get an MD5 password.
* pam_func() - PAM conversation function.
* to64() - Base64-encode an integer value...
* Local functions...
*/
-static cupsd_authmask_t *add_allow(cupsd_location_t *loc);
-static cupsd_authmask_t *add_deny(cupsd_location_t *loc);
#ifdef HAVE_AUTHORIZATION_H
static int check_authref(cupsd_client_t *con, const char *right);
#endif /* HAVE_AUTHORIZATION_H */
static int compare_locations(cupsd_location_t *a,
cupsd_location_t *b);
+static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data);
#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
static char *cups_crypt(const char *pw, const char *salt);
#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
+static void free_authmask(cupsd_authmask_t *am, void *data);
static char *get_md5_password(const char *username,
const char *group, char passwd[33]);
#if HAVE_LIBPAM
/*
- * 'cupsdAddLocation()' - Add a location for authorization.
+ * 'cupsdAddIPMask()' - Add an IP address authorization mask.
*/
-cupsd_location_t * /* O - Pointer to new location record */
-cupsdAddLocation(const char *location) /* I - Location path */
+int /* O - 1 on success, 0 on failure */
+cupsdAddIPMask(
+ cups_array_t **masks, /* IO - Masks array (created as needed) */
+ const unsigned address[4], /* I - IP address */
+ const unsigned netmask[4]) /* I - IP netmask */
{
- cupsd_location_t *temp; /* New location */
-
-
- /*
- * Make sure the locations array is created...
- */
+ cupsd_authmask_t temp; /* New host/domain mask */
- if (!Locations)
- Locations = cupsArrayNew((cups_array_func_t)compare_locations, NULL);
- if (!Locations)
- return (NULL);
-
- /*
- * Try to allocate memory for the new location.
- */
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
+ "cupsdAddIPMask(masks=%p(%p), address=%x:%x:%x:%x, "
+ "netmask=%x:%x:%x:%x)",
+ masks, *masks,
+ address[0], address[1], address[2], address[3],
+ netmask[0], netmask[1], netmask[2], netmask[3]);
- if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
- return (NULL);
+ temp.type = CUPSD_AUTH_IP;
+ memcpy(temp.mask.ip.address, address, sizeof(temp.mask.ip.address));
+ memcpy(temp.mask.ip.netmask, netmask, sizeof(temp.mask.ip.netmask));
/*
- * Initialize the record and copy the name over...
+ * Create the masks array as needed and add...
*/
- if ((temp->location = strdup(location)) == NULL)
- {
- free(temp);
- return (NULL);
- }
+ if (!*masks)
+ *masks = cupsArrayNew3(NULL, NULL, NULL, 0,
+ (cups_acopy_func_t)copy_authmask,
+ (cups_afree_func_t)free_authmask);
- temp->length = strlen(temp->location);
+ return (cupsArrayAdd(*masks, &temp));
+}
- cupsArrayAdd(Locations, temp);
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: added location \'%s\'",
- location);
+/*
+ * 'cupsdAddLocation()' - Add a location for authorization.
+ */
+void
+cupsdAddLocation(cupsd_location_t *loc) /* I - Location to add */
+{
/*
- * Return the new record...
+ * Make sure the locations array is created...
*/
- return (temp);
+ if (!Locations)
+ Locations = cupsArrayNew3((cups_array_func_t)compare_locations, NULL,
+ (cups_ahash_func_t)NULL, 0,
+ (cups_acopy_func_t)NULL,
+ (cups_afree_func_t)cupsdFreeLocation);
+
+ if (Locations)
+ {
+ cupsArrayAdd(Locations, loc);
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: Added location \"%s\"",
+ loc->location ? loc->location : "(null)");
+ }
}
cupsdAddName(cupsd_location_t *loc, /* I - Location to add to */
char *name) /* I - Name to add */
{
- char **temp; /* Pointer to names array */
-
-
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")",
loc, name);
- if (loc->num_names == 0)
- temp = malloc(sizeof(char *));
- else
- temp = realloc(loc->names, (loc->num_names + 1) * sizeof(char *));
+ if (!loc->names)
+ loc->names = cupsArrayNew3(NULL, NULL, NULL, 0,
+ (cups_acopy_func_t)_cupsStrAlloc,
+ (cups_afree_func_t)_cupsStrFree);
- if (temp == NULL)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to add name to location %s: %s",
- loc->location ? loc->location : "nil", strerror(errno));
- return;
- }
-
- loc->names = temp;
-
- if ((temp[loc->num_names] = strdup(name)) == NULL)
+ if (!cupsArrayAdd(loc->names, name))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to duplicate name for location %s: %s",
loc->location ? loc->location : "nil", strerror(errno));
return;
}
-
- loc->num_names ++;
}
/*
- * 'cupsdAllowHost()' - Add a host name that is allowed to access the location.
+ * 'cupsdAddNameMask()' - Add a host or interface name authorization mask.
*/
-void
-cupsdAllowHost(cupsd_location_t *loc, /* I - Location to add to */
- char *name) /* I - Name of host or domain to add */
+int /* O - 1 on success, 0 on failure */
+cupsdAddNameMask(cups_array_t **masks, /* IO - Masks array (created as needed) */
+ char *name) /* I - Host or interface name */
{
- cupsd_authmask_t *temp; /* New host/domain mask */
+ cupsd_authmask_t temp; /* New host/domain mask */
char ifname[32], /* Interface name */
*ifptr; /* Pointer to end of name */
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAllowHost(loc=%p(%s), name=\"%s\")",
- loc, loc->location ? loc->location : "nil", name);
-
- if ((temp = add_allow(loc)) == NULL)
- return;
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
+ "cupsdAddNameMask(masks=%p(%p), name=\"%s\")",
+ masks, *masks, name);
- if (!strcasecmp(name, "@LOCAL"))
+ if (!_cups_strcasecmp(name, "@LOCAL"))
{
/*
- * Allow *interface*...
+ * Deny *interface*...
*/
- temp->type = CUPSD_AUTH_INTERFACE;
- temp->mask.name.name = strdup("*");
- temp->mask.name.length = 1;
+ temp.type = CUPSD_AUTH_INTERFACE;
+ temp.mask.name.name = (char *)"*";
}
- else if (!strncasecmp(name, "@IF(", 4))
+ else if (!_cups_strncasecmp(name, "@IF(", 4))
{
/*
- * Allow *interface*...
+ * Deny *interface*...
*/
strlcpy(ifname, name + 4, sizeof(ifname));
- ifptr = ifname + strlen(ifname);
+ ifptr = ifname + strlen(ifname) - 1;
- if (ifptr[-1] == ')')
+ if (ifptr >= ifname && *ifptr == ')')
{
ifptr --;
*ifptr = '\0';
}
- temp->type = CUPSD_AUTH_INTERFACE;
- temp->mask.name.name = strdup(ifname);
- temp->mask.name.length = ifptr - ifname;
+ temp.type = CUPSD_AUTH_INTERFACE;
+ temp.mask.name.name = ifname;
}
else
{
/*
- * Allow name...
+ * Deny name...
*/
- temp->type = CUPSD_AUTH_NAME;
- temp->mask.name.name = strdup(name);
- temp->mask.name.length = strlen(name);
- }
-}
-
+ if (*name == '*')
+ name ++;
-/*
- * 'cupsdAllowIP()' - Add an IP address or network that is allowed to access
- * the location.
- */
+ temp.type = CUPSD_AUTH_NAME;
+ temp.mask.name.name = (char *)name;
+ }
-void
-cupsdAllowIP(
- cupsd_location_t *loc, /* I - Location to add to */
- const unsigned address[4], /* I - IP address to add */
- const unsigned netmask[4]) /* I - Netmask of address */
-{
- cupsd_authmask_t *temp; /* New host/domain mask */
+ /*
+ * Set the name length...
+ */
+ temp.mask.name.length = strlen(temp.mask.name.name);
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdAllowIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)",
- loc, loc->location ? loc->location : "nil",
- address[0], address[1], address[2], address[3],
- netmask[0], netmask[1], netmask[2], netmask[3]);
+ /*
+ * Create the masks array as needed and add...
+ */
- if ((temp = add_allow(loc)) == NULL)
- return;
+ if (!*masks)
+ *masks = cupsArrayNew3(NULL, NULL, NULL, 0,
+ (cups_acopy_func_t)copy_authmask,
+ (cups_afree_func_t)free_authmask);
- temp->type = CUPSD_AUTH_IP;
- memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
- memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
+ return (cupsArrayAdd(*masks, &temp));
}
username[0] = '\0';
password[0] = '\0';
+#ifdef HAVE_GSSAPI
+ con->gss_uid = 0;
+#endif /* HAVE_GSSAPI */
+
#ifdef HAVE_AUTHORIZATION_H
if (con->authref)
{
return;
}
#ifdef HAVE_AUTHORIZATION_H
- else if (!strncmp(authorization, "AuthRef", 6) &&
- !strcasecmp(con->http.hostname, "localhost"))
+ else if (!strncmp(authorization, "AuthRef ", 8) &&
+ !_cups_strcasecmp(con->http.hostname, "localhost"))
{
OSStatus status; /* Status */
int authlen; /* Auth string length */
* Get the Authorization Services data...
*/
- authorization += 7;
+ authorization += 8;
while (isspace(*authorization & 255))
authorization ++;
return;
}
- strlcpy(username, "_AUTHREF_", sizeof(username));
+ username[0] = '\0';
- if (!AuthorizationCopyInfo(con->authref, kAuthorizationEnvironmentUsername,
+ if (!AuthorizationCopyInfo(con->authref, kAuthorizationEnvironmentUsername,
&authinfo))
{
if (authinfo->count == 1 && authinfo->items[0].value &&
authinfo->items[0].valueLength >= 2)
+ {
strlcpy(username, authinfo->items[0].value, sizeof(username));
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: Authorized as \"%s\" using AuthRef",
+ username);
+ }
+
AuthorizationFreeItemSet(authinfo);
}
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as \"%s\" using AuthRef",
- username);
+ if (!username[0])
+ {
+ /*
+ * No username in AuthRef, grab username using peer credentials...
+ */
+
+ struct passwd *pwd; /* Password entry for this user */
+ cupsd_ucred_t peercred; /* Peer credentials */
+ socklen_t peersize; /* Size of peer credentials */
+
+ peersize = sizeof(peercred);
+
+ if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
+ strerror(errno));
+ return;
+ }
+
+ if ((pwd = getpwuid(CUPSD_UCRED_UID(peercred))) == NULL)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unable to find UID %d for peer credentials.",
+ (int)CUPSD_UCRED_UID(peercred));
+ return;
+ }
+
+ strlcpy(username, pwd->pw_name, sizeof(username));
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: Authorized as \"%s\" using "
+ "AuthRef + PeerCred", username);
+ }
+
con->type = CUPSD_AUTH_BASIC;
}
#endif /* HAVE_AUTHORIZATION_H */
struct passwd *pwd; /* Password entry for this user */
cupsd_ucred_t peercred; /* Peer credentials */
socklen_t peersize; /* Size of peer credentials */
+#ifdef HAVE_AUTHORIZATION_H
+ const char *name; /* Authorizing name */
+ for (name = (char *)cupsArrayFirst(con->best->names);
+ name;
+ name = (char *)cupsArrayNext(con->best->names))
+ if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) || !_cups_strcasecmp(name, "@SYSTEM"))
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "PeerCred authentication not allowed for resource.");
+ return;
+ }
+#endif /* HAVE_AUTHORIZATION_H */
if ((pwd = getpwnam(authorization + 9)) == NULL)
{
- cupsdLogMessage(CUPSD_LOG_ERROR, "User \"%s\" does not exist!",
+ cupsdLogMessage(CUPSD_LOG_ERROR, "User \"%s\" does not exist.",
authorization + 9);
return;
}
peersize = sizeof(peercred);
+# ifdef __APPLE__
+ if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
+# else
if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
+# endif /* __APPLE__ */
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
strerror(errno));
strlcpy(username, authorization + 9, sizeof(username));
+# ifdef HAVE_GSSAPI
+ con->gss_uid = CUPSD_UCRED_UID(peercred);
+# endif /* HAVE_GSSAPI */
+
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdAuthorize: Authorized as %s using PeerCred",
username);
}
#endif /* SO_PEERCRED && AF_LOCAL */
else if (!strncmp(authorization, "Local", 5) &&
- !strcasecmp(con->http.hostname, "localhost"))
+ !_cups_strcasecmp(con->http.hostname, "localhost"))
{
/*
* Get Local certificate authentication data...
con->type = CUPSD_AUTH_DIGEST;
}
#ifdef HAVE_GSSAPI
- else if (!strncmp(authorization, "Negotiate", 9))
+ else if (!strncmp(authorization, "Negotiate", 9))
{
int len; /* Length of authorization string */
gss_ctx_id_t context; /* Authorization context */
}
# endif /* __APPLE__ */
- con->gss_output_token.length = 0;
-
/*
* Find the start of the Kerberos input token...
*/
if (!*authorization)
{
cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdAuthorize: No authentication data specified.");
+ "cupsdAuthorize: No authentication data specified.");
return;
}
len = strlen(authorization);
input_token.value = malloc(len);
input_token.value = httpDecode64_2(input_token.value, &len,
- authorization);
+ authorization);
input_token.length = len;
/*
client_name = GSS_C_NO_NAME;
major_status = gss_accept_sec_context(&minor_status,
&context,
- GSS_C_NO_CREDENTIAL,
+ GSS_C_NO_CREDENTIAL,
&input_token,
GSS_C_NO_CHANNEL_BINDINGS,
&client_name,
NULL,
- &con->gss_output_token,
- &con->gss_flags,
+ &output_token,
+ NULL,
NULL,
- &con->gss_creds);
+ NULL);
+
+ if (output_token.length > 0)
+ gss_release_buffer(&minor_status, &output_token);
if (GSS_ERROR(major_status))
{
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
- "cupsdAuthorize: Error accepting GSSAPI security "
+ "cupsdAuthorize: Error accepting GSSAPI security "
"context");
if (context != GSS_C_NO_CONTEXT)
return;
}
+ con->have_gss = 1;
+
/*
* Get the username associated with the client's credentials...
*/
- if (!con->gss_creds)
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: No credentials!");
-
if (major_status == GSS_S_CONTINUE_NEEDED)
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
"cupsdAuthorize: Credentials not complete");
else if (major_status == GSS_S_COMPLETE)
{
- major_status = gss_display_name(&minor_status, client_name,
+ major_status = gss_display_name(&minor_status, client_name,
&output_token, NULL);
if (GSS_ERROR(major_status))
{
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
- "cupsdAuthorize: Error getting username");
- gss_release_cred(&minor_status, &con->gss_creds);
+ "cupsdAuthorize: Error getting username");
gss_release_name(&minor_status, &client_name);
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
return;
con->type = CUPSD_AUTH_NEGOTIATE;
}
- else
- gss_release_cred(&minor_status, &con->gss_creds);
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
+
+# if defined(SO_PEERCRED) && defined(AF_LOCAL)
+ /*
+ * Get the client's UID if we are printing locally - that allows a backend
+ * to run as the correct user to get Kerberos credentials of its own.
+ */
+
+ if (_httpAddrFamily(con->http.hostaddr) == AF_LOCAL)
+ {
+ cupsd_ucred_t peercred; /* Peer credentials */
+ socklen_t peersize; /* Size of peer credentials */
+
+ peersize = sizeof(peercred);
+
+# ifdef __APPLE__
+ if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
+# else
+ if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred,
+ &peersize))
+# endif /* __APPLE__ */
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
+ strerror(errno));
+ }
+ else
+ {
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: Using credentials for UID %d...",
+ CUPSD_UCRED_UID(peercred));
+ con->gss_uid = CUPSD_UCRED_UID(peercred);
+ }
+ }
+# endif /* SO_PEERCRED && AF_LOCAL */
}
#endif /* HAVE_GSSAPI */
else
int allow; /* 1 if allowed, 0 otherwise */
- if (!strcasecmp(name, "localhost"))
+ if (!_cups_strcasecmp(name, "localhost"))
{
/*
* Access from localhost (127.0.0.1 or ::1) is always allowed...
case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */
allow = 1;
- if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny))
+ if (cupsdCheckAuth(ip, name, namelen, loc->deny))
allow = 0;
- if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow))
+ if (cupsdCheckAuth(ip, name, namelen, loc->allow))
allow = 1;
break;
case CUPSD_AUTH_DENY : /* Order Allow,Deny */
allow = 0;
- if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow))
+ if (cupsdCheckAuth(ip, name, namelen, loc->allow))
allow = 1;
- if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny))
+ if (cupsdCheckAuth(ip, name, namelen, loc->deny))
allow = 0;
break;
}
*/
int /* O - 1 if mask matches, 0 otherwise */
-cupsdCheckAuth(
- unsigned ip[4], /* I - Client address */
- char *name, /* I - Client hostname */
- int name_len, /* I - Length of hostname */
- int num_masks, /* I - Number of masks */
- cupsd_authmask_t *masks) /* I - Masks */
+cupsdCheckAuth(unsigned ip[4], /* I - Client address */
+ char *name, /* I - Client hostname */
+ int name_len, /* I - Length of hostname */
+ cups_array_t *masks) /* I - Masks */
{
- int i; /* Looping var */
- cupsd_netif_t *iface; /* Network interface */
- unsigned netip4; /* IPv4 network address */
+ int i; /* Looping var */
+ cupsd_authmask_t *mask; /* Current mask */
+ cupsd_netif_t *iface; /* Network interface */
+ unsigned netip4; /* IPv4 network address */
#ifdef AF_INET6
- unsigned netip6[4]; /* IPv6 network address */
+ unsigned netip6[4]; /* IPv6 network address */
#endif /* AF_INET6 */
- while (num_masks > 0)
+ for (mask = (cupsd_authmask_t *)cupsArrayFirst(masks);
+ mask;
+ mask = (cupsd_authmask_t *)cupsArrayNext(masks))
{
- switch (masks->type)
+ switch (mask->type)
{
case CUPSD_AUTH_INTERFACE :
/*
netip6[3] = htonl(ip[3]);
#endif /* AF_INET6 */
- if (!strcmp(masks->mask.name.name, "*"))
+ if (!strcmp(mask->mask.name.name, "*"))
{
#ifdef __APPLE__
/*
iface;
iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
{
- if (strcmp(masks->mask.name.name, iface->name))
+ if (strcmp(mask->mask.name.name, iface->name))
continue;
if (iface->address.addr.sa_family == AF_INET)
* Check for exact name match...
*/
- if (!strcasecmp(name, masks->mask.name.name))
+ if (!_cups_strcasecmp(name, mask->mask.name.name))
return (1);
/*
* Check for domain match...
*/
- if (name_len >= masks->mask.name.length &&
- masks->mask.name.name[0] == '.' &&
- !strcasecmp(name + name_len - masks->mask.name.length,
- masks->mask.name.name))
+ if (name_len >= mask->mask.name.length &&
+ mask->mask.name.name[0] == '.' &&
+ !_cups_strcasecmp(name + name_len - mask->mask.name.length,
+ mask->mask.name.name))
return (1);
break;
*/
for (i = 0; i < 4; i ++)
- if ((ip[i] & masks->mask.ip.netmask[i]) !=
- masks->mask.ip.address[i])
+ if ((ip[i] & mask->mask.ip.netmask[i]) !=
+ mask->mask.ip.address[i])
break;
if (i == 4)
return (1);
break;
}
-
- masks ++;
- num_masks --;
}
return (0);
*/
for (i = 0; group->gr_mem[i]; i ++)
- if (!strcasecmp(username, group->gr_mem[i]))
+ if (!_cups_strcasecmp(username, group->gr_mem[i]))
return (1);
}
}
-#ifdef HAVE_GSSAPI
-/*
- * 'cupsdCopyKrb5Creds()' - Get a copy of the Kerberos credentials.
- */
-
-krb5_ccache /* O - Credentials or NULL */
-cupsdCopyKrb5Creds(cupsd_client_t *con) /* I - Client connection */
-{
-# if !defined(HAVE_KRB5_CC_NEW_UNIQUE) && !defined(HAVE_HEIMDAL)
- cupsdLogMessage(CUPSD_LOG_INFO,
- "Sorry, your version of Kerberos does not support delegated "
- "credentials!");
- return (NULL);
-
-# else
- krb5_ccache ccache = NULL; /* Credentials */
- krb5_error_code error; /* Kerberos error code */
- OM_uint32 major_status, /* Major status code */
- minor_status; /* Minor status code */
- krb5_principal principal; /* Kerberos principal */
-
-
-# ifdef __APPLE__
- /*
- * If the weak-linked GSSAPI/Kerberos library is not present, don't try
- * to use it...
- */
-
- if (krb5_init_context == NULL)
- return (NULL);
-# endif /* __APPLE__ */
-
- if (!KerberosInitialized)
- {
- /*
- * Setup a Kerberos context for the scheduler to use...
- */
-
- KerberosInitialized = 1;
-
- if (krb5_init_context(&KerberosContext))
- {
- KerberosContext = NULL;
-
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to initialize Kerberos context");
- return (NULL);
- }
- }
-
- /*
- * We MUST create a file-based cache because memory-based caches are
- * only valid for the current process/address space.
- *
- * Due to various bugs/features in different versions of Kerberos, we
- * need either the krb5_cc_new_unique() function or Heimdal's version
- * of krb5_cc_gen_new() to create a new FILE: credential cache that
- * can be passed to the backend. These functions create a temporary
- * file (typically in /tmp) containing the cached credentials, which
- * are removed when we have successfully printed a job.
- */
-
-# ifdef HAVE_KRB5_CC_NEW_UNIQUE
- if ((error = krb5_cc_new_unique(KerberosContext, "FILE", NULL, &ccache)) != 0)
-# else /* HAVE_HEIMDAL */
- if ((error = krb5_cc_gen_new(KerberosContext, &krb5_fcc_ops, &ccache)) != 0)
-# endif /* HAVE_KRB5_CC_NEW_UNIQUE */
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to create new credentials cache (%d/%s)",
- error, strerror(errno));
- return (NULL);
- }
-
- if ((error = krb5_parse_name(KerberosContext, con->username, &principal)) != 0)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to parse kerberos username (%d/%s)", error,
- strerror(errno));
- krb5_cc_destroy(KerberosContext, ccache);
- return (NULL);
- }
-
- if ((error = krb5_cc_initialize(KerberosContext, ccache, principal)))
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to initialize credentials cache (%d/%s)", error,
- strerror(errno));
- krb5_cc_destroy(KerberosContext, ccache);
- krb5_free_principal(KerberosContext, principal);
- return (NULL);
- }
-
- krb5_free_principal(KerberosContext, principal);
-
- /*
- * Copy the user's credentials to the new cache file...
- */
-
-# ifdef HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID
- if (con->http.hostaddr->addr.sa_family == AF_LOCAL &&
- !(con->gss_flags & GSS_C_DELEG_FLAG))
- {
- /*
- * Pull the credentials directly from the user...
- */
-
- cupsd_ucred_t peercred; /* Peer credentials */
- socklen_t peersize; /* Size of peer credentials */
- krb5_ccache peerccache; /* Peer Kerberos credentials */
-
- peersize = sizeof(peercred);
-
- if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
- {
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
- strerror(errno));
- krb5_cc_destroy(KerberosContext, ccache);
- return (NULL);
- }
-
- krb5_ipc_client_set_target_uid(CUPSD_UCRED_UID(peercred));
-
- if ((error = krb5_cc_default(KerberosContext, &peerccache)) != 0)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to get credentials cache for UID %d (%d/%s)",
- (int)CUPSD_UCRED_UID(peercred), error, strerror(errno));
- krb5_cc_destroy(KerberosContext, ccache);
- return (NULL);
- }
-
- error = krb5_cc_copy_creds(KerberosContext, peerccache, ccache);
- krb5_cc_close(KerberosContext, peerccache);
- krb5_ipc_client_clear_target();
-
- if (error)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to copy credentials cache for UID %d (%d/%s)",
- (int)CUPSD_UCRED_UID(peercred), error, strerror(errno));
- krb5_cc_destroy(KerberosContext, ccache);
- return (NULL);
- }
- }
- else
-# endif /* HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID */
- {
- major_status = gss_krb5_copy_ccache(&minor_status, con->gss_creds, ccache);
-
- if (GSS_ERROR(major_status))
- {
- cupsdLogGSSMessage(CUPSD_LOG_ERROR, major_status, minor_status,
- "Unable to copy client credentials cache");
- krb5_cc_destroy(KerberosContext, ccache);
- return (NULL);
- }
- }
-
- return (ccache);
-# endif /* !HAVE_KRB5_CC_NEW_UNIQUE && !HAVE_HEIMDAL */
-}
-#endif /* HAVE_GSSAPI */
-
-
/*
* 'cupsdCopyLocation()' - Make a copy of a location...
*/
cupsd_location_t * /* O - New location */
cupsdCopyLocation(
- cupsd_location_t **loc) /* IO - Original location */
+ cupsd_location_t *loc) /* I - Original location */
{
- int i; /* Looping var */
cupsd_location_t *temp; /* New location */
- char location[HTTP_MAX_URI];
- /* Location of resource */
/*
- * Use a local copy of location because cupsdAddLocation may cause
- * this memory to be moved...
+ * Make a copy of the original location...
*/
- strlcpy(location, (*loc)->location, sizeof(location));
-
- if ((temp = cupsdAddLocation(location)) == NULL)
+ if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
return (NULL);
/*
* Copy the information from the original location to the new one.
*/
- temp->limit = (*loc)->limit;
- temp->order_type = (*loc)->order_type;
- temp->type = (*loc)->type;
- temp->level = (*loc)->level;
- temp->satisfy = (*loc)->satisfy;
- temp->encryption = (*loc)->encryption;
+ if (!loc)
+ return (temp);
- if ((temp->num_names = (*loc)->num_names) > 0)
- {
- /*
- * Copy the names array...
- */
+ if (loc->location)
+ temp->location = _cupsStrAlloc(loc->location);
+
+ temp->limit = loc->limit;
+ temp->order_type = loc->order_type;
+ temp->type = loc->type;
+ temp->level = loc->level;
+ temp->satisfy = loc->satisfy;
+ temp->encryption = loc->encryption;
- if ((temp->names = calloc(temp->num_names, sizeof(char *))) == NULL)
+ if (loc->names)
+ {
+ if ((temp->names = cupsArrayDup(loc->names)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdCopyLocation: Unable to allocate memory for %d names: %s",
- temp->num_names, strerror(errno));
+ "Unable to allocate memory for %d names: %s",
+ cupsArrayCount(loc->names), strerror(errno));
- cupsdDeleteLocation(temp);
+ cupsdFreeLocation(temp);
return (NULL);
}
-
- for (i = 0; i < temp->num_names; i ++)
- if ((temp->names[i] = strdup((*loc)->names[i])) == NULL)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdCopyLocation: Unable to copy name \"%s\": %s",
- (*loc)->names[i], strerror(errno));
-
- cupsdDeleteLocation(temp);
- return (NULL);
- }
}
- if ((temp->num_allow = (*loc)->num_allow) > 0)
+ if (loc->allow)
{
/*
* Copy allow rules...
*/
- if ((temp->allow = calloc(temp->num_allow, sizeof(cupsd_authmask_t))) == NULL)
+ if ((temp->allow = cupsArrayDup(loc->allow)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdCopyLocation: Unable to allocate memory for %d allow rules: %s",
- temp->num_allow, strerror(errno));
- cupsdDeleteLocation(temp);
+ "Unable to allocate memory for %d allow rules: %s",
+ cupsArrayCount(loc->allow), strerror(errno));
+ cupsdFreeLocation(temp);
return (NULL);
}
-
- for (i = 0; i < temp->num_allow; i ++)
- switch (temp->allow[i].type = (*loc)->allow[i].type)
- {
- case CUPSD_AUTH_NAME :
- temp->allow[i].mask.name.length = (*loc)->allow[i].mask.name.length;
- temp->allow[i].mask.name.name = strdup((*loc)->allow[i].mask.name.name);
-
- if (temp->allow[i].mask.name.name == NULL)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdCopyLocation: Unable to copy allow name \"%s\": %s",
- (*loc)->allow[i].mask.name.name, strerror(errno));
- cupsdDeleteLocation(temp);
- return (NULL);
- }
- break;
- case CUPSD_AUTH_IP :
- memcpy(&(temp->allow[i].mask.ip), &((*loc)->allow[i].mask.ip),
- sizeof(cupsd_ipmask_t));
- break;
- }
}
- if ((temp->num_deny = (*loc)->num_deny) > 0)
+ if (loc->deny)
{
/*
* Copy deny rules...
*/
- if ((temp->deny = calloc(temp->num_deny, sizeof(cupsd_authmask_t))) == NULL)
+ if ((temp->deny = cupsArrayDup(loc->deny)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdCopyLocation: Unable to allocate memory for %d deny rules: %s",
- temp->num_deny, strerror(errno));
- cupsdDeleteLocation(temp);
+ "Unable to allocate memory for %d deny rules: %s",
+ cupsArrayCount(loc->deny), strerror(errno));
+ cupsdFreeLocation(temp);
return (NULL);
}
-
- for (i = 0; i < temp->num_deny; i ++)
- switch (temp->deny[i].type = (*loc)->deny[i].type)
- {
- case CUPSD_AUTH_NAME :
- temp->deny[i].mask.name.length = (*loc)->deny[i].mask.name.length;
- temp->deny[i].mask.name.name = strdup((*loc)->deny[i].mask.name.name);
-
- if (temp->deny[i].mask.name.name == NULL)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdCopyLocation: Unable to copy deny name \"%s\": %s",
- (*loc)->deny[i].mask.name.name, strerror(errno));
- cupsdDeleteLocation(temp);
- return (NULL);
- }
- break;
- case CUPSD_AUTH_IP :
- memcpy(&(temp->deny[i].mask.ip), &((*loc)->deny[i].mask.ip),
- sizeof(cupsd_ipmask_t));
- break;
- }
}
return (temp);
void
cupsdDeleteAllLocations(void)
{
- cupsd_location_t *loc; /* Current location */
-
-
/*
- * Free all of the allow/deny records first...
- */
-
- for (loc = (cupsd_location_t *)cupsArrayFirst(Locations);
- loc;
- loc = (cupsd_location_t *)cupsArrayNext(Locations))
- cupsdDeleteLocation(loc);
-
- /*
- * Then free the location array...
+ * Free the location array, which will free all of the locations...
*/
cupsArrayDelete(Locations);
}
-/*
- * 'cupsdDeleteLocation()' - Free all memory used by a location.
- */
-
-void
-cupsdDeleteLocation(
- cupsd_location_t *loc) /* I - Location to delete */
-{
- int i; /* Looping var */
- cupsd_authmask_t *mask; /* Current mask */
-
-
- cupsArrayRemove(Locations, loc);
-
- for (i = loc->num_names - 1; i >= 0; i --)
- free(loc->names[i]);
-
- if (loc->num_names > 0)
- free(loc->names);
-
- for (i = loc->num_allow, mask = loc->allow; i > 0; i --, mask ++)
- if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
- free(mask->mask.name.name);
-
- if (loc->num_allow > 0)
- free(loc->allow);
-
- for (i = loc->num_deny, mask = loc->deny; i > 0; i --, mask ++)
- if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
- free(mask->mask.name.name);
-
- if (loc->num_deny > 0)
- free(loc->deny);
-
- free(loc->location);
- free(loc);
-}
-
-
-/*
- * 'cupsdDenyHost()' - Add a host name that is not allowed to access the
- * location.
- */
-
-void
-cupsdDenyHost(cupsd_location_t *loc, /* I - Location to add to */
- char *name) /* I - Name of host or domain to add */
-{
- cupsd_authmask_t *temp; /* New host/domain mask */
- char ifname[32], /* Interface name */
- *ifptr; /* Pointer to end of name */
-
-
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDenyHost(loc=%p(%s), name=\"%s\")",
- loc, loc->location ? loc->location : "nil", name);
-
- if ((temp = add_deny(loc)) == NULL)
- return;
-
- if (!strcasecmp(name, "@LOCAL"))
- {
- /*
- * Deny *interface*...
- */
-
- temp->type = CUPSD_AUTH_INTERFACE;
- temp->mask.name.name = strdup("*");
- temp->mask.name.length = 1;
- }
- else if (!strncasecmp(name, "@IF(", 4))
- {
- /*
- * Deny *interface*...
- */
-
- strlcpy(ifname, name + 4, sizeof(ifname));
-
- ifptr = ifname + strlen(ifname);
-
- if (ifptr[-1] == ')')
- {
- ifptr --;
- *ifptr = '\0';
- }
-
- temp->type = CUPSD_AUTH_INTERFACE;
- temp->mask.name.name = strdup(ifname);
- temp->mask.name.length = ifptr - ifname;
- }
- else
- {
- /*
- * Deny name...
- */
-
- temp->type = CUPSD_AUTH_NAME;
- temp->mask.name.name = strdup(name);
- temp->mask.name.length = strlen(name);
- }
-}
-
-
-/*
- * 'cupsdDenyIP()' - Add an IP address or network that is not allowed to
- * access the location.
- */
-
-void
-cupsdDenyIP(cupsd_location_t *loc, /* I - Location to add to */
- const unsigned address[4],/* I - IP address to add */
- const unsigned netmask[4])/* I - Netmask of address */
-{
- cupsd_authmask_t *temp; /* New host/domain mask */
-
-
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdDenyIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)",
- loc, loc->location ? loc->location : "nil",
- address[0], address[1], address[2], address[3],
- netmask[0], netmask[1], netmask[2], netmask[3]);
-
- if ((temp = add_deny(loc)) == NULL)
- return;
-
- temp->type = CUPSD_AUTH_IP;
- memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
- memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
-}
-
-
/*
* 'cupsdFindBest()' - Find the location entry that best matches the resource.
*/
*/
if (loc->length > bestlen && loc->location &&
- !strncasecmp(uri, loc->location, loc->length) &&
+ !_cups_strncasecmp(uri, loc->location, loc->length) &&
loc->location[0] == '/' &&
(limit & loc->limit) != 0)
{
}
+/*
+ * 'cupsdFreeLocation()' - Free all memory used by a location.
+ */
+
+void
+cupsdFreeLocation(cupsd_location_t *loc)/* I - Location to free */
+{
+ cupsArrayDelete(loc->names);
+ cupsArrayDelete(loc->allow);
+ cupsArrayDelete(loc->deny);
+
+ _cupsStrFree(loc->location);
+ free(loc);
+}
+
+
/*
* 'cupsdIsAuthorized()' - Check to see if the user is authorized...
*/
cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
const char *owner)/* I - Owner of object */
{
- int i, j, /* Looping vars */
+ int i, /* Looping vars */
auth, /* Authorization status */
type; /* Type of authentication */
unsigned address[4]; /* Authorization address */
cupsd_location_t *best; /* Best match for location so far */
int hostlen; /* Length of hostname */
- char username[256], /* Username to authorize */
+ char *name, /* Current username */
+ username[256], /* Username to authorize */
ownername[256], /* Owner name to authorize */
*ptr; /* Pointer into username */
struct passwd *pw; /* User password data */
"cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, "
"satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d",
levels[best->level], types[type],
- best->satisfy ? "ANY" : "ALL", best->num_names);
+ best->satisfy ? "ANY" : "ALL", cupsArrayCount(best->names));
if (best->limit == CUPSD_AUTH_LIMIT_IPP)
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)",
*/
if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls &&
- strcasecmp(con->http.hostname, "localhost") &&
+ _cups_strcasecmp(con->http.hostname, "localhost") &&
best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
- !(type == CUPSD_AUTH_NEGOTIATE ||
+ !(type == CUPSD_AUTH_NEGOTIATE ||
(type == CUPSD_AUTH_NONE && DefaultAuthType == CUPSD_AUTH_NEGOTIATE)))
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
*/
if (best->level == CUPSD_AUTH_ANON || /* Anonymous access - allow it */
- (type == CUPSD_AUTH_NONE && best->num_names == 0))
+ (type == CUPSD_AUTH_NONE && cupsArrayCount(best->names) == 0))
return (HTTP_OK);
if (!con->username[0] && type == CUPSD_AUTH_NONE &&
return (HTTP_OK); /* unless overridden with Satisfy */
}
+
if (con->type != type && type != CUPSD_AUTH_NONE &&
+#ifdef HAVE_GSSAPI
+ (type != CUPSD_AUTH_NEGOTIATE || con->gss_uid <= 0) &&
+#endif /* HAVE_GSSAPI */
(con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST))
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s!",
* any valid user is OK...
*/
- if (best->num_names == 0)
+ if (cupsArrayCount(best->names) == 0)
return (HTTP_OK);
/*
if (con->authref)
{
- for (i = 0; i < best->num_names; i ++)
+ for (name = (char *)cupsArrayFirst(best->names);
+ name;
+ name = (char *)cupsArrayNext(best->names))
{
- if (!strncasecmp(best->names[i], "@AUTHKEY(", 9) &&
- check_authref(con, best->names[i] + 9))
+ if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) && check_authref(con, name + 9))
return (HTTP_OK);
- else if (!strcasecmp(best->names[i], "@SYSTEM") &&
- SystemGroupAuthKey &&
+ else if (!_cups_strcasecmp(name, "@SYSTEM") && SystemGroupAuthKey &&
check_authref(con, SystemGroupAuthKey))
return (HTTP_OK);
}
}
#endif /* HAVE_AUTHORIZATION_H */
- for (i = 0; i < best->num_names; i ++)
+ for (name = (char *)cupsArrayFirst(best->names);
+ name;
+ name = (char *)cupsArrayNext(best->names))
{
- if (!strcasecmp(best->names[i], "@OWNER") && owner &&
- !strcasecmp(username, ownername))
+ if (!_cups_strcasecmp(name, "@OWNER") && owner &&
+ !_cups_strcasecmp(username, ownername))
return (HTTP_OK);
- else if (!strcasecmp(best->names[i], "@SYSTEM"))
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
{
- for (j = 0; j < NumSystemGroups; j ++)
- if (cupsdCheckGroup(username, pw, SystemGroups[j]))
+ for (i = 0; i < NumSystemGroups; i ++)
+ if (cupsdCheckGroup(username, pw, SystemGroups[i]))
return (HTTP_OK);
}
- else if (best->names[i][0] == '@')
+ else if (name[0] == '@')
{
- if (cupsdCheckGroup(username, pw, best->names[i] + 1))
+ if (cupsdCheckGroup(username, pw, name + 1))
return (HTTP_OK);
}
- else if (!strcasecmp(username, best->names[i]))
+ else if (!_cups_strcasecmp(username, name))
return (HTTP_OK);
}
- return (HTTP_FORBIDDEN);
+ return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
}
/*
* Check to see if this user is in any of the named groups...
*/
- for (i = 0; i < best->num_names; i ++)
+ for (name = (char *)cupsArrayFirst(best->names);
+ name;
+ name = (char *)cupsArrayNext(best->names))
{
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdIsAuthorized: Checking group \"%s\" membership...",
- best->names[i]);
+ name);
- if (!strcasecmp(best->names[i], "@SYSTEM"))
+ if (!_cups_strcasecmp(name, "@SYSTEM"))
{
- for (j = 0; j < NumSystemGroups; j ++)
- if (cupsdCheckGroup(username, pw, SystemGroups[j]))
+ for (i = 0; i < NumSystemGroups; i ++)
+ if (cupsdCheckGroup(username, pw, SystemGroups[i]))
return (HTTP_OK);
}
- else if (cupsdCheckGroup(username, pw, best->names[i]))
+ else if (cupsdCheckGroup(username, pw, name))
return (HTTP_OK);
}
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: User not in group(s)!");
- return (HTTP_FORBIDDEN);
+ return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
}
/*
- * 'add_allow()' - Add an allow mask to the location.
- */
-
-static cupsd_authmask_t * /* O - New mask record */
-add_allow(cupsd_location_t *loc) /* I - Location to add to */
-{
- cupsd_authmask_t *temp; /* New mask record */
-
-
- /*
- * Range-check...
- */
-
- if (loc == NULL)
- return (NULL);
-
- /*
- * Try to allocate memory for the record...
- */
-
- if (loc->num_allow == 0)
- temp = malloc(sizeof(cupsd_authmask_t));
- else
- temp = realloc(loc->allow, sizeof(cupsd_authmask_t) * (loc->num_allow + 1));
-
- if (temp == NULL)
- return (NULL);
-
- loc->allow = temp;
- temp += loc->num_allow;
- loc->num_allow ++;
-
- /*
- * Clear the mask record and return...
- */
-
- memset(temp, 0, sizeof(cupsd_authmask_t));
- return (temp);
-}
-
-
-/*
- * 'add_deny()' - Add a deny mask to the location.
+ * 'cupsdNewLocation()' - Create a new location for authorization.
+ *
+ * Note: Still need to call cupsdAddLocation() to add it to the list of global
+ * locations.
*/
-static cupsd_authmask_t * /* O - New mask record */
-add_deny(cupsd_location_t *loc) /* I - Location to add to */
+cupsd_location_t * /* O - Pointer to new location record */
+cupsdNewLocation(const char *location) /* I - Location path */
{
- cupsd_authmask_t *temp; /* New mask record */
+ cupsd_location_t *temp; /* New location */
/*
- * Range-check...
+ * Try to allocate memory for the new location.
*/
- if (loc == NULL)
+ if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
return (NULL);
/*
- * Try to allocate memory for the record...
+ * Initialize the record and copy the name over...
*/
- if (loc->num_deny == 0)
- temp = malloc(sizeof(cupsd_authmask_t));
- else
- temp = realloc(loc->deny, sizeof(cupsd_authmask_t) * (loc->num_deny + 1));
-
- if (temp == NULL)
+ if ((temp->location = _cupsStrAlloc(location)) == NULL)
+ {
+ free(temp);
return (NULL);
+ }
- loc->deny = temp;
- temp += loc->num_deny;
- loc->num_deny ++;
+ temp->length = strlen(temp->location);
/*
- * Clear the mask record and return...
+ * Return the new record...
*/
- memset(temp, 0, sizeof(cupsd_authmask_t));
return (temp);
}
authrights.count = 1;
authrights.items = &authright;
- authflags = kAuthorizationFlagDefaults |
+ authflags = kAuthorizationFlagDefaults |
kAuthorizationFlagExtendRights;
- if ((status = AuthorizationCopyRights(con->authref, &authrights,
- kAuthorizationEmptyEnvironment,
+ if ((status = AuthorizationCopyRights(con->authref, &authrights,
+ kAuthorizationEmptyEnvironment,
authflags, NULL)) != 0)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
}
+/*
+ * 'copy_authmask()' - Copy function for auth masks.
+ */
+
+static cupsd_authmask_t * /* O - New auth mask */
+copy_authmask(cupsd_authmask_t *mask, /* I - Existing auth mask */
+ void *data) /* I - User data (unused) */
+{
+ cupsd_authmask_t *temp; /* New auth mask */
+
+
+ (void)data;
+
+ if ((temp = malloc(sizeof(cupsd_authmask_t))) != NULL)
+ {
+ memcpy(temp, mask, sizeof(cupsd_authmask_t));
+
+ if (temp->type == CUPSD_AUTH_NAME || temp->type == CUPSD_AUTH_INTERFACE)
+ {
+ /*
+ * Make a copy of the name...
+ */
+
+ if ((temp->mask.name.name = _cupsStrAlloc(temp->mask.name.name)) == NULL)
+ {
+ /*
+ * Failed to make copy...
+ */
+
+ free(temp);
+ temp = NULL;
+ }
+ }
+ }
+
+ return (temp);
+}
+
+
#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
/*
* 'cups_crypt()' - Encrypt the password using the DES or MD5 algorithms,
#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
+/*
+ * 'free_authmask()' - Free function for auth masks.
+ */
+
+static void
+free_authmask(cupsd_authmask_t *mask, /* I - Auth mask to free */
+ void *data) /* I - User data (unused) */
+{
+ (void)data;
+
+ if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
+ _cupsStrFree(mask->mask.name.name);
+
+ free(mask);
+}
+
+
/*
* 'get_md5_password()' - Get an MD5 password.
*/
projects / thirdparty / cups.git / blobdiff