/*
- * "$Id$"
- *
* Authorization routines for the CUPS scheduler.
*
- * Copyright 2007-2014 by Apple Inc.
- * Copyright 1997-2007 by Easy Software Products, all rights reserved.
+ * Copyright © 2007-2018 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
*
* This file contains Kerberos support code, copyright 2006 by
* Jelmer Vernooij.
*
- * These coded instructions, statements, and computer programs are the
- * property of Apple Inc. and are protected by Federal copyright
- * law. Distribution and use rights are outlined in the file "LICENSE.txt"
- * which should have been included with this file. If this file is
- * file is missing or damaged, see the license at "http://www.cups.org/".
+ * Licensed under Apache License v2.0. See the file "LICENSE" for more
+ * information.
*/
/*
static int compare_locations(cupsd_location_t *a,
cupsd_location_t *b);
static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data);
-#if !HAVE_LIBPAM
-static char *cups_crypt(const char *pw, const char *salt);
-#endif /* !HAVE_LIBPAM */
static void free_authmask(cupsd_authmask_t *am, void *data);
#if HAVE_LIBPAM
static int pam_func(int, const struct pam_message **,
cupsd_authmask_t temp; /* New host/domain mask */
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdAddIPMask(masks=%p(%p), address=%x:%x:%x:%x, "
- "netmask=%x:%x:%x:%x)",
- masks, *masks,
- address[0], address[1], address[2], address[3],
- netmask[0], netmask[1], netmask[2], netmask[3]);
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddIPMask(masks=%p(%p), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)", masks, *masks, address[0], address[1], address[2], address[3], netmask[0], netmask[1], netmask[2], netmask[3]);
temp.type = CUPSD_AUTH_IP;
memcpy(temp.mask.ip.address, address, sizeof(temp.mask.ip.address));
{
cupsArrayAdd(Locations, loc);
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: Added location \"%s\"",
- loc->location ? loc->location : "(null)");
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: Added location \"%s\"", loc->location ? loc->location : "(null)");
}
}
cupsdAddName(cupsd_location_t *loc, /* I - Location to add to */
char *name) /* I - Name to add */
{
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")",
- loc, name);
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")", loc, name);
if (!loc->names)
loc->names = cupsArrayNew3(NULL, NULL, NULL, 0,
*ifptr; /* Pointer to end of name */
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdAddNameMask(masks=%p(%p), name=\"%s\")",
- masks, *masks, name);
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddNameMask(masks=%p(%p), name=\"%s\")", masks, *masks, name);
if (!_cups_strcasecmp(name, "@LOCAL"))
{
con->best = cupsdFindBest(con->uri, httpGetState(con->http));
con->type = CUPSD_AUTH_NONE;
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "[Client %d] con->uri=\"%s\", con->best=%p(%s)",
- con->number, con->uri, con->best,
- con->best ? con->best->location : "");
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location : "");
if (con->best && con->best->type != CUPSD_AUTH_NONE)
{
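Review bot: The new `cupsdLogClient` call passes `con->best->location` straight to `%s`, so a matched location with a NULL name would hand a null pointer to the formatter. Other lines in this same change guard that field, for example `loc->location ? loc->location : "(null)"` in cupsdAddLocation and the nested check in the cupsdIsAuthorized trace. I would write the argument as `con->best ? (con->best->location ? con->best->location : "(null)") : ""`. The `best=%s` trace at the end of cupsdFindBest has the same gap. Whether a location can actually reach this point with a NULL name is not visible here, and the enclosing function starts and ends outside the hunk.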
authorization = httpGetField(con->http, HTTP_FIELD_AUTHORIZATION);
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "[Client %d] Authorization=\"%s\"",
- con->number, authorization);
-
username[0] = '\0';
password[0] = '\0';
* No authorization data provided, return early...
*/
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] No authentication data provided.",
- con->number);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "No authentication data provided.");
return;
}
#ifdef HAVE_AUTHORIZATION_H
if (authlen != kAuthorizationExternalFormLength)
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] External Authorization reference size is "
- "incorrect.", con->number);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "External Authorization reference size is incorrect.");
return;
}
if ((status = AuthorizationCreateFromExternalForm((AuthorizationExternalForm *)authdata, &con->authref)) != 0)
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] AuthorizationCreateFromExternalForm "
- "returned %d (%s)", con->number, (int)status,
- cssmErrorString(status));
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "AuthorizationCreateFromExternalForm returned %d (%s)", (int)status, cssmErrorString(status));
return;
}
{
strlcpy(username, authinfo->items[0].value, sizeof(username));
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Authorized as \"%s\" using AuthRef",
- con->number, username);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef.", username);
}
AuthorizationFreeItemSet(authinfo);
if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Unable to get peer credentials - %s",
- con->number, strerror(errno));
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
return;
}
if ((pwd = getpwuid(CUPSD_UCRED_UID(peercred))) == NULL)
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Unable to find UID %d for peer "
- "credentials.", con->number,
- (int)CUPSD_UCRED_UID(peercred));
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to find UID %d for peer credentials.", (int)CUPSD_UCRED_UID(peercred));
return;
}
strlcpy(username, pwd->pw_name, sizeof(username));
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Authorized as \"%s\" using "
- "AuthRef + PeerCred", con->number, username);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef + PeerCred.", username);
}
con->type = CUPSD_AUTH_BASIC;
if (no_peer)
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] PeerCred authentication not allowed for "
- "resource per AUTHKEY policy.", con->number);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "PeerCred authentication not allowed for resource per AUTHKEY policy.");
return;
}
#endif /* HAVE_AUTHORIZATION_H */
if ((pwd = getpwnam(authorization + 9)) == NULL)
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] User \"%s\" does not exist.", con->number,
- authorization + 9);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9);
return;
}
if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
# endif /* __APPLE__ */
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Unable to get peer credentials - %s",
- con->number, strerror(errno));
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
return;
}
if (pwd->pw_uid != CUPSD_UCRED_UID(peercred))
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Invalid peer credentials for \"%s\" - got "
- "%d, expected %d!", con->number, authorization + 9,
- CUPSD_UCRED_UID(peercred), pwd->pw_uid);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Invalid peer credentials for \"%s\" - got %d, expected %d.", authorization + 9, CUPSD_UCRED_UID(peercred), pwd->pw_uid);
# ifdef HAVE_SYS_UCRED_H
- cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_version=%d",
- con->number, peercred.cr_version);
- cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_uid=%d",
- con->number, peercred.cr_uid);
- cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_ngroups=%d",
- con->number, peercred.cr_ngroups);
- cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_groups[0]=%d",
- con->number, peercred.cr_groups[0]);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_version=%d", peercred.cr_version);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_uid=%d", peercred.cr_uid);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_ngroups=%d", peercred.cr_ngroups);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_groups[0]=%d", peercred.cr_groups[0]);
# endif /* HAVE_SYS_UCRED_H */
return;
}
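Review bot: The rewritten "Invalid peer credentials" message prints `CUPSD_UCRED_UID(peercred)` and `pwd->pw_uid` with `%d` and no cast, while the "Unable to find UID %d" message earlier in this change casts with `(int)`. These are presumably `uid_t` values, which are unsigned on common platforms, so the specifier and argument types disagree and high UIDs would be logged as negative numbers. That matters here because this line is what an operator reads when investigating a peer-credential mismatch. I would use `%u` with `(unsigned)CUPSD_UCRED_UID(peercred), (unsigned)pwd->pw_uid`, or at least apply the same `(int)` cast consistently. The later "Using credentials for UID %d." message needs the same treatment, and the function body continues outside the hunk.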
con->gss_uid = CUPSD_UCRED_UID(peercred);
# endif /* HAVE_GSSAPI */
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Authorized as %s using PeerCred", con->number,
- username);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using PeerCred.", username);
con->type = CUPSD_AUTH_BASIC;
}
if ((localuser = cupsdFindCert(authorization)) == NULL)
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Local authentication certificate not found.",
- con->number);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Local authentication certificate not found.");
return;
}
strlcpy(username, localuser->username, sizeof(username));
con->type = localuser->type;
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Authorized as %s using Local", con->number,
- username);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using Local.", username);
}
else if (!strncmp(authorization, "Basic", 5))
{
if ((ptr = strchr(username, ':')) == NULL)
{
- cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Missing Basic password.",
- con->number);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing Basic password.");
return;
}
* Username must not be empty...
*/
- cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Empty Basic username.",
- con->number);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic username.");
return;
}
* Password must not be empty...
*/
- cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Empty Basic password.",
- con->number);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic password.");
return;
}
pamerr = pam_start("cups", username, &pamdata, &pamh);
if (pamerr != PAM_SUCCESS)
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] pam_start() returned %d (%s)",
- con->number, pamerr, pam_strerror(pamh, pamerr));
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_start() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
return;
}
# ifdef PAM_RHOST
pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname);
if (pamerr != PAM_SUCCESS)
- cupsdLogMessage(CUPSD_LOG_WARN,
- "[Client %d] pam_set_item(PAM_RHOST) "
- "returned %d (%s)", con->number, pamerr,
- pam_strerror(pamh, pamerr));
+ cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_RHOST) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
# endif /* PAM_RHOST */
# ifdef PAM_TTY
pamerr = pam_set_item(pamh, PAM_TTY, "cups");
if (pamerr != PAM_SUCCESS)
- cupsdLogMessage(CUPSD_LOG_WARN,
- "[Client %d] pam_set_item(PAM_TTY) "
- "returned %d (%s)!", con->number, pamerr,
- pam_strerror(pamh, pamerr));
+ cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_TTY) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
# endif /* PAM_TTY */
# endif /* HAVE_PAM_SET_ITEM */
pamerr = pam_authenticate(pamh, PAM_SILENT);
if (pamerr != PAM_SUCCESS)
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] pam_authenticate() returned %d (%s)",
- con->number, pamerr, pam_strerror(pamh, pamerr));
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_authenticate() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
}
# ifdef HAVE_PAM_SETCRED
pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
if (pamerr != PAM_SUCCESS)
- cupsdLogMessage(CUPSD_LOG_WARN,
- "[Client %d] pam_setcred() returned %d (%s)",
- con->number, pamerr,
- pam_strerror(pamh, pamerr));
+ cupsdLogClient(con, CUPSD_LOG_WARN, "pam_setcred() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
# endif /* HAVE_PAM_SETCRED */
pamerr = pam_acct_mgmt(pamh, PAM_SILENT);
if (pamerr != PAM_SUCCESS)
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] pam_acct_mgmt() returned %d (%s)",
- con->number, pamerr, pam_strerror(pamh, pamerr));
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_acct_mgmt() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
}
* No such user...
*/
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Unknown username \"%s\".",
- con->number, username);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unknown username \"%s\".", username);
return;
}
* Don't allow blank passwords!
*/
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Username \"%s\" has no shadow "
- "password.", con->number, username);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no shadow password.", username);
return;
}
* Don't allow blank passwords!
*/
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Username \"%s\" has no password.",
- con->number, username);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no password.", username);
return;
}
* client...
*/
- pass = cups_crypt(password, pw->pw_passwd);
-
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "[Client %d] pw_passwd=\"%s\", crypt=\"%s\"",
- con->number, pw->pw_passwd, pass);
+ pass = crypt(password, pw->pw_passwd);
if (!pass || strcmp(pw->pw_passwd, pass))
{
# ifdef HAVE_SHADOW_H
if (spw)
{
- pass = cups_crypt(password, spw->sp_pwdp);
-
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "[Client %d] sp_pwdp=\"%s\", crypt=\"%s\"",
- con->number, spw->sp_pwdp, pass);
+ pass = crypt(password, spw->sp_pwdp);
if (pass == NULL || strcmp(spw->sp_pwdp, pass))
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Authentication failed for user "
- "\"%s\".", con->number, username);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
return;
}
}
else
# endif /* HAVE_SHADOW_H */
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Authentication failed for user "
- "\"%s\".", con->number, username);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
return;
}
}
#endif /* HAVE_LIBPAM */
}
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Authorized as %s using Basic",
- con->number, username);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);
break;
}
* to use it...
*/
- if (gss_init_sec_context == NULL)
+ if (&gss_init_sec_context == NULL)
{
- cupsdLogMessage(CUPSD_LOG_WARN,
- "[Client %d] GSSAPI/Kerberos authentication failed "
- "because the Kerberos framework is not present.",
- con->number);
+ cupsdLogClient(con, CUPSD_LOG_WARN, "GSSAPI/Kerberos authentication failed because the Kerberos framework is not present.");
return;
}
# endif /* __APPLE__ */
if (!*authorization)
{
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "[Client %d] No authentication data specified.",
- con->number);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "No authentication data specified.");
return;
}
if (GSS_ERROR(major_status))
{
- cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
- "[Client %d] Error accepting GSSAPI security context",
- con->number);
+ cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error accepting GSSAPI security context.", con->number);
if (context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
*/
if (major_status == GSS_S_CONTINUE_NEEDED)
- cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
- "[Client %d] Credentials not complete", con->number);
+ cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Credentials not complete.", con->number);
else if (major_status == GSS_S_COMPLETE)
{
major_status = gss_display_name(&minor_status, client_name,
if (GSS_ERROR(major_status))
{
- cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
- "[Client %d] Error getting username", con->number);
+ cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error getting username.", con->number);
gss_release_name(&minor_status, &client_name);
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
return;
strlcpy(username, output_token.value, sizeof(username));
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Authorized as %s using Negotiate",
- con->number, username);
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Negotiate.", username);
gss_release_name(&minor_status, &client_name);
gss_release_buffer(&minor_status, &output_token);
&peersize))
# endif /* __APPLE__ */
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Unable to get peer credentials - %s",
- con->number, strerror(errno));
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
}
else
{
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Using credentials for UID %d.",
- con->number, CUPSD_UCRED_UID(peercred));
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Using credentials for UID %d.", CUPSD_UCRED_UID(peercred));
con->gss_uid = CUPSD_UCRED_UID(peercred);
}
}
if (sscanf(authorization, "%255s", scheme) != 1)
strlcpy(scheme, "UNKNOWN", sizeof(scheme));
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] Bad authentication data \"%s ...\"",
- con->number, scheme);
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Bad authentication data \"%s ...\".", scheme);
return;
}
const char *groupname) /* I - Group name */
{
int i; /* Looping var */
- struct group *group; /* System group info */
+ struct group *group; /* Group info */
+ gid_t groupid; /* ID of named group */
#ifdef HAVE_MBR_UID_TO_UUID
uuid_t useruuid, /* UUID for username */
groupuuid; /* UUID for groupname */
#endif /* HAVE_MBR_UID_TO_UUID */
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")",
- username, user, groupname);
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")", username, user, groupname);
/*
* Validate input...
* Group exists, check it...
*/
+ groupid = group->gr_gid;
+
+#ifdef HAVE_GETGROUPLIST
+ if (user)
+ {
+ int ngroups; /* Number of groups */
+# ifdef __APPLE__
+ int groups[2048]; /* Groups that user belongs to */
+# else
+ gid_t groups[2048]; /* Groups that user belongs to */
+# endif /* __APPLE__ */
+
+ ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
+# ifdef __APPLE__
+ getgrouplist(username, (int)user->pw_gid, groups, &ngroups);
+# else
+ getgrouplist(username, user->pw_gid, groups, &ngroups);
+#endif /* __APPLE__ */
+
+ for (i = 0; i < ngroups; i ++)
+ if ((int)groupid == (int)groups[i])
+ return (1);
+ }
+
+#else
for (i = 0; group->gr_mem[i]; i ++)
+ {
if (!_cups_strcasecmp(username, group->gr_mem[i]))
return (1);
+ }
+#endif /* HAVE_GETGROUPLIST */
}
+ else
+ groupid = (gid_t)-1;
/*
* Group doesn't exist or user not in group list, check the group ID
* against the user's group ID...
*/
- if (user && group && group->gr_gid == user->pw_gid)
+ if (user && groupid == user->pw_gid)
return (1);
#ifdef HAVE_MBR_UID_TO_UUID
/*
- * Check group membership through MacOS X membership API...
+ * Check group membership through macOS membership API...
*/
if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid))
{
- if (group)
+ if (groupid != (gid_t)-1)
{
/*
* Map group name to UUID and check membership...
*/
- if (!mbr_gid_to_uuid(group->gr_gid, groupuuid))
+ if (!mbr_gid_to_uuid(groupid, groupuuid))
if (!mbr_check_membership(useruuid, groupuuid, &is_member))
if (is_member)
return (1);
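Review bot: The return value of `getgrouplist()` is ignored in the new `HAVE_GETGROUPLIST` branch, and the loop then trusts whatever the call left in `ngroups`. On C libraries that report the required count when the buffer is too small (glibc documents this), a user in more than 2048 groups leaves `ngroups` larger than the array, and `groups[i]` is read past the end of the stack buffer. Clamp after the call with `if (ngroups > (int)(sizeof(groups) / sizeof(groups[0]))) ngroups = (int)(sizeof(groups) / sizeof(groups[0]));`, or treat a negative return as "list truncated" and fall through to the remaining checks. Also note that with `HAVE_GETGROUPLIST` defined the `gr_mem` scan is compiled out, so a NULL `user` no longer gets any name-based membership check; if that is intended, a comment saying so would help. cupsdCheckGroup starts and ends outside this hunk.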
if (loc->location)
temp->location = _cupsStrAlloc(loc->location);
+ temp->length = loc->length;
temp->limit = loc->limit;
temp->order_type = loc->order_type;
temp->type = loc->type;
CUPSD_AUTH_LIMIT_DELETE,
CUPSD_AUTH_LIMIT_TRACE,
CUPSD_AUTH_LIMIT_ALL,
+ CUPSD_AUTH_LIMIT_ALL,
+ CUPSD_AUTH_LIMIT_ALL,
CUPSD_AUTH_LIMIT_ALL
};
strlcpy(uri, path, sizeof(uri));
+ if ((uriptr = strchr(uri, '?')) != NULL)
+ *uriptr = '\0'; /* Drop trailing query string */
+
+ if ((uriptr = uri + strlen(uri) - 1) > uri && *uriptr == '/')
+ *uriptr = '\0'; /* Remove trailing '/' */
+
if (!strncmp(uri, "/printers/", 10) ||
!strncmp(uri, "/classes/", 9))
{
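Review bot: The trailing-slash check computes `uri + strlen(uri) - 1` before testing anything, so an empty `uri` forms a pointer one element before the array, which is undefined behaviour even though the `> uri` comparison is then meant to reject it. An empty string can also be produced by the line just above if `path` begins with `?`. I would guard on the content first: `if (uri[0] && (uriptr = uri + strlen(uri) - 1) > uri && *uriptr == '/')`. Since this normalisation decides which Location policy a request is matched against, a short comment stating that the bare "/" is deliberately kept would also help the next reader. The function body starts and ends outside the hunk.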
*uriptr = '\0';
}
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri = \"%s\"...", uri);
-
/*
* Loop through the list of locations to find a match...
*/
best = NULL;
bestlen = 0;
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri=\"%s\", limit=%x...", uri, limit);
+
+
for (loc = (cupsd_location_t *)cupsArrayFirst(Locations);
loc;
loc = (cupsd_location_t *)cupsArrayNext(Locations))
{
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s Limit %x",
- loc->location ? loc->location : "nil", loc->limit);
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s(%d) Limit %x", loc->location ? loc->location : "(null)", (int)loc->length, loc->limit);
if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9))
{
* Return the match, if any...
*/
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best = %s",
- best ? best->location : "NONE");
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best=%s", best ? best->location : "NONE");
return (best);
}
};
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)",
- con->uri, con->best, con->best ? con->best->location ?
- con->best->location : "(null)" : "");
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location ? con->best->location : "(null)" : "");
if (owner)
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdIsAuthorized: owner=\"%s\"", owner);
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: owner=\"%s\"", owner);
/*
* If there is no "best" authentication rule for this request, then
if ((type = best->type) == CUPSD_AUTH_DEFAULT)
type = cupsdDefaultAuthType();
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, "
- "satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d",
- levels[best->level], types[type],
- best->satisfy ? "ANY" : "ALL", cupsArrayCount(best->names));
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d", levels[best->level], types[type], best->satisfy ? "ANY" : "ALL", cupsArrayCount(best->names));
if (best->limit == CUPSD_AUTH_LIMIT_IPP)
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)",
- best->op, ippOpString(best->op));
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)", best->op, ippOpString(best->op));
/*
* Check host/ip-based accesses...
auth = cupsdCheckAccess(address, hostname, hostlen, best)
? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...",
- auth ? "DENY" : "ALLOW");
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...", auth ? "DENY" : "ALLOW");
if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL)
return (HTTP_FORBIDDEN);
* allowed...
*/
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdIsAuthorized: Checking user membership...");
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking user membership...");
#ifdef HAVE_AUTHORIZATION_H
/*
* Check to see if this user is in any of the named groups...
*/
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdIsAuthorized: Checking group membership...");
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group membership...");
/*
* Check to see if this user is in any of the named groups...
name;
name = (char *)cupsArrayNext(best->names))
{
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdIsAuthorized: Checking group \"%s\" membership...",
- name);
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group \"%s\" membership...", name);
if (!_cups_strcasecmp(name, "@SYSTEM"))
{
* The user isn't part of the specified group, so deny access...
*/
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdIsAuthorized: User not in group(s)!");
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: User not in group(s).");
return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
}
return (0);
}
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "AuthorizationCopyRights(\"%s\") succeeded!",
- authright.name);
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "AuthorizationCopyRights(\"%s\") succeeded.", authright.name);
return (1);
}
}
-#if !HAVE_LIBPAM
-/*
- * 'cups_crypt()' - Encrypt the password using the DES or MD5 algorithms,
- * as needed.
- */
-
-static char * /* O - Encrypted password */
-cups_crypt(const char *pw, /* I - Password string */
- const char *salt) /* I - Salt (key) string */
-{
- if (!strncmp(salt, "$1$", 3))
- {
- /*
- * Use MD5 passwords without the benefit of PAM; this is for
- * Slackware Linux, and the algorithm was taken from the
- * old shadow-19990827/lib/md5crypt.c source code... :(
- */
-
- int i; /* Looping var */
- unsigned long n; /* Output number */
- int pwlen; /* Length of password string */
- const char *salt_end; /* End of "salt" data for MD5 */
- char *ptr; /* Pointer into result string */
- _cups_md5_state_t state; /* Primary MD5 state info */
- _cups_md5_state_t state2; /* Secondary MD5 state info */
- unsigned char digest[16]; /* MD5 digest result */
- static char result[120]; /* Final password string */
-
-
- /*
- * Get the salt data between dollar signs, e.g. $1$saltdata$md5.
- * Get a maximum of 8 characters of salt data after $1$...
- */
-
- for (salt_end = salt + 3; *salt_end && (salt_end - salt) < 11; salt_end ++)
- if (*salt_end == '$')
- break;
-
- /*
- * Compute the MD5 sum we need...
- */
-
- pwlen = strlen(pw);
-
- _cupsMD5Init(&state);
- _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
- _cupsMD5Append(&state, (unsigned char *)salt, salt_end - salt);
-
- _cupsMD5Init(&state2);
- _cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
- _cupsMD5Append(&state2, (unsigned char *)salt + 3, salt_end - salt - 3);
- _cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
- _cupsMD5Finish(&state2, digest);
-
- for (i = pwlen; i > 0; i -= 16)
- _cupsMD5Append(&state, digest, i > 16 ? 16 : i);
-
- for (i = pwlen; i > 0; i >>= 1)
- _cupsMD5Append(&state, (unsigned char *)((i & 1) ? "" : pw), 1);
-
- _cupsMD5Finish(&state, digest);
-
- for (i = 0; i < 1000; i ++)
- {
- _cupsMD5Init(&state);
-
- if (i & 1)
- _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
- else
- _cupsMD5Append(&state, digest, 16);
-
- if (i % 3)
- _cupsMD5Append(&state, (unsigned char *)salt + 3, salt_end - salt - 3);
-
- if (i % 7)
- _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
-
- if (i & 1)
- _cupsMD5Append(&state, digest, 16);
- else
- _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
-
- _cupsMD5Finish(&state, digest);
- }
-
- /*
- * Copy the final sum to the result string and return...
- */
-
- memcpy(result, salt, (size_t)(salt_end - salt));
- ptr = result + (salt_end - salt);
- *ptr++ = '$';
-
- for (i = 0; i < 5; i ++, ptr += 4)
- {
- n = ((((unsigned)digest[i] << 8) | (unsigned)digest[i + 6]) << 8);
-
- if (i < 4)
- n |= (unsigned)digest[i + 12];
- else
- n |= (unsigned)digest[5];
-
- to64(ptr, n, 4);
- }
-
- to64(ptr, (unsigned)digest[11], 2);
- ptr += 2;
- *ptr = '\0';
-
- return (result);
- }
- else
- {
- /*
- * Use the standard crypt() function...
- */
-
- return (crypt(pw, salt));
- }
-}
-#endif /* !HAVE_LIBPAM */
-
-
/*
* 'free_authmask()' - Free function for auth masks.
*/
* Answer all of the messages...
*/
- DEBUG_printf(("pam_func: appdata_ptr = %p\n", appdata_ptr));
-
data = (cupsd_authdata_t *)appdata_ptr;
for (i = 0; i < num_msg; i ++)
{
- DEBUG_printf(("pam_func: Message = \"%s\"\n", msg[i]->msg));
-
switch (msg[i]->msg_style)
{
case PAM_PROMPT_ECHO_ON:
- DEBUG_printf(("pam_func: PAM_PROMPT_ECHO_ON, returning \"%s\"...\n",
- data->username));
replies[i].resp_retcode = PAM_SUCCESS;
replies[i].resp = strdup(data->username);
break;
case PAM_PROMPT_ECHO_OFF:
- DEBUG_printf(("pam_func: PAM_PROMPT_ECHO_OFF, returning \"%s\"...\n",
- data->password));
replies[i].resp_retcode = PAM_SUCCESS;
replies[i].resp = strdup(data->password);
break;
case PAM_TEXT_INFO:
- DEBUG_puts("pam_func: PAM_TEXT_INFO...");
replies[i].resp_retcode = PAM_SUCCESS;
replies[i].resp = NULL;
break;
case PAM_ERROR_MSG:
- DEBUG_puts("pam_func: PAM_ERROR_MSG...");
replies[i].resp_retcode = PAM_SUCCESS;
replies[i].resp = NULL;
break;
default:
- DEBUG_printf(("pam_func: Unknown PAM message %d...\n",
- msg[i]->msg_style));
free(replies);
return (PAM_CONV_ERR);
}
*s++ = itoa64[v & 0x3f];
}
#endif /* HAVE_LIBPAM */
-
-
-/*
- * End of "$Id$".
- */