/*
- * "$Id: auth.c 5197 2006-02-27 21:30:20Z mike $"
+ * "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $"
*
* Authorization routines for the Common UNIX Printing System (CUPS).
*
- * Copyright 1997-2006 by Easy Software Products, all rights reserved.
+ * Copyright 2007-2009 by Apple Inc.
+ * Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
- * These coded instructions, statements, and computer programs are the
- * property of Easy Software Products and are protected by Federal
- * copyright law. Distribution and use rights are outlined in the file
- * "LICENSE.txt" which should have been included with this file. If this
- * file is missing or damaged please contact Easy Software Products
- * at:
- *
- * Attn: CUPS Licensing Information
- * Easy Software Products
- * 44141 Airport View Drive, Suite 204
- * Hollywood, Maryland 20636 USA
+ * This file contains Kerberos support code, copyright 2006 by
+ * Jelmer Vernooij.
*
- * Voice: (301) 373-9600
- * EMail: cups-info@cups.org
- * WWW: http://www.cups.org
+ * These coded instructions, statements, and computer programs are the
+ * property of Apple Inc. and are protected by Federal copyright
+ * law. Distribution and use rights are outlined in the file "LICENSE.txt"
+ * which should have been included with this file. If this file is
+ * file is missing or damaged, see the license at "http://www.cups.org/".
*
* Contents:
*
* location.
* cupsdAllowIP() - Add an IP address or network that is allowed to
* access the location.
+ * cupsdAuthorize() - Validate any authorization credentials.
+ * cupsdCheckAccess() - Check whether the given address is allowed to
+ * access a location.
* cupsdCheckAuth() - Check authorization masks.
* cupsdCheckGroup() - Check for a user's group membership.
+ * cupsdCopyKrb5Creds() - Get a copy of the Kerberos credentials.
* cupsdCopyLocation() - Make a copy of a location...
- * cupsdDeleteAllLocations() - Free all memory used for location authorization.
+ * cupsdDeleteAllLocations() - Free all memory used for location
+ * authorization.
* cupsdDeleteLocation() - Free all memory used by a location.
- * cupsdDenyHost() - Add a host name that is not allowed to access the
- * location.
- * cupsdDenyIP() - Add an IP address or network that is not allowed
- * to access the location.
+ * cupsdDenyHost() - Add a host name that is not allowed to access
+ * the location.
+ * cupsdDenyIP() - Add an IP address or network that is not
+ * allowed to access the location.
* cupsdFindBest() - Find the location entry that best matches the
* resource.
* cupsdFindLocation() - Find the named location.
- * cupsdGetMD5Passwd() - Get an MD5 password.
* cupsdIsAuthorized() - Check to see if the user is authorized...
* add_allow() - Add an allow mask to the location.
* add_deny() - Add a deny mask to the location.
+ * check_authref() - Check if an authorization services reference
+ * has the supplied right.
* compare_locations() - Compare two locations.
* cups_crypt() - Encrypt the password using the DES or MD5
* algorithms, as needed.
+ * get_md5_password() - Get an MD5 password.
* pam_func() - PAM conversation function.
* to64() - Base64-encode an integer value...
*/
#ifdef HAVE_MEMBERSHIP_H
# include <membership.h>
#endif /* HAVE_MEMBERSHIP_H */
+#ifdef HAVE_AUTHORIZATION_H
+# include <Security/AuthorizationTags.h>
+# ifdef HAVE_SECBASEPRIV_H
+# include <Security/SecBasePriv.h>
+# else
+extern const char *cssmErrorString(int error);
+# endif /* HAVE_SECBASEPRIV_H */
+#endif /* HAVE_AUTHORIZATION_H */
+#ifdef HAVE_SYS_PARAM_H
+# include <sys/param.h>
+#endif /* HAVE_SYS_PARAM_H */
+#ifdef HAVE_SYS_UCRED_H
+# include <sys/ucred.h>
+typedef struct xucred cupsd_ucred_t;
+# define CUPSD_UCRED_UID(c) (c).cr_uid
+#else
+typedef struct ucred cupsd_ucred_t;
+# define CUPSD_UCRED_UID(c) (c).uid
+#endif /* HAVE_SYS_UCRED_H */
+#ifdef HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID
+/* Not in public headers... */
+extern void krb5_ipc_client_set_target_uid(uid_t);
+extern void krb5_ipc_client_clear_target(void);
+#endif /* HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID */
/*
static cupsd_authmask_t *add_allow(cupsd_location_t *loc);
static cupsd_authmask_t *add_deny(cupsd_location_t *loc);
+#ifdef HAVE_AUTHORIZATION_H
+static int check_authref(cupsd_client_t *con, const char *right);
+#endif /* HAVE_AUTHORIZATION_H */
static int compare_locations(cupsd_location_t *a,
cupsd_location_t *b);
-#if !HAVE_LIBPAM
+#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
static char *cups_crypt(const char *pw, const char *salt);
-#endif /* !HAVE_LIBPAM */
+#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
+static char *get_md5_password(const char *username,
+ const char *group, char passwd[33]);
#if HAVE_LIBPAM
static int pam_func(int, const struct pam_message **,
struct pam_response **, void *);
-#else
+#elif !defined(HAVE_USERSEC_H)
static void to64(char *s, unsigned long v, int n);
#endif /* HAVE_LIBPAM */
* Local globals...
*/
-#if defined(__hpux) && defined(HAVE_LIBPAM)
+#if defined(__hpux) && HAVE_LIBPAM
static cupsd_authdata_t *auth_data; /* Current client being authenticated */
#endif /* __hpux && HAVE_LIBPAM */
* Initialize the record and copy the name over...
*/
- temp->location = strdup(location);
- temp->length = strlen(temp->location);
+ if ((temp->location = strdup(location)) == NULL)
+ {
+ free(temp);
+ return (NULL);
+ }
+
+ temp->length = strlen(temp->location);
cupsArrayAdd(Locations, temp);
if (temp == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to add name to location %s: %s",
- loc->location, strerror(errno));
+ loc->location ? loc->location : "nil", strerror(errno));
return;
}
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to duplicate name for location %s: %s",
- loc->location, strerror(errno));
+ loc->location ? loc->location : "nil", strerror(errno));
return;
}
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAllowHost(loc=%p(%s), name=\"%s\")",
- loc, loc->location, name);
+ loc, loc->location ? loc->location : "nil", name);
if ((temp = add_allow(loc)) == NULL)
return;
* Allow *interface*...
*/
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup("*");
temp->mask.name.length = 1;
}
*ifptr = '\0';
}
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup(ifname);
temp->mask.name.length = ifptr - ifname;
}
* Allow name...
*/
- temp->type = AUTH_NAME;
+ temp->type = CUPSD_AUTH_NAME;
temp->mask.name.name = strdup(name);
temp->mask.name.length = strlen(name);
}
*/
void
-cupsdAllowIP(cupsd_location_t *loc, /* I - Location to add to */
- unsigned address[4], /* I - IP address to add */
- unsigned netmask[4]) /* I - Netmask of address */
+cupsdAllowIP(
+ cupsd_location_t *loc, /* I - Location to add to */
+ const unsigned address[4], /* I - IP address to add */
+ const unsigned netmask[4]) /* I - Netmask of address */
{
cupsd_authmask_t *temp; /* New host/domain mask */
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdAllowIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)",
- loc, loc->location, address[0], address[1], address[2],
- address[3], netmask[0], netmask[1], netmask[2],
- netmask[3]);
+ loc, loc->location ? loc->location : "nil",
+ address[0], address[1], address[2], address[3],
+ netmask[0], netmask[1], netmask[2], netmask[3]);
if ((temp = add_allow(loc)) == NULL)
return;
- temp->type = AUTH_IP;
+ temp->type = CUPSD_AUTH_IP;
memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
}
cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
{
int type; /* Authentication type */
- char *authorization, /* Pointer into Authorization string */
- *ptr, /* Pointer into string */
- username[65], /* Username string */
+ const char *authorization; /* Pointer into Authorization string */
+ char *ptr, /* Pointer into string */
+ username[256], /* Username string */
password[33]; /* Password string */
- const char *localuser; /* Certificate username */
+ cupsd_cert_t *localuser; /* Certificate username */
char nonce[HTTP_MAX_VALUE], /* Nonce value from client */
md5[33], /* MD5 password */
basicmd5[33]; /* MD5 of Basic password */
*/
con->best = cupsdFindBest(con->uri, con->http.state);
+ con->type = CUPSD_AUTH_NONE;
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdAuthorize: con->uri=\"%s\", con->best=%p(%s)",
con->uri, con->best, con->best ? con->best->location : "");
- if (con->best && con->best->type != AUTH_NONE)
- type = con->best->type;
+ if (con->best && con->best->type != CUPSD_AUTH_NONE)
+ {
+ if (con->best->type == CUPSD_AUTH_DEFAULT)
+ type = DefaultAuthType;
+ else
+ type = con->best->type;
+ }
else
type = DefaultAuthType;
* Decode the Authorization string...
*/
- authorization = con->http.fields[HTTP_FIELD_AUTHORIZATION];
+ authorization = httpGetField(&con->http, HTTP_FIELD_AUTHORIZATION);
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAuthorize: Authorization=\"%s\"",
authorization);
username[0] = '\0';
password[0] = '\0';
- if (type == AUTH_NONE)
+#ifdef HAVE_AUTHORIZATION_H
+ if (con->authref)
+ {
+ AuthorizationFree(con->authref, kAuthorizationFlagDefaults);
+ con->authref = NULL;
+ }
+#endif /* HAVE_AUTHORIZATION_H */
+
+ if (!*authorization)
{
/*
- * No authorization required, return early...
+ * No authorization data provided, return early...
*/
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: No authentication required.");
+ "cupsdAuthorize: No authentication data provided.");
return;
}
- else if (!*authorization)
+#ifdef HAVE_AUTHORIZATION_H
+ else if (!strncmp(authorization, "AuthRef", 6) &&
+ !strcasecmp(con->http.hostname, "localhost"))
{
+ OSStatus status; /* Status */
+ int authlen; /* Auth string length */
+ AuthorizationItemSet *authinfo; /* Authorization item set */
+
/*
- * No authorization data provided, return early...
+ * Get the Authorization Services data...
*/
+ authorization += 7;
+ while (isspace(*authorization & 255))
+ authorization ++;
+
+ authlen = sizeof(nonce);
+ httpDecode64_2(nonce, &authlen, authorization);
+
+ if (authlen != kAuthorizationExternalFormLength)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "External Authorization reference size is incorrect!");
+ return;
+ }
+
+ if ((status = AuthorizationCreateFromExternalForm(
+ (AuthorizationExternalForm *)nonce, &con->authref)) != 0)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "AuthorizationCreateFromExternalForm returned %d (%s)",
+ (int)status, cssmErrorString(status));
+ return;
+ }
+
+ strlcpy(username, "_AUTHREF_", sizeof(username));
+
+ if (!AuthorizationCopyInfo(con->authref, kAuthorizationEnvironmentUsername,
+ &authinfo))
+ {
+ if (authinfo->count == 1 && authinfo->items[0].value &&
+ authinfo->items[0].valueLength >= 2)
+ strlcpy(username, authinfo->items[0].value, sizeof(username));
+
+ AuthorizationFreeItemSet(authinfo);
+ }
+
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: No authentication data provided.");
- return;
+ "cupsdAuthorize: Authorized as \"%s\" using AuthRef",
+ username);
+ con->type = CUPSD_AUTH_BASIC;
}
+#endif /* HAVE_AUTHORIZATION_H */
+#if defined(SO_PEERCRED) && defined(AF_LOCAL)
+ else if (!strncmp(authorization, "PeerCred ", 9) &&
+ con->http.hostaddr->addr.sa_family == AF_LOCAL)
+ {
+ /*
+ * Use peer credentials from domain socket connection...
+ */
+
+ struct passwd *pwd; /* Password entry for this user */
+ cupsd_ucred_t peercred; /* Peer credentials */
+ socklen_t peersize; /* Size of peer credentials */
+
+
+ if ((pwd = getpwnam(authorization + 9)) == NULL)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "User \"%s\" does not exist!",
+ authorization + 9);
+ return;
+ }
+
+ peersize = sizeof(peercred);
+
+# ifdef __APPLE__
+ if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
+# else
+ if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
+# endif /* __APPLE__ */
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
+ strerror(errno));
+ return;
+ }
+
+ if (pwd->pw_uid != CUPSD_UCRED_UID(peercred))
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Invalid peer credentials for \"%s\" - got %d, "
+ "expected %d!", authorization + 9,
+ CUPSD_UCRED_UID(peercred), pwd->pw_uid);
+# ifdef HAVE_SYS_UCRED_H
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_version=%d",
+ peercred.cr_version);
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_uid=%d",
+ peercred.cr_uid);
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_ngroups=%d",
+ peercred.cr_ngroups);
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_groups[0]=%d",
+ peercred.cr_groups[0]);
+# endif /* HAVE_SYS_UCRED_H */
+ return;
+ }
+
+ strlcpy(username, authorization + 9, sizeof(username));
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: Authorized as %s using PeerCred",
+ username);
+
+ con->type = CUPSD_AUTH_BASIC;
+ }
+#endif /* SO_PEERCRED && AF_LOCAL */
else if (!strncmp(authorization, "Local", 5) &&
!strcasecmp(con->http.hostname, "localhost"))
{
*/
authorization += 5;
- while (isspace(*authorization))
+ while (isspace(*authorization & 255))
authorization ++;
if ((localuser = cupsdFindCert(authorization)) != NULL)
- strlcpy(username, localuser, sizeof(username));
+ {
+ strlcpy(username, localuser->username, sizeof(username));
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: Authorized as %s using Local",
+ username);
+ }
else
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"found!");
return;
}
+
+#ifdef HAVE_GSSAPI
+ if (localuser->ccache)
+ con->type = CUPSD_AUTH_NEGOTIATE;
+ else
+#endif /* HAVE_GSSAPI */
+ con->type = CUPSD_AUTH_BASIC;
}
- else if (!strncmp(authorization, "Basic", 5) &&
- (type == AUTH_BASIC || type == AUTH_BASICDIGEST))
+ else if (!strncmp(authorization, "Basic", 5))
{
/*
* Get the Basic authentication data...
authorization += 5;
- while (isspace(*authorization))
+ while (isspace(*authorization & 255))
authorization ++;
userlen = sizeof(username);
switch (type)
{
- case AUTH_BASIC :
+ default :
+ case CUPSD_AUTH_BASIC :
{
#if HAVE_LIBPAM
/*
strlcpy(data.username, username, sizeof(data.username));
strlcpy(data.password, password, sizeof(data.password));
+# if defined(__sun) || defined(__hpux)
+ pamdata.conv = (int (*)(int, struct pam_message **,
+ struct pam_response **,
+ void *))pam_func;
+# else
pamdata.conv = pam_func;
+# endif /* __sun || __hpux */
pamdata.appdata_ptr = &data;
# ifdef __hpux
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: pam_start() returned %d (%s)!\n",
+ "cupsdAuthorize: pam_start() returned %d (%s)!",
pamerr, pam_strerror(pamh, pamerr));
- pam_end(pamh, 0);
return;
}
+# ifdef HAVE_PAM_SET_ITEM
+# ifdef PAM_RHOST
+ pamerr = pam_set_item(pamh, PAM_RHOST, con->http.hostname);
+ if (pamerr != PAM_SUCCESS)
+ cupsdLogMessage(CUPSD_LOG_WARN,
+ "cupsdAuthorize: pam_set_item(PAM_RHOST) "
+ "returned %d (%s)!", pamerr,
+ pam_strerror(pamh, pamerr));
+# endif /* PAM_RHOST */
+
+# ifdef PAM_TTY
+ pamerr = pam_set_item(pamh, PAM_TTY, "cups");
+ if (pamerr != PAM_SUCCESS)
+ cupsdLogMessage(CUPSD_LOG_WARN,
+ "cupsdAuthorize: pam_set_item(PAM_TTY) "
+ "returned %d (%s)!", pamerr,
+ pam_strerror(pamh, pamerr));
+# endif /* PAM_TTY */
+# endif /* HAVE_PAM_SET_ITEM */
+
pamerr = pam_authenticate(pamh, PAM_SILENT);
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"cupsdAuthorize: pam_authenticate() returned %d "
- "(%s)!\n",
+ "(%s)!",
pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
}
+# ifdef HAVE_PAM_SETCRED
+ pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ if (pamerr != PAM_SUCCESS)
+ cupsdLogMessage(CUPSD_LOG_WARN,
+ "cupsdAuthorize: pam_setcred() "
+ "returned %d (%s)!", pamerr,
+ pam_strerror(pamh, pamerr));
+# endif /* HAVE_PAM_SETCRED */
+
pamerr = pam_acct_mgmt(pamh, PAM_SILENT);
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"cupsdAuthorize: pam_acct_mgmt() returned %d "
- "(%s)!\n",
+ "(%s)!",
pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
*/
char *authmsg; /* Authentication message */
- char *loginmsg; /* Login message */
int reenter; /* ??? */
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: AIX authenticate of username \"%s\"",
- username);
+ "cupsdAuthorize: AIX authenticate of username "
+ "\"%s\"", username);
reenter = 1;
if (authenticate(username, password, &reenter, &authmsg) != 0)
cupsdLogMessage(CUPSD_LOG_ERROR,
"cupsdAuthorize: Unknown username \"%s\"!",
username);
- return (HTTP_UNAUTHORIZED);
+ return;
}
# ifdef HAVE_SHADOW_H
}
#endif /* HAVE_LIBPAM */
}
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: Authorized as %s using Basic",
+ username);
break;
- case AUTH_BASICDIGEST :
+ case CUPSD_AUTH_BASICDIGEST :
/*
* Do Basic authentication with the Digest password file...
*/
- if (!cupsdGetMD5Passwd(username, NULL, md5))
+ if (!get_md5_password(username, NULL, md5))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"cupsdAuthorize: Unknown MD5 username \"%s\"!",
username);
return;
}
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: Authorized as %s using BasicDigest",
+ username);
break;
}
+
+ con->type = type;
}
- else if (!strncmp(authorization, "Digest", 6) && type == AUTH_DIGEST)
+ else if (!strncmp(authorization, "Digest", 6))
{
/*
* Get the username, password, and nonce from the Digest attributes...
* Validate the username and password...
*/
- if (!cupsdGetMD5Passwd(username, NULL, md5))
+ if (!get_md5_password(username, NULL, md5))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"cupsdAuthorize: Unknown MD5 username \"%s\"!",
username);
return;
}
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: Authorized as %s using Digest",
+ username);
+
+ con->type = CUPSD_AUTH_DIGEST;
+ }
+#ifdef HAVE_GSSAPI
+ else if (!strncmp(authorization, "Negotiate", 9))
+ {
+ int len; /* Length of authorization string */
+ gss_ctx_id_t context; /* Authorization context */
+ OM_uint32 major_status, /* Major status code */
+ minor_status; /* Minor status code */
+ gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER,
+ /* Input token from string */
+ output_token = GSS_C_EMPTY_BUFFER;
+ /* Output token for username */
+ gss_name_t client_name; /* Client name */
+
+
+# ifdef __APPLE__
+ /*
+ * If the weak-linked GSSAPI/Kerberos library is not present, don't try
+ * to use it...
+ */
+
+ if (gss_init_sec_context == NULL)
+ {
+ cupsdLogMessage(CUPSD_LOG_WARN,
+ "GSSAPI/Kerberos authentication failed because the "
+ "Kerberos framework is not present.");
+ return;
+ }
+# endif /* __APPLE__ */
+
+ con->gss_output_token.length = 0;
+
+ /*
+ * Find the start of the Kerberos input token...
+ */
+
+ authorization += 9;
+ while (isspace(*authorization & 255))
+ authorization ++;
+
+ if (!*authorization)
+ {
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
+ "cupsdAuthorize: No authentication data specified.");
+ return;
+ }
+
+ /*
+ * Decode the authorization string to get the input token...
+ */
+
+ len = strlen(authorization);
+ input_token.value = malloc(len);
+ input_token.value = httpDecode64_2(input_token.value, &len,
+ authorization);
+ input_token.length = len;
+
+ /*
+ * Accept the input token to get the authorization info...
+ */
+
+ context = GSS_C_NO_CONTEXT;
+ client_name = GSS_C_NO_NAME;
+ major_status = gss_accept_sec_context(&minor_status,
+ &context,
+ GSS_C_NO_CREDENTIAL,
+ &input_token,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &client_name,
+ NULL,
+ &con->gss_output_token,
+ &con->gss_flags,
+ NULL,
+ &con->gss_creds);
+
+ if (GSS_ERROR(major_status))
+ {
+ cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
+ "cupsdAuthorize: Error accepting GSSAPI security "
+ "context");
+
+ if (context != GSS_C_NO_CONTEXT)
+ gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
+ return;
+ }
+
+ /*
+ * Get the username associated with the client's credentials...
+ */
+
+ if (!con->gss_creds)
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: No credentials!");
+
+ if (major_status == GSS_S_CONTINUE_NEEDED)
+ cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
+ "cupsdAuthorize: Credentials not complete");
+ else if (major_status == GSS_S_COMPLETE)
+ {
+ major_status = gss_display_name(&minor_status, client_name,
+ &output_token, NULL);
+
+ if (GSS_ERROR(major_status))
+ {
+ cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
+ "cupsdAuthorize: Error getting username");
+ gss_release_cred(&minor_status, &con->gss_creds);
+ gss_release_name(&minor_status, &client_name);
+ gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
+ return;
+ }
+
+ strlcpy(username, output_token.value, sizeof(username));
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "cupsdAuthorize: Authorized as %s using Negotiate",
+ username);
+
+ gss_release_name(&minor_status, &client_name);
+ gss_release_buffer(&minor_status, &output_token);
+
+ con->type = CUPSD_AUTH_NEGOTIATE;
+ }
+ else
+ gss_release_cred(&minor_status, &con->gss_creds);
+
+ gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
}
+#endif /* HAVE_GSSAPI */
else
{
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Bad authentication data.");
+ char scheme[256]; /* Auth scheme... */
+
+
+ if (sscanf(authorization, "%255s", scheme) != 1)
+ strcpy(scheme, "UNKNOWN");
+
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Bad authentication data \"%s ...\"",
+ scheme);
return;
}
strlcpy(con->username, username, sizeof(con->username));
strlcpy(con->password, password, sizeof(con->password));
+}
+
- cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: username=\"%s\"",
- con->username);
+/*
+ * 'cupsdCheckAccess()' - Check whether the given address is allowed to
+ * access a location.
+ */
+
+int /* O - 1 if allowed, 0 otherwise */
+cupsdCheckAccess(
+ unsigned ip[4], /* I - Client address */
+ char *name, /* I - Client hostname */
+ int namelen, /* I - Length of hostname */
+ cupsd_location_t *loc) /* I - Location to check */
+{
+ int allow; /* 1 if allowed, 0 otherwise */
+
+
+ if (!strcasecmp(name, "localhost"))
+ {
+ /*
+ * Access from localhost (127.0.0.1 or ::1) is always allowed...
+ */
+
+ return (1);
+ }
+ else
+ {
+ /*
+ * Do authorization checks on the domain/address...
+ */
+
+ switch (loc->order_type)
+ {
+ default :
+ allow = 0; /* anti-compiler-warning-code */
+ break;
+
+ case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */
+ allow = 1;
+
+ if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny))
+ allow = 0;
+
+ if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow))
+ allow = 1;
+ break;
+
+ case CUPSD_AUTH_DENY : /* Order Allow,Deny */
+ allow = 0;
+
+ if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow))
+ allow = 1;
+
+ if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny))
+ allow = 0;
+ break;
+ }
+ }
+
+ return (allow);
}
unsigned netip6[4]; /* IPv6 network address */
#endif /* AF_INET6 */
+
while (num_masks > 0)
{
switch (masks->type)
{
- case AUTH_INTERFACE :
+ case CUPSD_AUTH_INTERFACE :
/*
* Check for a match with a network interface...
*/
if (!strcmp(masks->mask.name.name, "*"))
{
+#ifdef __APPLE__
+ /*
+ * Allow Back-to-My-Mac addresses...
+ */
+
+ if ((ip[0] & 0xff000000) == 0xfd000000)
+ return (1);
+#endif /* __APPLE__ */
+
/*
* Check against all local interfaces...
*/
*/
for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
- iface && !strcmp(masks->mask.name.name, iface->name);
+ iface;
iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
{
+ if (strcmp(masks->mask.name.name, iface->name))
+ continue;
+
if (iface->address.addr.sa_family == AF_INET)
{
/*
}
break;
- case AUTH_NAME :
+ case CUPSD_AUTH_NAME :
/*
* Check for exact name match...
*/
return (1);
break;
- case AUTH_IP :
+ case CUPSD_AUTH_IP :
/*
* Check for IP/network address match...
*/
struct passwd *user, /* I - System user info */
const char *groupname) /* I - Group name */
{
- int i; /* Looping var */
- struct group *group; /* System group info */
- char junk[33]; /* MD5 password (not used) */
+ int i; /* Looping var */
+ struct group *group; /* System group info */
+ char junk[33]; /* MD5 password (not used) */
#ifdef HAVE_MBR_UID_TO_UUID
- uuid_t useruuid, /* UUID for username */
- groupuuid; /* UUID for groupname */
- int is_member; /* True if user is a member of group */
+ uuid_t useruuid, /* UUID for username */
+ groupuuid; /* UUID for groupname */
+ int is_member; /* True if user is a member of group */
#endif /* HAVE_MBR_UID_TO_UUID */
* Check group membership through MacOS X membership API...
*/
- if (user && group)
- if (!mbr_uid_to_uuid(user->pw_uid, useruuid))
+ if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid))
+ {
+ if (group)
+ {
+ /*
+ * Map group name to UUID and check membership...
+ */
+
if (!mbr_gid_to_uuid(group->gr_gid, groupuuid))
- if (!mbr_check_membership(useruuid, groupuuid, &is_member))
+ if (!mbr_check_membership(useruuid, groupuuid, &is_member))
if (is_member)
return (1);
+ }
+ else if (groupname[0] == '#')
+ {
+ /*
+ * Use UUID directly and check for equality (user UUID) and
+ * membership (group UUID)...
+ */
+
+ if (!uuid_parse((char *)groupname + 1, groupuuid))
+ {
+ if (!uuid_compare(useruuid, groupuuid))
+ return (1);
+ else if (!mbr_check_membership(useruuid, groupuuid, &is_member))
+ if (is_member)
+ return (1);
+ }
+
+ return (0);
+ }
+ }
+ else if (groupname[0] == '#')
+ return (0);
#endif /* HAVE_MBR_UID_TO_UUID */
/*
* file...
*/
- if (cupsdGetMD5Passwd(username, groupname, junk) != NULL)
+ if (get_md5_password(username, groupname, junk) != NULL)
return (1);
/*
}
+#ifdef HAVE_GSSAPI
+/*
+ * 'cupsdCopyKrb5Creds()' - Get a copy of the Kerberos credentials.
+ */
+
+krb5_ccache /* O - Credentials or NULL */
+cupsdCopyKrb5Creds(cupsd_client_t *con) /* I - Client connection */
+{
+# if !defined(HAVE_KRB5_CC_NEW_UNIQUE) && !defined(HAVE_HEIMDAL)
+ cupsdLogMessage(CUPSD_LOG_INFO,
+ "Sorry, your version of Kerberos does not support delegated "
+ "credentials!");
+ return (NULL);
+
+# else
+ krb5_ccache ccache = NULL; /* Credentials */
+ krb5_error_code error; /* Kerberos error code */
+ OM_uint32 major_status, /* Major status code */
+ minor_status; /* Minor status code */
+ krb5_principal principal; /* Kerberos principal */
+
+
+# ifdef __APPLE__
+ /*
+ * If the weak-linked GSSAPI/Kerberos library is not present, don't try
+ * to use it...
+ */
+
+ if (krb5_init_context == NULL)
+ return (NULL);
+# endif /* __APPLE__ */
+
+ if (!KerberosInitialized)
+ {
+ /*
+ * Setup a Kerberos context for the scheduler to use...
+ */
+
+ KerberosInitialized = 1;
+
+ if (krb5_init_context(&KerberosContext))
+ {
+ KerberosContext = NULL;
+
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to initialize Kerberos context");
+ return (NULL);
+ }
+ }
+
+ /*
+ * We MUST create a file-based cache because memory-based caches are
+ * only valid for the current process/address space.
+ *
+ * Due to various bugs/features in different versions of Kerberos, we
+ * need either the krb5_cc_new_unique() function or Heimdal's version
+ * of krb5_cc_gen_new() to create a new FILE: credential cache that
+ * can be passed to the backend. These functions create a temporary
+ * file (typically in /tmp) containing the cached credentials, which
+ * are removed when we have successfully printed a job.
+ */
+
+# ifdef HAVE_KRB5_CC_NEW_UNIQUE
+ if ((error = krb5_cc_new_unique(KerberosContext, "FILE", NULL, &ccache)) != 0)
+# else /* HAVE_HEIMDAL */
+ if ((error = krb5_cc_gen_new(KerberosContext, &krb5_fcc_ops, &ccache)) != 0)
+# endif /* HAVE_KRB5_CC_NEW_UNIQUE */
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unable to create new credentials cache (%d/%s)",
+ error, strerror(errno));
+ return (NULL);
+ }
+
+ if ((error = krb5_parse_name(KerberosContext, con->username, &principal)) != 0)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unable to parse kerberos username (%d/%s)", error,
+ strerror(errno));
+ krb5_cc_destroy(KerberosContext, ccache);
+ return (NULL);
+ }
+
+ if ((error = krb5_cc_initialize(KerberosContext, ccache, principal)))
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unable to initialize credentials cache (%d/%s)", error,
+ strerror(errno));
+ krb5_cc_destroy(KerberosContext, ccache);
+ krb5_free_principal(KerberosContext, principal);
+ return (NULL);
+ }
+
+ krb5_free_principal(KerberosContext, principal);
+
+ /*
+ * Copy the user's credentials to the new cache file...
+ */
+
+# ifdef HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID
+ if (con->http.hostaddr->addr.sa_family == AF_LOCAL &&
+ !(con->gss_flags & GSS_C_DELEG_FLAG))
+ {
+ /*
+ * Pull the credentials directly from the user...
+ */
+
+ cupsd_ucred_t peercred; /* Peer credentials */
+ socklen_t peersize; /* Size of peer credentials */
+ krb5_ccache peerccache; /* Peer Kerberos credentials */
+
+ peersize = sizeof(peercred);
+
+ if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
+ strerror(errno));
+ krb5_cc_destroy(KerberosContext, ccache);
+ return (NULL);
+ }
+
+ krb5_ipc_client_set_target_uid(CUPSD_UCRED_UID(peercred));
+
+ if ((error = krb5_cc_default(KerberosContext, &peerccache)) != 0)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unable to get credentials cache for UID %d (%d/%s)",
+ (int)CUPSD_UCRED_UID(peercred), error, strerror(errno));
+ krb5_cc_destroy(KerberosContext, ccache);
+ return (NULL);
+ }
+
+ error = krb5_cc_copy_creds(KerberosContext, peerccache, ccache);
+ krb5_cc_close(KerberosContext, peerccache);
+ krb5_ipc_client_clear_target();
+
+ if (error)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unable to copy credentials cache for UID %d (%d/%s)",
+ (int)CUPSD_UCRED_UID(peercred), error, strerror(errno));
+ krb5_cc_destroy(KerberosContext, ccache);
+ return (NULL);
+ }
+ }
+ else
+# endif /* HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID */
+ {
+ major_status = gss_krb5_copy_ccache(&minor_status, con->gss_creds, ccache);
+
+ if (GSS_ERROR(major_status))
+ {
+ cupsdLogGSSMessage(CUPSD_LOG_ERROR, major_status, minor_status,
+ "Unable to copy client credentials cache");
+ krb5_cc_destroy(KerberosContext, ccache);
+ return (NULL);
+ }
+ }
+
+ return (ccache);
+# endif /* !HAVE_KRB5_CC_NEW_UNIQUE && !HAVE_HEIMDAL */
+}
+#endif /* HAVE_GSSAPI */
+
+
/*
* 'cupsdCopyLocation()' - Make a copy of a location...
*/
for (i = 0; i < temp->num_allow; i ++)
switch (temp->allow[i].type = (*loc)->allow[i].type)
{
- case AUTH_NAME :
+ case CUPSD_AUTH_NAME :
temp->allow[i].mask.name.length = (*loc)->allow[i].mask.name.length;
temp->allow[i].mask.name.name = strdup((*loc)->allow[i].mask.name.name);
return (NULL);
}
break;
- case AUTH_IP :
+ case CUPSD_AUTH_IP :
memcpy(&(temp->allow[i].mask.ip), &((*loc)->allow[i].mask.ip),
sizeof(cupsd_ipmask_t));
break;
for (i = 0; i < temp->num_deny; i ++)
switch (temp->deny[i].type = (*loc)->deny[i].type)
{
- case AUTH_NAME :
+ case CUPSD_AUTH_NAME :
temp->deny[i].mask.name.length = (*loc)->deny[i].mask.name.length;
temp->deny[i].mask.name.name = strdup((*loc)->deny[i].mask.name.name);
return (NULL);
}
break;
- case AUTH_IP :
+ case CUPSD_AUTH_IP :
memcpy(&(temp->deny[i].mask.ip), &((*loc)->deny[i].mask.ip),
sizeof(cupsd_ipmask_t));
break;
free(loc->names);
for (i = loc->num_allow, mask = loc->allow; i > 0; i --, mask ++)
- if (mask->type == AUTH_NAME || mask->type == AUTH_INTERFACE)
+ if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
free(mask->mask.name.name);
if (loc->num_allow > 0)
free(loc->allow);
for (i = loc->num_deny, mask = loc->deny; i > 0; i --, mask ++)
- if (mask->type == AUTH_NAME || mask->type == AUTH_INTERFACE)
+ if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
free(mask->mask.name.name);
if (loc->num_deny > 0)
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDenyHost(loc=%p(%s), name=\"%s\")",
- loc, loc->location, name);
+ loc, loc->location ? loc->location : "nil", name);
if ((temp = add_deny(loc)) == NULL)
return;
* Deny *interface*...
*/
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup("*");
temp->mask.name.length = 1;
}
*ifptr = '\0';
}
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup(ifname);
temp->mask.name.length = ifptr - ifname;
}
* Deny name...
*/
- temp->type = AUTH_NAME;
+ temp->type = CUPSD_AUTH_NAME;
temp->mask.name.name = strdup(name);
temp->mask.name.length = strlen(name);
}
void
cupsdDenyIP(cupsd_location_t *loc, /* I - Location to add to */
- unsigned address[4],/* I - IP address to add */
- unsigned netmask[4])/* I - Netmask of address */
+ const unsigned address[4],/* I - IP address to add */
+ const unsigned netmask[4])/* I - Netmask of address */
{
cupsd_authmask_t *temp; /* New host/domain mask */
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdDenyIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)",
- loc, loc->location, address[0], address[1], address[2],
- address[3], netmask[0], netmask[1], netmask[2],
- netmask[3]);
+ loc, loc->location ? loc->location : "nil",
+ address[0], address[1], address[2], address[3],
+ netmask[0], netmask[1], netmask[2], netmask[3]);
if ((temp = add_deny(loc)) == NULL)
return;
- temp->type = AUTH_IP;
+ temp->type = CUPSD_AUTH_IP;
memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
}
*best; /* Best match for location so far */
int bestlen; /* Length of best match */
int limit; /* Limit field */
- static const int limits[] = /* Map http_status_t to AUTH_LIMIT_xyz */
+ static const int limits[] = /* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */
{
- AUTH_LIMIT_ALL,
- AUTH_LIMIT_OPTIONS,
- AUTH_LIMIT_GET,
- AUTH_LIMIT_GET,
- AUTH_LIMIT_HEAD,
- AUTH_LIMIT_POST,
- AUTH_LIMIT_POST,
- AUTH_LIMIT_POST,
- AUTH_LIMIT_PUT,
- AUTH_LIMIT_PUT,
- AUTH_LIMIT_DELETE,
- AUTH_LIMIT_TRACE,
- AUTH_LIMIT_ALL,
- AUTH_LIMIT_ALL
+ CUPSD_AUTH_LIMIT_ALL,
+ CUPSD_AUTH_LIMIT_OPTIONS,
+ CUPSD_AUTH_LIMIT_GET,
+ CUPSD_AUTH_LIMIT_GET,
+ CUPSD_AUTH_LIMIT_HEAD,
+ CUPSD_AUTH_LIMIT_POST,
+ CUPSD_AUTH_LIMIT_POST,
+ CUPSD_AUTH_LIMIT_POST,
+ CUPSD_AUTH_LIMIT_PUT,
+ CUPSD_AUTH_LIMIT_PUT,
+ CUPSD_AUTH_LIMIT_DELETE,
+ CUPSD_AUTH_LIMIT_TRACE,
+ CUPSD_AUTH_LIMIT_ALL,
+ CUPSD_AUTH_LIMIT_ALL
};
loc = (cupsd_location_t *)cupsArrayNext(Locations))
{
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s Limit %x",
- loc->location, loc->limit);
+ loc->location ? loc->location : "nil", loc->limit);
if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9))
{
* Use case-insensitive comparison for queue names...
*/
- if (loc->length > bestlen &&
+ if (loc->length > bestlen && loc->location &&
!strncasecmp(uri, loc->location, loc->length) &&
loc->location[0] == '/' &&
(limit & loc->limit) != 0)
* Use case-sensitive comparison for other URIs...
*/
- if (loc->length > bestlen &&
+ if (loc->length > bestlen && loc->location &&
!strncmp(uri, loc->location, loc->length) &&
loc->location[0] == '/' &&
(limit & loc->limit) != 0)
}
-/*
- * 'cupsdGetMD5Passwd()' - Get an MD5 password.
- */
-
-char * /* O - MD5 password string */
-cupsdGetMD5Passwd(const char *username, /* I - Username */
- const char *group, /* I - Group */
- char passwd[33])/* O - MD5 password string */
-{
- cups_file_t *fp; /* passwd.md5 file */
- char filename[1024], /* passwd.md5 filename */
- line[256], /* Line from file */
- tempuser[33], /* User from file */
- tempgroup[33]; /* Group from file */
-
-
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdGetMD5Passwd(username=\"%s\", group=\"%s\", passwd=%p)",
- username, group ? group : "(null)", passwd);
-
- snprintf(filename, sizeof(filename), "%s/passwd.md5", ServerRoot);
- if ((fp = cupsFileOpen(filename, "r")) == NULL)
- {
- if (errno != ENOENT)
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to open %s - %s", filename,
- strerror(errno));
-
- return (NULL);
- }
-
- while (cupsFileGets(fp, line, sizeof(line)) != NULL)
- {
- if (sscanf(line, "%32[^:]:%32[^:]:%32s", tempuser, tempgroup, passwd) != 3)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR, "Bad MD5 password line: %s", line);
- continue;
- }
-
- if (!strcmp(username, tempuser) &&
- (group == NULL || !strcmp(group, tempgroup)))
- {
- /*
- * Found the password entry!
- */
-
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "Found MD5 user %s, group %s...",
- username, tempgroup);
-
- cupsFileClose(fp);
- return (passwd);
- }
- }
-
- /*
- * Didn't find a password entry - return NULL!
- */
-
- cupsFileClose(fp);
- return (NULL);
-}
-
-
/*
* 'cupsdIsAuthorized()' - Check to see if the user is authorized...
*/
const char *owner)/* I - Owner of object */
{
int i, j, /* Looping vars */
- auth; /* Authorization status */
+ auth, /* Authorization status */
+ type; /* Type of authentication */
unsigned address[4]; /* Authorization address */
cupsd_location_t *best; /* Best match for location so far */
int hostlen; /* Length of hostname */
- const char *username; /* Username to authorize */
+ char username[256], /* Username to authorize */
+ ownername[256], /* Owner name to authorize */
+ *ptr; /* Pointer into username */
struct passwd *pw; /* User password data */
static const char * const levels[] = /* Auth levels */
{
};
static const char * const types[] = /* Auth types */
{
- "NONE",
- "BASIC",
- "DIGEST",
- "BASICDIGEST"
+ "None",
+ "Basic",
+ "Digest",
+ "BasicDigest",
+ "Negotiate"
};
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)",
- con->uri, con->best, con->best ? con->best->location : "");
+ con->uri, con->best, con->best ? con->best->location ?
+ con->best->location : "(null)" : "");
if (owner)
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdIsAuthorized: owner=\"%s\"", owner);
best = con->best;
+ if ((type = best->type) == CUPSD_AUTH_DEFAULT)
+ type = DefaultAuthType;
+
cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdIsAuthorized: level=AUTH_%s, type=AUTH_%s, "
- "satisfy=AUTH_SATISFY_%s, num_names=%d",
- levels[best->level], types[best->type],
+ "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, "
+ "satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d",
+ levels[best->level], types[type],
best->satisfy ? "ANY" : "ALL", best->num_names);
- if (best->limit == AUTH_LIMIT_IPP)
+ if (best->limit == CUPSD_AUTH_LIMIT_IPP)
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)",
best->op, ippOpString(best->op));
hostlen = strlen(con->http.hostname);
- if (!strcasecmp(con->http.hostname, "localhost"))
- {
- /*
- * Access from localhost (127.0.0.1 or :::1) is always allowed...
- */
-
- auth = AUTH_ALLOW;
- }
- else
- {
- /*
- * Do authorization checks on the domain/address...
- */
-
- switch (best->order_type)
- {
- default :
- auth = AUTH_DENY; /* anti-compiler-warning-code */
- break;
-
- case AUTH_ALLOW : /* Order Deny,Allow */
- auth = AUTH_ALLOW;
+ auth = cupsdCheckAccess(address, con->http.hostname, hostlen, best)
+ ? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
- if (cupsdCheckAuth(address, con->http.hostname, hostlen,
- best->num_deny, best->deny))
- auth = AUTH_DENY;
-
- if (cupsdCheckAuth(address, con->http.hostname, hostlen,
- best->num_allow, best->allow))
- auth = AUTH_ALLOW;
- break;
-
- case AUTH_DENY : /* Order Allow,Deny */
- auth = AUTH_DENY;
-
- if (cupsdCheckAuth(address, con->http.hostname, hostlen,
- best->num_allow, best->allow))
- auth = AUTH_ALLOW;
-
- if (cupsdCheckAuth(address, con->http.hostname, hostlen,
- best->num_deny, best->deny))
- auth = AUTH_DENY;
- break;
- }
- }
-
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=AUTH_%s...",
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...",
auth ? "DENY" : "ALLOW");
- if (auth == AUTH_DENY && best->satisfy == AUTH_SATISFY_ALL)
+ if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL)
return (HTTP_FORBIDDEN);
#ifdef HAVE_SSL
* See if encryption is required...
*/
- if (best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls &&
- best->satisfy == AUTH_SATISFY_ALL)
+ if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls &&
+ strcasecmp(con->http.hostname, "localhost") &&
+ best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
+ !(type == CUPSD_AUTH_NEGOTIATE ||
+ (type == CUPSD_AUTH_NONE && DefaultAuthType == CUPSD_AUTH_NEGOTIATE)))
{
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: Need upgrade to TLS...");
return (HTTP_UPGRADE_REQUIRED);
}
* Now see what access level is required...
*/
- if (best->level == AUTH_ANON || /* Anonymous access - allow it */
- (best->type == AUTH_NONE && best->num_names == 0))
+ if (best->level == CUPSD_AUTH_ANON || /* Anonymous access - allow it */
+ (type == CUPSD_AUTH_NONE && best->num_names == 0))
return (HTTP_OK);
- if (!con->username[0] && best->type == AUTH_NONE &&
- best->limit == AUTH_LIMIT_IPP)
+ if (!con->username[0] && type == CUPSD_AUTH_NONE &&
+ best->limit == CUPSD_AUTH_LIMIT_IPP)
{
/*
* Check for unauthenticated username...
attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
if (attr)
{
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: requesting-user-name=\"%s\"",
attr->values[0].string.text);
- username = attr->values[0].string.text;
+ strlcpy(username, attr->values[0].string.text, sizeof(username));
}
- else if (best->satisfy == AUTH_SATISFY_ALL || auth == AUTH_DENY)
+ else if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
else
return (HTTP_OK); /* unless overridden with Satisfy */
}
else
{
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: username=\"%s\"",
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: username=\"%s\"",
con->username);
+#ifdef HAVE_AUTHORIZATION_H
+ if (!con->username[0] && !con->authref)
+#else
if (!con->username[0])
+#endif /* HAVE_AUTHORIZATION_H */
{
- if (best->satisfy == AUTH_SATISFY_ALL || auth == AUTH_DENY)
+ if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
else
return (HTTP_OK); /* unless overridden with Satisfy */
}
- username = con->username;
+ if (con->type != type && type != CUPSD_AUTH_NONE &&
+ (con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST))
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s!",
+ types[con->type], types[type]);
+
+ return (HTTP_UNAUTHORIZED);
+ }
+
+ strlcpy(username, con->username, sizeof(username));
}
/*
if (!strcmp(username, "root"))
return (HTTP_OK);
+ /*
+ * Strip any @domain or @KDC from the username and owner...
+ */
+
+ if ((ptr = strchr(username, '@')) != NULL)
+ *ptr = '\0';
+
+ if (owner)
+ {
+ strlcpy(ownername, owner, sizeof(ownername));
+
+ if ((ptr = strchr(ownername, '@')) != NULL)
+ *ptr = '\0';
+ }
+ else
+ ownername[0] = '\0';
+
/*
* Get the user info...
*/
- pw = getpwnam(username);
- endpwent();
+ if (username[0])
+ {
+ pw = getpwnam(username);
+ endpwent();
+ }
+ else
+ pw = NULL;
- if (best->level == AUTH_USER)
+ if (best->level == CUPSD_AUTH_USER)
{
/*
* If there are no names associated with this location, then
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdIsAuthorized: Checking user membership...");
+#ifdef HAVE_AUTHORIZATION_H
+ /*
+ * If an authorization reference was supplied it must match a right name...
+ */
+
+ if (con->authref)
+ {
+ for (i = 0; i < best->num_names; i ++)
+ {
+ if (!strncasecmp(best->names[i], "@AUTHKEY(", 9) &&
+ check_authref(con, best->names[i] + 9))
+ return (HTTP_OK);
+ else if (!strcasecmp(best->names[i], "@SYSTEM") &&
+ SystemGroupAuthKey &&
+ check_authref(con, SystemGroupAuthKey))
+ return (HTTP_OK);
+ }
+
+ return (HTTP_FORBIDDEN);
+ }
+#endif /* HAVE_AUTHORIZATION_H */
+
for (i = 0; i < best->num_names; i ++)
{
if (!strcasecmp(best->names[i], "@OWNER") && owner &&
- !strcasecmp(username, owner))
+ !strcasecmp(username, ownername))
return (HTTP_OK);
else if (!strcasecmp(best->names[i], "@SYSTEM"))
{
return (HTTP_OK);
}
- return (HTTP_UNAUTHORIZED);
+ return (HTTP_FORBIDDEN);
}
/*
* The user isn't part of the specified group, so deny access...
*/
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: User not in group(s)!");
- return (HTTP_UNAUTHORIZED);
+ return (HTTP_FORBIDDEN);
}
}
+#ifdef HAVE_AUTHORIZATION_H
+/*
+ * 'check_authref()' - Check if an authorization services reference has the
+ * supplied right.
+ */
+
+static int /* O - 1 if right is valid, 0 otherwise */
+check_authref(cupsd_client_t *con, /* I - Connection */
+ const char *right) /* I - Right name */
+{
+ OSStatus status; /* OS Status */
+ AuthorizationItem authright; /* Authorization right */
+ AuthorizationRights authrights; /* Authorization rights */
+ AuthorizationFlags authflags; /* Authorization flags */
+
+
+ /*
+ * Check to see if the user is allowed to perform the task...
+ */
+
+ if (!con->authref)
+ return (0);
+
+ authright.name = right;
+ authright.valueLength = 0;
+ authright.value = NULL;
+ authright.flags = 0;
+
+ authrights.count = 1;
+ authrights.items = &authright;
+
+ authflags = kAuthorizationFlagDefaults |
+ kAuthorizationFlagExtendRights;
+
+ if ((status = AuthorizationCopyRights(con->authref, &authrights,
+ kAuthorizationEmptyEnvironment,
+ authflags, NULL)) != 0)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "AuthorizationCopyRights(\"%s\") returned %d (%s)",
+ authright.name, (int)status, cssmErrorString(status));
+ return (0);
+ }
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
+ "AuthorizationCopyRights(\"%s\") succeeded!",
+ authright.name);
+
+ return (1);
+}
+#endif /* HAVE_AUTHORIZATION_H */
+
+
/*
* 'compare_locations()' - Compare two locations.
*/
}
-#if !HAVE_LIBPAM
+#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
/*
* 'cups_crypt()' - Encrypt the password using the DES or MD5 algorithms,
* as needed.
pwlen = strlen(pw);
- _cups_md5_init(&state);
- _cups_md5_append(&state, (unsigned char *)pw, pwlen);
- _cups_md5_append(&state, (unsigned char *)salt, salt_end - salt);
+ _cupsMD5Init(&state);
+ _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
+ _cupsMD5Append(&state, (unsigned char *)salt, salt_end - salt);
- _cups_md5_init(&state2);
- _cups_md5_append(&state2, (unsigned char *)pw, pwlen);
- _cups_md5_append(&state2, (unsigned char *)salt + 3, salt_end - salt - 3);
- _cups_md5_append(&state2, (unsigned char *)pw, pwlen);
- _cups_md5_finish(&state2, digest);
+ _cupsMD5Init(&state2);
+ _cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
+ _cupsMD5Append(&state2, (unsigned char *)salt + 3, salt_end - salt - 3);
+ _cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
+ _cupsMD5Finish(&state2, digest);
for (i = pwlen; i > 0; i -= 16)
- _cups_md5_append(&state, digest, i > 16 ? 16 : i);
+ _cupsMD5Append(&state, digest, i > 16 ? 16 : i);
for (i = pwlen; i > 0; i >>= 1)
- _cups_md5_append(&state, (unsigned char *)((i & 1) ? "" : pw), 1);
+ _cupsMD5Append(&state, (unsigned char *)((i & 1) ? "" : pw), 1);
- _cups_md5_finish(&state, digest);
+ _cupsMD5Finish(&state, digest);
for (i = 0; i < 1000; i ++)
{
- _cups_md5_init(&state);
+ _cupsMD5Init(&state);
if (i & 1)
- _cups_md5_append(&state, (unsigned char *)pw, pwlen);
+ _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
else
- _cups_md5_append(&state, digest, 16);
+ _cupsMD5Append(&state, digest, 16);
if (i % 3)
- _cups_md5_append(&state, (unsigned char *)salt + 3, salt_end - salt - 3);
+ _cupsMD5Append(&state, (unsigned char *)salt + 3, salt_end - salt - 3);
if (i % 7)
- _cups_md5_append(&state, (unsigned char *)pw, pwlen);
+ _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
if (i & 1)
- _cups_md5_append(&state, digest, 16);
+ _cupsMD5Append(&state, digest, 16);
else
- _cups_md5_append(&state, (unsigned char *)pw, pwlen);
+ _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
- _cups_md5_finish(&state, digest);
+ _cupsMD5Finish(&state, digest);
}
/*
return (crypt(pw, salt));
}
}
-#endif /* !HAVE_LIBPAM */
+#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
+
+
+/*
+ * 'get_md5_password()' - Get an MD5 password.
+ */
+
+static char * /* O - MD5 password string */
+get_md5_password(const char *username, /* I - Username */
+ const char *group, /* I - Group */
+ char passwd[33]) /* O - MD5 password string */
+{
+ cups_file_t *fp; /* passwd.md5 file */
+ char filename[1024], /* passwd.md5 filename */
+ line[256], /* Line from file */
+ tempuser[33], /* User from file */
+ tempgroup[33]; /* Group from file */
+
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
+ "get_md5_password(username=\"%s\", group=\"%s\", passwd=%p)",
+ username, group ? group : "(null)", passwd);
+
+ snprintf(filename, sizeof(filename), "%s/passwd.md5", ServerRoot);
+ if ((fp = cupsFileOpen(filename, "r")) == NULL)
+ {
+ if (errno != ENOENT)
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to open %s - %s", filename,
+ strerror(errno));
+
+ return (NULL);
+ }
+
+ while (cupsFileGets(fp, line, sizeof(line)) != NULL)
+ {
+ if (sscanf(line, "%32[^:]:%32[^:]:%32s", tempuser, tempgroup, passwd) != 3)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Bad MD5 password line: %s", line);
+ continue;
+ }
+
+ if (!strcmp(username, tempuser) &&
+ (group == NULL || !strcmp(group, tempgroup)))
+ {
+ /*
+ * Found the password entry!
+ */
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "Found MD5 user %s, group %s...",
+ username, tempgroup);
+
+ cupsFileClose(fp);
+ return (passwd);
+ }
+ }
+
+ /*
+ * Didn't find a password entry - return NULL!
+ */
+
+ cupsFileClose(fp);
+ return (NULL);
+}
#if HAVE_LIBPAM
return (PAM_SUCCESS);
}
-#else
+#elif !defined(HAVE_USERSEC_H)
/*
/*
- * End of "$Id: auth.c 5197 2006-02-27 21:30:20Z mike $".
+ * End of "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $".
*/
projects / thirdparty / cups.git / blobdiff