Merge changes from CUPS 1.4svn-r7961.
[thirdparty/cups.git] / scheduler / auth.c
index c12592cda83d2a2763bbf7fbac53a1b76c23c356..5d839283c72f6ebed34a461e2b454b06590c34af 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $"
+ * "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $"
  *
  *   Authorization routines for the Common UNIX Printing System (CUPS).
  *
@@ -114,7 +114,8 @@ static int          compare_locations(cupsd_location_t *a,
 static char            *cups_crypt(const char *pw, const char *salt);
 #endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
 #ifdef HAVE_GSSAPI
-static gss_cred_id_t   get_gss_creds(const char *service_name);
+static gss_cred_id_t   get_gss_creds(const char *service_name,
+                                     const char *con_server_name);
 #endif /* HAVE_GSSAPI */
 static char            *get_md5_password(const char *username,
                                          const char *group, char passwd[33]);
@@ -343,7 +344,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
   char         *ptr,                   /* Pointer into string */
                username[256],          /* Username string */
                password[33];           /* Password string */
-  const char   *localuser;             /* Certificate username */
+  cupsd_cert_t *localuser;             /* Certificate username */
   char         nonce[HTTP_MAX_VALUE],  /* Nonce value from client */
                md5[33],                /* MD5 password */
                basicmd5[33];           /* MD5 of Basic password */
@@ -545,7 +546,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
 
     if ((localuser = cupsdFindCert(authorization)) != NULL)
     {
-      strlcpy(username, localuser, sizeof(username));
+      strlcpy(username, localuser->username, sizeof(username));
 
       cupsdLogMessage(CUPSD_LOG_DEBUG,
                      "cupsdAuthorize: Authorized as %s using Local",
@@ -559,7 +560,12 @@ cupsdAuthorize(cupsd_client_t *con)        /* I - Client connection */
       return;
     }
 
-    con->type = CUPSD_AUTH_BASIC;
+#ifdef HAVE_GSSAPI
+    if (localuser->ccache)
+      con->type = CUPSD_AUTH_NEGOTIATE;
+    else
+#endif /* HAVE_GSSAPI */
+      con->type = CUPSD_AUTH_BASIC;
   }
   else if (!strncmp(authorization, "Basic", 5))
   {
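Review bot: The `else` left dangling in front of `#endif /* HAVE_GSSAPI */` makes `con->type = CUPSD_AUTH_BASIC;` the body of a conditional that only exists in GSSAPI builds, which is easy to break on the next edit. Bracing both arms inside the `#ifdef` and giving the non-GSSAPI build its own plain assignment under `#else` would be safer. The reason a connection authenticated by a Local certificate is reported as Negotiate is also not stated. A comment such as `/* Certificate carries a Kerberos credential cache, so treat the connection as Negotiate */` would help, if that is indeed the intent. The NULL test on `localuser` sits in the previous hunk, so the dereference here depends on the not-found branch returning before this point.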
@@ -660,25 +666,46 @@ cupsdAuthorize(cupsd_client_t *con)       /* I - Client connection */
            if (pamerr != PAM_SUCCESS)
            {
              cupsdLogMessage(CUPSD_LOG_ERROR,
-                             "cupsdAuthorize: pam_start() returned %d (%s)!\n",
+                             "cupsdAuthorize: pam_start() returned %d (%s)!",
                              pamerr, pam_strerror(pamh, pamerr));
              return;
            }
 
-#  if defined(HAVE_PAM_SET_ITEM) && defined(PAM_RHOST)
+#  ifdef HAVE_PAM_SET_ITEM
+#    ifdef PAM_RHOST
            pamerr = pam_set_item(pamh, PAM_RHOST, con->http.hostname);
            if (pamerr != PAM_SUCCESS)
              cupsdLogMessage(CUPSD_LOG_WARN,
-                             "cupsdAuthorize: pam_set_item() returned %d "
-                             "(%s)!\n", pamerr, pam_strerror(pamh, pamerr));
-#  endif /* HAVE_PAM_SET_ITEM && PAM_RHOST */
+                             "cupsdAuthorize: pam_set_item(PAM_RHOST) "
+                             "returned %d (%s)!", pamerr,
+                             pam_strerror(pamh, pamerr));
+#    endif /* PAM_RHOST */
+
+#    ifdef PAM_TTY
+           pamerr = pam_set_item(pamh, PAM_TTY, "cups");
+           if (pamerr != PAM_SUCCESS)
+             cupsdLogMessage(CUPSD_LOG_WARN,
+                             "cupsdAuthorize: pam_set_item(PAM_TTY) "
+                             "returned %d (%s)!", pamerr,
+                             pam_strerror(pamh, pamerr));
+#    endif /* PAM_TTY */
+#  endif /* HAVE_PAM_SET_ITEM */
+
+#  ifdef HAVE_PAM_SETCRED
+            pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+           if (pamerr != PAM_SUCCESS)
+             cupsdLogMessage(CUPSD_LOG_WARN,
+                             "cupsdAuthorize: pam_setcred() "
+                             "returned %d (%s)!", pamerr,
+                             pam_strerror(pamh, pamerr));
+#  endif /* HAVE_PAM_SETCRED */
 
            pamerr = pam_authenticate(pamh, PAM_SILENT);
            if (pamerr != PAM_SUCCESS)
            {
              cupsdLogMessage(CUPSD_LOG_ERROR,
                              "cupsdAuthorize: pam_authenticate() returned %d "
-                             "(%s)!\n",
+                             "(%s)!",
                              pamerr, pam_strerror(pamh, pamerr));
              pam_end(pamh, 0);
              return;
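Review bot: `pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT)` is called before `pam_authenticate()`, so PAM modules are asked to establish credentials for a user whose password has not been verified yet. The PAM convention is to authenticate first and set credentials afterwards, so the `#ifdef HAVE_PAM_SETCRED` block should move below the `pam_authenticate()` failure check. Its result is only logged at warning level and then overwritten by the next assignment to `pamerr`. No matching `pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT)` is visible on the error paths that call `pam_end()`, though cupsdAuthorize continues outside this hunk.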
@@ -689,7 +716,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
            {
              cupsdLogMessage(CUPSD_LOG_ERROR,
                              "cupsdAuthorize: pam_acct_mgmt() returned %d "
-                             "(%s)!\n",
+                             "(%s)!",
                              pamerr, pam_strerror(pamh, pamerr));
              pam_end(pamh, 0);
              return;
@@ -707,8 +734,8 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
 
 
            cupsdLogMessage(CUPSD_LOG_DEBUG,
-                           "cupsdAuthorize: AIX authenticate of username \"%s\"",
-                            username);
+                           "cupsdAuthorize: AIX authenticate of username "
+                           "\"%s\"", username);
 
            reenter = 1;
            if (authenticate(username, password, &reenter, &authmsg) != 0)
@@ -985,7 +1012,7 @@ cupsdAuthorize(cupsd_client_t *con)        /* I - Client connection */
     * Get the server credentials...
     */
 
-    if ((server_creds = get_gss_creds(GSSServiceName)) == NULL)
+    if ((server_creds = get_gss_creds(GSSServiceName, con->servername)) == NULL)
       return;  
 
    /*
@@ -1346,13 +1373,13 @@ cupsdCheckGroup(
     struct passwd *user,               /* I - System user info */
     const char    *groupname)          /* I - Group name */
 {
-  int                  i;              /* Looping var */
-  struct group         *group;         /* System group info */
-  char                 junk[33];       /* MD5 password (not used) */
+  int          i;                      /* Looping var */
+  struct group *group;                 /* System group info */
+  char         junk[33];               /* MD5 password (not used) */
 #ifdef HAVE_MBR_UID_TO_UUID
-  uuid_t               useruuid,       /* UUID for username */
-                       groupuuid;      /* UUID for groupname */
-  int                  is_member;      /* True if user is a member of group */
+  uuid_t       useruuid,               /* UUID for username */
+               groupuuid;              /* UUID for groupname */
+  int          is_member;              /* True if user is a member of group */
 #endif /* HAVE_MBR_UID_TO_UUID */
 
 
@@ -1398,12 +1425,40 @@ cupsdCheckGroup(
   * Check group membership through MacOS X membership API...
   */
 
-  if (user && group)
-    if (!mbr_uid_to_uuid(user->pw_uid, useruuid))
+  if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid))
+  {
+    if (group)
+    {
+     /*
+      * Map group name to UUID and check membership...
+      */
+
       if (!mbr_gid_to_uuid(group->gr_gid, groupuuid))
-       if (!mbr_check_membership(useruuid, groupuuid, &is_member))
+        if (!mbr_check_membership(useruuid, groupuuid, &is_member))
          if (is_member)
            return (1);
+    }
+    else if (groupname[0] == '#')
+    {
+     /*
+      * Use UUID directly and check for equality (user UUID) and
+      * membership (group UUID)...
+      */
+
+      if (!uuid_parse((char *)groupname + 1, groupuuid))
+      {
+        if (!uuid_compare(useruuid, groupuuid))
+         return (1);
+       else if (!mbr_check_membership(useruuid, groupuuid, &is_member))
+         if (is_member)
+           return (1);
+      }
+
+      return (0);
+    }
+  }
+  else if (groupname[0] == '#')
+    return (0);
 #endif /* HAVE_MBR_UID_TO_UUID */
 
  /*
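Review bot: The new `#`-prefixed branch changes what a group name can mean, and nothing outside the inline comment documents it: the parsed UUID grants access when it equals the user's own UUID as well as when it names a group the user belongs to. Both `return (0)` exits fail closed, which is the right default, but the outer `else if (groupname[0] == '#') return (0);` has no comment. Suggest `/* UUID-style name but no user UUID to compare against - deny */`. The cast in `uuid_parse((char *)groupname + 1, groupuuid)` discards `const` and deserves a short note on why it is needed. The unbraced `if`/`else if`/`if` ladder after `uuid_compare()` would be easier to audit with braces. cupsdCheckGroup starts and ends outside this hunk.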
@@ -2120,7 +2175,7 @@ cupsdIsAuthorized(cupsd_client_t *con,    /* I - Connection */
          return (HTTP_OK);
       }
 
-      return (HTTP_UNAUTHORIZED);
+      return (HTTP_FORBIDDEN);
     }
 #endif /* HAVE_AUTHORIZATION_H */
 
@@ -2144,7 +2199,7 @@ cupsdIsAuthorized(cupsd_client_t *con,    /* I - Connection */
         return (HTTP_OK);
     }
 
-    return (HTTP_UNAUTHORIZED);
+    return (HTTP_FORBIDDEN);
   }
 
  /*
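Review bot: Returning `HTTP_FORBIDDEN` here, and at the two sibling returns changed in the neighbouring cupsdIsAuthorized hunks, means the client is no longer challenged for credentials again. That is correct only if a request carrying no credentials at all can never reach these returns. The earlier part of cupsdIsAuthorized is outside the hunks, so this cannot be confirmed from here. If an empty username can get this far, `return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);` would keep the 401 challenge for unauthenticated clients. A one-line comment stating the 401-versus-403 rule at each of the three sites would make the policy explicit.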
@@ -2181,7 +2236,7 @@ cupsdIsAuthorized(cupsd_client_t *con,    /* I - Connection */
   cupsdLogMessage(CUPSD_LOG_DEBUG,
                   "cupsdIsAuthorized: User not in group(s)!");
 
-  return (HTTP_UNAUTHORIZED);
+  return (HTTP_FORBIDDEN);
 }
 
 
@@ -2463,7 +2518,9 @@ cups_crypt(const char *pw,                /* I - Password string */
  */
 
 static gss_cred_id_t                   /* O - Server credentials */
-get_gss_creds(const char *service_name)        /* I - Service name */
+get_gss_creds(
+    const char *service_name,          /* I - Service name */
+    const char *con_server_name)       /* I - Hostname of server */
 {
   OM_uint32    major_status,           /* Major status code */
                minor_status;           /* Minor status code */
@@ -2471,12 +2528,10 @@ get_gss_creds(const char *service_name) /* I - Service name */
   gss_cred_id_t        server_creds;           /* Server credentials */
   gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
                                        /* Service name token */
-  char         buf[1024],              /* Service name buffer */
-               fqdn[HTTP_MAX_URI];     /* Hostname of server */
+  char         buf[1024];              /* Service name buffer */
 
 
-  snprintf(buf, sizeof(buf), "%s@%s", service_name,
-          httpGetHostname(NULL, fqdn, sizeof(fqdn)));
+  snprintf(buf, sizeof(buf), "%s@%s", service_name, con_server_name);
 
   token.value  = buf;
   token.length = strlen(buf);
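Review bot: The service principal is now built from `con_server_name`, a per-connection value, and the `snprintf()` into `buf` has neither a NULL/empty check on that argument nor a truncation check on its result. If `con->servername`, passed at the `get_gss_creds()` call in cupsdAuthorize, can hold an address literal or a name the client influences, credential acquisition may fail or pick a different keytab entry than the old `httpGetHostname()` lookup did. It is worth documenting where that field is populated. A guard such as `if (!con_server_name || !*con_server_name) return (NULL);` before the `snprintf()` would make the failure explicit, since the caller already treats NULL as an error. The function body continues outside this hunk.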
@@ -2709,5 +2764,5 @@ to64(char          *s,                    /* O - Output string */
 
 
 /*
- * End of "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $".
+ * End of "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $".
  */