/*
- * "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $"
+ * "$Id: auth.c 11500 2014-01-06 22:21:15Z msweet $"
*
* Authorization routines for the CUPS scheduler.
*
typedef struct xucred cupsd_ucred_t;
# define CUPSD_UCRED_UID(c) (c).cr_uid
#else
+# ifndef __OpenBSD__
typedef struct ucred cupsd_ucred_t;
+# else
+typedef struct sockpeercred cupsd_ucred_t;
+# endif
# define CUPSD_UCRED_UID(c) (c).uid
#endif /* HAVE_SYS_UCRED_H */
-#ifdef HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID
-/* Not in public headers... */
-extern void krb5_ipc_client_set_target_uid(uid_t);
-extern void krb5_ipc_client_clear_target(void);
-#endif /* HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID */
/*
socklen_t peersize; /* Size of peer credentials */
#ifdef HAVE_AUTHORIZATION_H
const char *name; /* Authorizing name */
+ int no_peer = 0; /* Don't allow peer credentials? */
+
+ /*
+ * See if we should allow peer credentials...
+ */
for (name = (char *)cupsArrayFirst(con->best->names);
name;
name = (char *)cupsArrayNext(con->best->names))
+ {
if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) ||
!_cups_strcasecmp(name, "@SYSTEM"))
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] PeerCred authentication not allowed for "
- "resource.", con->http.fd);
- return;
+ /* Normally don't want peer credentials if we need an auth key... */
+ no_peer = 1;
}
+ else if (!_cups_strcasecmp(name, "@OWNER"))
+ {
+ /* but if @OWNER is present then we allow it... */
+ no_peer = 0;
+ break;
+ }
+ }
+
+ if (no_peer)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "[Client %d] PeerCred authentication not allowed for "
+ "resource per AUTHKEY policy.", con->http.fd);
+ return;
+ }
#endif /* HAVE_AUTHORIZATION_H */
if ((pwd = getpwnam(authorization + 9)) == NULL)
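Review bot: The rejection message in the new `if (no_peer)` block says "per AUTHKEY policy", but `no_peer` is also set by a plain `@SYSTEM` entry, so the error log does not tell an operator which name blocked PeerCred. The `@OWNER` branch also needs a fuller comment than "but if @OWNER is present then we allow it...", because one `@OWNER` entry anywhere in `con->best->names` re-enables peer credentials for a location that also lists `@AUTHKEY(...)` or `@SYSTEM`, regardless of order. I would add something like `/* @OWNER anywhere in the list overrides @AUTHKEY/@SYSTEM; the later authorization check must still reject a peer-authenticated user who is not the owner */`. Whether that later check does so cannot be seen here, since the enclosing function starts and ends outside the hunk.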
while (isspace(*authorization & 255))
authorization ++;
- if ((localuser = cupsdFindCert(authorization)) != NULL)
- {
- strlcpy(username, localuser->username, sizeof(username));
-
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Authorized as %s using Local", con->http.fd,
- username);
- }
- else
+ if ((localuser = cupsdFindCert(authorization)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Local authentication certificate not found.",
return;
}
-#ifdef HAVE_GSSAPI
- if (localuser->ccache)
- con->type = CUPSD_AUTH_NEGOTIATE;
- else
-#endif /* HAVE_GSSAPI */
- con->type = CUPSD_AUTH_BASIC;
+ strlcpy(username, localuser->username, sizeof(username));
+ con->type = localuser->type;
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "[Client %d] Authorized as %s using Local", con->http.fd,
+ username);
}
else if (!strncmp(authorization, "Basic", 5))
{
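Review bot: `con->type = localuser->type;` now trusts whatever type was recorded in the certificate entry, where the removed code could only produce CUPSD_AUTH_BASIC or CUPSD_AUTH_NEGOTIATE. If any path creates a certificate without setting `type`, the connection would carry an unintended authentication type into later authorization decisions. The certificate creation code is outside this hunk, so this is something to confirm, not a demonstrated defect. A comment such as `/* Inherit the auth type recorded when the certificate was issued */` above the assignment would make the dependency explicit. The enclosing function starts and ends outside the hunk.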
if (sscanf(authorization, "%255s", scheme) != 1)
- strcpy(scheme, "UNKNOWN");
+ strlcpy(scheme, "UNKNOWN", sizeof(scheme));
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Bad authentication data \"%s ...\"",
netip6[3] = htonl(ip[3]);
#endif /* AF_INET6 */
+ cupsdNetIFUpdate();
+
if (!strcmp(mask->mask.name.name, "*"))
{
#ifdef __APPLE__
* Check against all local interfaces...
*/
- cupsdNetIFUpdate();
-
for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
iface;
iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
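Review bot: The hoisted `cupsdNetIFUpdate();` has no comment explaining why it now runs before the `"*"` comparison instead of only inside that branch. Presumably the other branch of this `if` (outside the hunk) also reads NetIFList and was previously matching access masks against a stale interface list. If so, say it, e.g. `/* Refresh NetIFList first so every interface-mask branch below compares against current interfaces */`. The call now runs on every interface-mask check, so it is worth confirming that cupsdNetIFUpdate() limits how often it rescans.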
/*
- * End of "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $".
+ * End of "$Id: auth.c 11500 2014-01-06 22:21:15Z msweet $".
*/