CHANGES IN CUPS V1.3.6
- Documentation updates (STR #2646, STR #2647, STR #2649)
+ - The scheduler did not provide the Apple language ID to
+ job filters.
+ - Kerberos authentication did not work with the web
+ interface (STR #2606, STR #2669)
+ - The requesing-user-name-allowed and -denied functionality
+ did not work for Kerberos-authenticated usernames (STR
+ #2670)
+ - CUPS didn't compile on HP-UX 11i (STR #2679)
- cupsEncodeOptions2() did not handle option values like
"What's up, doc?" properly.
- Added lots of memory allocation checks (Fortify)
-INSTALL - CUPS v1.3.0 - 2007-08-13
-----------------------------------
+INSTALL - CUPS v1.4svn - 2008-01-22
+-----------------------------------
This file describes how to compile and install CUPS from source
code. For more information on CUPS see the file called
BEFORE YOU BEGIN
- You'll need ANSI-compliant C and C++ compilers, plus a make
- program and Bourne shell. The GNU compiler tools work well -
- we've tested the current CUPS code against several versions
- of GCC with excellent results.
+ You'll need an ANSI-compliant C compiler, plus a make program
+ and Bourne shell. The GNU compiler tools work well - we've
+ tested the current CUPS code against several versions of GCC
+ with excellent results.
- The makefiles used by the project should work with all
+ The makefiles used by the project should work with most
versions of make. We've tested them with GNU make as well as
the make programs shipped by Compaq, HP, SGI, and Sun.
- BSD users should use GNU make (gmake).
+ BSD users should use GNU make (gmake) since BSD make does
+ not support "include".
Besides these tools you'll want the JPEG, PNG, TIFF, and ZLIB
libraries for image support, the CDSA, GNU TLS, or OpenSSL
compile and run without these, however you'll miss out on
many of the features provided by CUPS.
- Kerberos support requires a very recent version of the MIT
- implementation with the krb5_cc_new_unique() function or the
- Heimdal implementation, along with the corresponding GSSAPI
+ Kerberos support requires MIT Kerberos 1.6.3 or later or
+ or Heimdal Kerberos, along with the corresponding GSSAPI
pieces.
Also, please note that CUPS no longer includes the
The CUPS Subversion repository doesn't hold a copy of the
pre-built configure script. You'll need to run the GNU
- autoconf software (2.52 or higher) before compiling the
+ autoconf software (2.60 or higher) before compiling the
software from Subversion:
autoconf -f
#
# Common makefile definitions for the Common UNIX Printing System (CUPS).
#
-# Copyright 2007 by Apple Inc.
+# Copyright 2007-2008 by Apple Inc.
# Copyright 1997-2007 by Easy Software Products, all rights reserved.
#
# These coded instructions, statements, and computer programs are the
AR = @AR@
AWK = @AWK@
CC = @LIBTOOL@ @CC@
-CXX = @LIBTOOL@ @CXX@
DSO = @DSO@
HTMLDOC = @HTMLDOC@
INSTALL = @INSTALL@
# for extra debug info)
#
-ALL_CFLAGS = $(CFLAGS) $(SSLFLAGS) @LARGEFILE@ @PTHREAD_FLAGS@ \
- $(OPTIONS)
+ALL_CFLAGS = -I.. -D_CUPS_SOURCE $(CFLAGS) $(SSLFLAGS) \
+ @LARGEFILE@ @PTHREAD_FLAGS@ $(OPTIONS)
ARCHFLAGS = @ARCHFLAGS@
ARFLAGS = @ARFLAGS@
BACKLIBS = @BACKLIBS@
-CFLAGS = -I.. -D_CUPS_SOURCE @CPPFLAGS@ @CFLAGS@ \
- @LARGEFILE@ @PTHREAD_FLAGS@ $(OPTIONS)
+CFLAGS = @CPPFLAGS@ @CFLAGS@
COMMONLIBS = @LIBS@
CUPSDLIBS = @CUPSDLIBS@
-CXXFLAGS = -I.. -D_CUPS_SOURCE $(SSLFLAGS) @CPPFLAGS@ @CXXFLAGS@ \
- @LARGEFILE@ @PTHREAD_FLAGS@ $(OPTIONS)
-CXXLIBS = @CXXLIBS@
DSOFLAGS = @DSOFLAGS@
DSOLIBS = @DSOLIBS@ $(COMMONLIBS)
DNSSDLIBS = @DNSSDLIBS@
#
.SILENT:
-.SUFFIXES: .1 .1.gz .1m .1m.gz .5 .5.gz .7 .7.gz .8 .8.gz .a .c .cxx .h .man .o .32.o .64.o .gz
+.SUFFIXES: .1 .1.gz .1m .1m.gz .5 .5.gz .7 .7.gz .8 .8.gz .a .c .h .man .o .32.o .64.o .gz
.c.o:
echo Compiling $<...
echo Compiling 64-bit $<...
$(CC) $(ARCH64FLAGS) $(OPTIM) $(ALL_CFLAGS) -c -o $@ $<
-.cxx.o:
- echo Compiling $<...
- $(CXX) $(ARCHFLAGS) $(OPTIM) $(CXXFLAGS) -c $<
-
.man.1 .man.1m .man.5 .man.7 .man.8:
echo Linking $<...
$(RM) $@
-README - CUPS v1.4svn - 2008-01-02
+*README - CUPS v1.4svn - 2008-01-02
----------------------------------
Looking for compile instructions? Read the file "INSTALL.txt"
The MD5 Digest code is Copyright 1999 Aladdin Enterprises.
- The PDF filter (pdftops) is based on the Xpdf software,
- Copyright 1996-2005 by Derek B. Noonburg.
-
This software is based in part on the work of the Independent
JPEG Group.
snprintf(refresh, sizeof(refresh), "2;URL=%s", uri);
cgiSetVariable("refresh_page", refresh);
}
+ else if (cupsLastError() == IPP_NOT_AUTHORIZED)
+ {
+ puts("Status: 401\n");
+ exit(0);
+ }
cgiStartHTML(cgiText(_("Print Test Page")));
*
* Job status CGI for the Common UNIX Printing System (CUPS).
*
- * Copyright 2007 by Apple Inc.
+ * Copyright 2007-2008 by Apple Inc.
* Copyright 1997-2006 by Easy Software Products.
*
* These coded instructions, statements, and computer programs are the
cgiFormEncode(url + 6, getenv("HTTP_REFERER"), sizeof(url) - 6);
cgiSetVariable("refresh_page", url);
}
+ else if (cupsLastError() == IPP_NOT_AUTHORIZED)
+ {
+ puts("Status: 401\n");
+ exit(0);
+ }
cgiStartHTML(cgiText(_("Jobs")));
*
* Printer status CGI for the Common UNIX Printing System (CUPS).
*
- * Copyright 2007 by Apple Inc.
+ * Copyright 2007-2008 by Apple Inc.
* Copyright 1997-2006 by Easy Software Products.
*
* These coded instructions, statements, and computer programs are the
snprintf(refresh, sizeof(refresh), "2;URL=%s", uri);
cgiSetVariable("refresh_page", refresh);
}
+ else if (cupsLastError() == IPP_NOT_AUTHORIZED)
+ {
+ puts("Status: 401\n");
+ exit(0);
+ }
cgiStartHTML(cgiText(_("Printer Maintenance")));
dnl
dnl Common configuration stuff for the Common UNIX Printing System (CUPS).
dnl
-dnl Copyright 2007 by Apple Inc.
+dnl Copyright 2007-2008 by Apple Inc.
dnl Copyright 1997-2007 by Easy Software Products, all rights reserved.
dnl
dnl These coded instructions, statements, and computer programs are the
dnl Default compiler flags...
CFLAGS="${CFLAGS:=}"
CPPFLAGS="${CPPFLAGS:=}"
-CXXFLAGS="${CXXFLAGS:=}"
LDFLAGS="${LDFLAGS:=}"
dnl Checks for programs...
AC_PROG_AWK
AC_PROG_CC
-AC_PROG_CXX
AC_PROG_CPP
AC_PROG_INSTALL
if test "$INSTALL" = "$ac_install_sh"; then
if test "x$CC" = x; then
AC_MSG_ERROR([Unable to find required C compiler command.])
fi
-if test "x$CXX" = x; then
- AC_MSG_ERROR([Unable to find required C++ compiler command.])
-fi
dnl Static library option...
INSTALLSTATIC=""
dnl
dnl Compiler stuff for the Common UNIX Printing System (CUPS).
dnl
-dnl Copyright 2007 by Apple Inc.
+dnl Copyright 2007-2008 by Apple Inc.
dnl Copyright 1997-2007 by Easy Software Products, all rights reserved.
dnl
dnl These coded instructions, statements, and computer programs are the
AC_ARG_ENABLE(relro, [ --enable-relro use GCC relro option, default=no])
dnl Update compiler options...
-CXXLIBS=""
-AC_SUBST(CXXLIBS)
-
PIEFLAGS=""
AC_SUBST(PIEFLAGS)
fi
CFLAGS="-Ae $CFLAGS"
- # Warning 336 is "empty translation unit"
- # Warning 829 is passing constant string as char *
- CXXFLAGS="+W336,829 $CXXFLAGS"
if test $PICFLAG = 1; then
OPTIM="+z $OPTIM"
# cups-support@cups.org...
echo "Building CUPS with default compiler optimizations; contact"
echo "cups-bugs@cups.org with uname and compiler options needed"
- echo "for your platform, or set the CFLAGS and CXXFLAGS"
- echo "environment variable before running configure."
+ echo "for your platform, or set the CFLAGS and LDFLAGS environment"
+ echo "variables before running configure."
;;
esac
fi
dnl http://www.multicastdns.org/
dnl http://developer.apple.com/networking/bonjour/
dnl
-dnl Copyright 2007 by Apple Inc.
+dnl Copyright 2007-2008 by Apple Inc.
dnl
dnl These coded instructions, statements, and computer programs are the
dnl property of Apple Inc. and are protected by Federal copyright
DSOFLAGS="-L$withval $DSOFLAGS",)
AC_ARG_WITH(dnssd-includes, [ --with-dnssd-includes set directory for DNS Service Discovery includes],
CFLAGS="-I$withval $CFLAGS"
- CXXFLAGS="-I$withval $CXXFLAGS"
CPPFLAGS="-I$withval $CPPFLAGS",)
DNSSDLIBS=""
dnl
dnl LDAP configuration stuff for the Common UNIX Printing System (CUPS).
dnl
-dnl Copyright 2007 by Apple Inc.
+dnl Copyright 2007-2008 by Apple Inc.
dnl Copyright 2003-2006 by Easy Software Products, all rights reserved.
dnl
dnl These coded instructions, statements, and computer programs are the
AC_ARG_WITH(openldap-includes, [ --with-openldap-includes
set directory for OpenLDAP includes],
CFLAGS="-I$withval $CFLAGS"
- CXXFLAGS="-I$withval $CXXFLAGS"
CPPFLAGS="-I$withval $CPPFLAGS",)
LIBLDAP=""
dnl
dnl OpenSLP configuration stuff for the Common UNIX Printing System (CUPS).
dnl
-dnl Copyright 2007 by Apple Inc.
+dnl Copyright 2007-2008 by Apple Inc.
dnl Copyright 1997-2005 by Easy Software Products, all rights reserved.
dnl
dnl These coded instructions, statements, and computer programs are the
DSOFLAGS="-L$withval $DSOFLAGS",)
AC_ARG_WITH(openslp-includes, [ --with-openslp-includes set directory for OpenSLP includes],
CFLAGS="-I$withval $CFLAGS"
- CXXFLAGS="-I$withval $CXXFLAGS"
CPPFLAGS="-I$withval $CPPFLAGS",)
LIBSLP=""
dnl
dnl OpenSSL/GNUTLS stuff for the Common UNIX Printing System (CUPS).
dnl
-dnl Copyright 2007 by Apple Inc.
+dnl Copyright 2007-2008 by Apple Inc.
dnl Copyright 1997-2007 by Easy Software Products, all rights reserved.
dnl
dnl These coded instructions, statements, and computer programs are the
DSOFLAGS="-L$withval $DSOFLAGS",)
AC_ARG_WITH(openssl-includes, [ --with-openssl-includes set directory for OpenSSL includes],
CFLAGS="-I$withval $CFLAGS"
- CXXFLAGS="-I$withval $CXXFLAGS"
CPPFLAGS="-I$withval $CPPFLAGS",)
SSLFLAGS=""
# define _CUPS_API_1_2
# define _CUPS_API_1_3
# define _CUPS_API_1_4
-# endif /* __APPLE__ */
+# endif /* __APPLE__ && !_CUPS_SOURCE */
/*
* With GCC 3.0 and higher, we can mark old APIs "deprecated" so you get
* Allow *interface*...
*/
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup("*");
temp->mask.name.length = 1;
}
*ifptr = '\0';
}
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup(ifname);
temp->mask.name.length = ifptr - ifname;
}
* Allow name...
*/
- temp->type = AUTH_NAME;
+ temp->type = CUPSD_AUTH_NAME;
temp->mask.name.name = strdup(name);
temp->mask.name.length = strlen(name);
}
if ((temp = add_allow(loc)) == NULL)
return;
- temp->type = AUTH_IP;
+ temp->type = CUPSD_AUTH_IP;
memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
}
*/
con->best = cupsdFindBest(con->uri, con->http.state);
- con->type = AUTH_NONE;
+ con->type = CUPSD_AUTH_NONE;
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdAuthorize: con->uri=\"%s\", con->best=%p(%s)",
con->uri, con->best, con->best ? con->best->location : "");
- if (con->best && con->best->type != AUTH_NONE)
+ if (con->best && con->best->type != CUPSD_AUTH_NONE)
{
- if (con->best->type == AUTH_DEFAULT)
+ if (con->best->type == CUPSD_AUTH_DEFAULT)
type = DefaultAuthType;
else
type = con->best->type;
AuthorizationFreeItemSet(authinfo);
- con->type = AUTH_BASIC;
+ con->type = CUPSD_AUTH_BASIC;
}
#endif /* HAVE_AUTHORIZATION_H */
#if defined(SO_PEERCRED) && defined(AF_LOCAL)
"cupsdAuthorize: Authorized as %s using PeerCred",
username);
- con->type = AUTH_BASIC;
+ con->type = CUPSD_AUTH_BASIC;
}
#endif /* SO_PEERCRED && AF_LOCAL */
else if (!strncmp(authorization, "Local", 5) &&
return;
}
- con->type = AUTH_BASIC;
+ con->type = CUPSD_AUTH_BASIC;
}
else if (!strncmp(authorization, "Basic", 5))
{
switch (type)
{
default :
- case AUTH_BASIC :
+ case CUPSD_AUTH_BASIC :
{
#if HAVE_LIBPAM
/*
username);
break;
- case AUTH_BASICDIGEST :
+ case CUPSD_AUTH_BASICDIGEST :
/*
* Do Basic authentication with the Digest password file...
*/
"cupsdAuthorize: Authorized as %s using Digest",
username);
- con->type = AUTH_DIGEST;
+ con->type = CUPSD_AUTH_DIGEST;
}
#ifdef HAVE_GSSAPI
else if (!strncmp(authorization, "Negotiate", 9))
con->gss_have_creds = 1;
- con->type = AUTH_NEGOTIATE;
+ con->type = CUPSD_AUTH_NEGOTIATE;
}
else
gss_release_name(&minor_status, &client_name);
allow = 0; /* anti-compiler-warning-code */
break;
- case AUTH_ALLOW : /* Order Deny,Allow */
+ case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */
allow = 1;
if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny))
allow = 1;
break;
- case AUTH_DENY : /* Order Allow,Deny */
+ case CUPSD_AUTH_DENY : /* Order Allow,Deny */
allow = 0;
if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow))
{
switch (masks->type)
{
- case AUTH_INTERFACE :
+ case CUPSD_AUTH_INTERFACE :
/*
* Check for a match with a network interface...
*/
}
break;
- case AUTH_NAME :
+ case CUPSD_AUTH_NAME :
/*
* Check for exact name match...
*/
return (1);
break;
- case AUTH_IP :
+ case CUPSD_AUTH_IP :
/*
* Check for IP/network address match...
*/
for (i = 0; i < temp->num_allow; i ++)
switch (temp->allow[i].type = (*loc)->allow[i].type)
{
- case AUTH_NAME :
+ case CUPSD_AUTH_NAME :
temp->allow[i].mask.name.length = (*loc)->allow[i].mask.name.length;
temp->allow[i].mask.name.name = strdup((*loc)->allow[i].mask.name.name);
return (NULL);
}
break;
- case AUTH_IP :
+ case CUPSD_AUTH_IP :
memcpy(&(temp->allow[i].mask.ip), &((*loc)->allow[i].mask.ip),
sizeof(cupsd_ipmask_t));
break;
for (i = 0; i < temp->num_deny; i ++)
switch (temp->deny[i].type = (*loc)->deny[i].type)
{
- case AUTH_NAME :
+ case CUPSD_AUTH_NAME :
temp->deny[i].mask.name.length = (*loc)->deny[i].mask.name.length;
temp->deny[i].mask.name.name = strdup((*loc)->deny[i].mask.name.name);
return (NULL);
}
break;
- case AUTH_IP :
+ case CUPSD_AUTH_IP :
memcpy(&(temp->deny[i].mask.ip), &((*loc)->deny[i].mask.ip),
sizeof(cupsd_ipmask_t));
break;
free(loc->names);
for (i = loc->num_allow, mask = loc->allow; i > 0; i --, mask ++)
- if (mask->type == AUTH_NAME || mask->type == AUTH_INTERFACE)
+ if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
free(mask->mask.name.name);
if (loc->num_allow > 0)
free(loc->allow);
for (i = loc->num_deny, mask = loc->deny; i > 0; i --, mask ++)
- if (mask->type == AUTH_NAME || mask->type == AUTH_INTERFACE)
+ if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
free(mask->mask.name.name);
if (loc->num_deny > 0)
* Deny *interface*...
*/
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup("*");
temp->mask.name.length = 1;
}
*ifptr = '\0';
}
- temp->type = AUTH_INTERFACE;
+ temp->type = CUPSD_AUTH_INTERFACE;
temp->mask.name.name = strdup(ifname);
temp->mask.name.length = ifptr - ifname;
}
* Deny name...
*/
- temp->type = AUTH_NAME;
+ temp->type = CUPSD_AUTH_NAME;
temp->mask.name.name = strdup(name);
temp->mask.name.length = strlen(name);
}
if ((temp = add_deny(loc)) == NULL)
return;
- temp->type = AUTH_IP;
+ temp->type = CUPSD_AUTH_IP;
memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
}
*best; /* Best match for location so far */
int bestlen; /* Length of best match */
int limit; /* Limit field */
- static const int limits[] = /* Map http_status_t to AUTH_LIMIT_xyz */
+ static const int limits[] = /* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */
{
- AUTH_LIMIT_ALL,
- AUTH_LIMIT_OPTIONS,
- AUTH_LIMIT_GET,
- AUTH_LIMIT_GET,
- AUTH_LIMIT_HEAD,
- AUTH_LIMIT_POST,
- AUTH_LIMIT_POST,
- AUTH_LIMIT_POST,
- AUTH_LIMIT_PUT,
- AUTH_LIMIT_PUT,
- AUTH_LIMIT_DELETE,
- AUTH_LIMIT_TRACE,
- AUTH_LIMIT_ALL,
- AUTH_LIMIT_ALL
+ CUPSD_AUTH_LIMIT_ALL,
+ CUPSD_AUTH_LIMIT_OPTIONS,
+ CUPSD_AUTH_LIMIT_GET,
+ CUPSD_AUTH_LIMIT_GET,
+ CUPSD_AUTH_LIMIT_HEAD,
+ CUPSD_AUTH_LIMIT_POST,
+ CUPSD_AUTH_LIMIT_POST,
+ CUPSD_AUTH_LIMIT_POST,
+ CUPSD_AUTH_LIMIT_PUT,
+ CUPSD_AUTH_LIMIT_PUT,
+ CUPSD_AUTH_LIMIT_DELETE,
+ CUPSD_AUTH_LIMIT_TRACE,
+ CUPSD_AUTH_LIMIT_ALL,
+ CUPSD_AUTH_LIMIT_ALL
};
best = con->best;
- if ((type = best->type) == AUTH_DEFAULT)
+ if ((type = best->type) == CUPSD_AUTH_DEFAULT)
type = DefaultAuthType;
cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdIsAuthorized: level=AUTH_%s, type=%s, "
- "satisfy=AUTH_SATISFY_%s, num_names=%d",
+ "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, "
+ "satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d",
levels[best->level], types[type],
best->satisfy ? "ANY" : "ALL", best->num_names);
- if (best->limit == AUTH_LIMIT_IPP)
+ if (best->limit == CUPSD_AUTH_LIMIT_IPP)
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)",
best->op, ippOpString(best->op));
hostlen = strlen(con->http.hostname);
auth = cupsdCheckAccess(address, con->http.hostname, hostlen, best)
- ? AUTH_ALLOW : AUTH_DENY;
+ ? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=AUTH_%s...",
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...",
auth ? "DENY" : "ALLOW");
- if (auth == AUTH_DENY && best->satisfy == AUTH_SATISFY_ALL)
+ if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL)
return (HTTP_FORBIDDEN);
#ifdef HAVE_SSL
if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls &&
strcasecmp(con->http.hostname, "localhost") &&
- best->satisfy == AUTH_SATISFY_ALL) &&
- !(type == AUTH_NEGOTIATE ||
- (type == AUTH_NONE && DefaultAuthType == AUTH_NEGOTIATE)))
+ best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
+ !(type == CUPSD_AUTH_NEGOTIATE ||
+ (type == CUPSD_AUTH_NONE && DefaultAuthType == CUPSD_AUTH_NEGOTIATE)))
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: Need upgrade to TLS...");
* Now see what access level is required...
*/
- if (best->level == AUTH_ANON || /* Anonymous access - allow it */
- (type == AUTH_NONE && best->num_names == 0))
+ if (best->level == CUPSD_AUTH_ANON || /* Anonymous access - allow it */
+ (type == CUPSD_AUTH_NONE && best->num_names == 0))
return (HTTP_OK);
- if (!con->username[0] && type == AUTH_NONE &&
- best->limit == AUTH_LIMIT_IPP)
+ if (!con->username[0] && type == CUPSD_AUTH_NONE &&
+ best->limit == CUPSD_AUTH_LIMIT_IPP)
{
/*
* Check for unauthenticated username...
attr->values[0].string.text);
strlcpy(username, attr->values[0].string.text, sizeof(username));
}
- else if (best->satisfy == AUTH_SATISFY_ALL || auth == AUTH_DENY)
+ else if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
else
return (HTTP_OK); /* unless overridden with Satisfy */
if (!con->username[0])
#endif /* HAVE_AUTHORIZATION_H */
{
- if (best->satisfy == AUTH_SATISFY_ALL || auth == AUTH_DENY)
+ if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
else
return (HTTP_OK); /* unless overridden with Satisfy */
}
- if (con->type != type && type != AUTH_NONE &&
- (con->type != AUTH_BASIC || type != AUTH_BASICDIGEST))
+ if (con->type != type && type != CUPSD_AUTH_NONE &&
+ (con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST))
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s!",
types[con->type], types[type]);
else
pw = NULL;
- if (best->level == AUTH_USER)
+ if (best->level == CUPSD_AUTH_USER)
{
/*
* If there are no names associated with this location, then
* HTTP authorization types and levels...
*/
-#define AUTH_DEFAULT -1 /* Use DefaultAuthType */
-#define AUTH_NONE 0 /* No authentication */
-#define AUTH_BASIC 1 /* Basic authentication */
-#define AUTH_DIGEST 2 /* Digest authentication */
-#define AUTH_BASICDIGEST 3 /* Basic authentication w/passwd.md5 */
-#define AUTH_NEGOTIATE 4 /* Kerberos authentication */
-
-#define AUTH_ANON 0 /* Anonymous access */
-#define AUTH_USER 1 /* Must have a valid username/password */
-#define AUTH_GROUP 2 /* Must also be in a named group */
-
-#define AUTH_ALLOW 0 /* Allow access */
-#define AUTH_DENY 1 /* Deny access */
-
-#define AUTH_NAME 0 /* Authorize host by name */
-#define AUTH_IP 1 /* Authorize host by IP */
-#define AUTH_INTERFACE 2 /* Authorize host by interface */
-
-#define AUTH_SATISFY_ALL 0 /* Satisfy both address and auth */
-#define AUTH_SATISFY_ANY 1 /* Satisfy either address or auth */
-
-#define AUTH_LIMIT_DELETE 1 /* Limit DELETE requests */
-#define AUTH_LIMIT_GET 2 /* Limit GET requests */
-#define AUTH_LIMIT_HEAD 4 /* Limit HEAD requests */
-#define AUTH_LIMIT_OPTIONS 8 /* Limit OPTIONS requests */
-#define AUTH_LIMIT_POST 16 /* Limit POST requests */
-#define AUTH_LIMIT_PUT 32 /* Limit PUT requests */
-#define AUTH_LIMIT_TRACE 64 /* Limit TRACE requests */
-#define AUTH_LIMIT_ALL 127 /* Limit all requests */
-#define AUTH_LIMIT_IPP 128 /* Limit IPP requests */
+#define CUPSD_AUTH_DEFAULT -1 /* Use DefaultAuthType */
+#define CUPSD_AUTH_NONE 0 /* No authentication */
+#define CUPSD_AUTH_BASIC 1 /* Basic authentication */
+#define CUPSD_AUTH_DIGEST 2 /* Digest authentication */
+#define CUPSD_AUTH_BASICDIGEST 3 /* Basic authentication w/passwd.md5 */
+#define CUPSD_AUTH_NEGOTIATE 4 /* Kerberos authentication */
+
+#define CUPSD_AUTH_ANON 0 /* Anonymous access */
+#define CUPSD_AUTH_USER 1 /* Must have a valid username/password */
+#define CUPSD_AUTH_GROUP 2 /* Must also be in a named group */
+
+#define CUPSD_AUTH_ALLOW 0 /* Allow access */
+#define CUPSD_AUTH_DENY 1 /* Deny access */
+
+#define CUPSD_AUTH_NAME 0 /* Authorize host by name */
+#define CUPSD_AUTH_IP 1 /* Authorize host by IP */
+#define CUPSD_AUTH_INTERFACE 2 /* Authorize host by interface */
+
+#define CUPSD_AUTH_SATISFY_ALL 0 /* Satisfy both address and auth */
+#define CUPSD_AUTH_SATISFY_ANY 1 /* Satisfy either address or auth */
+
+#define CUPSD_AUTH_LIMIT_DELETE 1 /* Limit DELETE requests */
+#define CUPSD_AUTH_LIMIT_GET 2 /* Limit GET requests */
+#define CUPSD_AUTH_LIMIT_HEAD 4 /* Limit HEAD requests */
+#define CUPSD_AUTH_LIMIT_OPTIONS 8 /* Limit OPTIONS requests */
+#define CUPSD_AUTH_LIMIT_POST 16 /* Limit POST requests */
+#define CUPSD_AUTH_LIMIT_PUT 32 /* Limit PUT requests */
+#define CUPSD_AUTH_LIMIT_TRACE 64 /* Limit TRACE requests */
+#define CUPSD_AUTH_LIMIT_ALL 127 /* Limit all requests */
+#define CUPSD_AUTH_LIMIT_IPP 128 /* Limit IPP requests */
#define IPP_ANY_OPERATION (ipp_op_t)0
/* Any IPP operation */
VAR cups_array_t *Locations VALUE(NULL);
/* Authorization locations */
-VAR int DefaultAuthType VALUE(AUTH_BASIC);
+VAR int DefaultAuthType VALUE(CUPSD_AUTH_BASIC);
/* Default AuthType, if not specified */
#ifdef HAVE_SSL
VAR http_encryption_t DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED);
* Authentication certificate routines for the Common UNIX
* Printing System (CUPS).
*
- * Copyright 2007 by Apple Inc.
+ * Copyright 2007-2008 by Apple Inc.
* Copyright 1997-2006 by Easy Software Products.
*
* These coded instructions, statements, and computer programs are the
void
cupsdAddCert(int pid, /* I - Process ID */
- const char *username) /* I - Username */
+ const char *username, /* I - Username */
+ void *ccache) /* I - Kerberos credentials or NULL */
{
int i; /* Looping var */
cupsd_cert_t *cert; /* Current certificate */
write(fd, cert->certificate, strlen(cert->certificate));
close(fd);
+ /*
+ * Add Kerberos credentials as needed...
+ */
+
+#ifdef HAVE_GSSAPI
+ cert->ccache = (krb5_ccache)ccache;
+#else
+ (void)ccache;
+#endif /* HAVE_GSSAPI */
+
/*
* Insert the certificate at the front of the list...
*/
else
prev->next = cert->next;
+#ifdef HAVE_GSSAPI
+ /*
+ * Release Kerberos credentials as needed...
+ */
+
+ if (cert->ccache)
+ krb5_cc_destroy(KerberosContext, cert->ccache);
+#endif /* HAVE_GSSAPI */
+
free(cert);
/*
*/
if (!RunUser)
- cupsdAddCert(0, "root");
+ cupsdAddCert(0, "root", NULL);
}
* Authentication certificate definitions for the Common UNIX
* Printing System (CUPS).
*
- * Copyright 2007 by Apple Inc.
+ * Copyright 2007-2008 by Apple Inc.
* Copyright 1997-2005 by Easy Software Products.
*
* These coded instructions, statements, and computer programs are the
int pid; /* Process ID (0 for root certificate) */
char certificate[33]; /* 32 hex characters, or 128 bits */
char username[33]; /* Authenticated username */
+#ifdef HAVE_GSSAPI
+ krb5_ccache ccache; /* Kerberos credential cache */
+#endif /* HAVE_GSSAPI */
} cupsd_cert_t;
* Prototypes...
*/
-extern void cupsdAddCert(int pid, const char *username);
+extern void cupsdAddCert(int pid, const char *username,
+ void *ccache);
extern void cupsdDeleteCert(int pid);
extern void cupsdDeleteAllCerts(void);
extern const char *cupsdFindCert(const char *certificate);
cupsdLogMessage(CUPSD_LOG_ERROR,
"Bad request line \"%s\" from %s!", line,
con->http.hostname);
- cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE);
+ cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE);
cupsdCloseClient(con);
return;
case 2 :
cupsdLogMessage(CUPSD_LOG_ERROR,
"Bad request line \"%s\" from %s!", line,
con->http.hostname);
- cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE);
+ cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE);
cupsdCloseClient(con);
return;
}
}
else
{
- cupsdSendError(con, HTTP_NOT_SUPPORTED, AUTH_NONE);
+ cupsdSendError(con, HTTP_NOT_SUPPORTED, CUPSD_AUTH_NONE);
cupsdCloseClient(con);
return;
}
cupsdLogMessage(CUPSD_LOG_ERROR, "Bad URI \"%s\" in request!",
con->uri);
- cupsdSendError(con, HTTP_METHOD_NOT_ALLOWED, AUTH_NONE);
+ cupsdSendError(con, HTTP_METHOD_NOT_ALLOWED, CUPSD_AUTH_NONE);
cupsdCloseClient(con);
return;
}
else
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Bad operation \"%s\"!", operation);
- cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE);
+ cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE);
cupsdCloseClient(con);
return;
}
if (status != HTTP_OK && status != HTTP_CONTINUE)
{
- cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE);
+ cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE);
cupsdCloseClient(con);
return;
}
* HTTP/1.1 and higher require the "Host:" field...
*/
- if (!cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* Do OPTIONS command...
*/
- if (con->best && con->best->type != AUTH_NONE)
+ if (con->best && con->best->type != CUPSD_AUTH_NONE)
{
- if (!cupsdSendHeader(con, HTTP_UNAUTHORIZED, NULL, AUTH_NONE))
+ if (!cupsdSendHeader(con, HTTP_UNAUTHORIZED, NULL, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* Do encryption stuff...
*/
- if (!cupsdSendHeader(con, HTTP_SWITCHING_PROTOCOLS, NULL, AUTH_NONE))
+ if (!cupsdSendHeader(con, HTTP_SWITCHING_PROTOCOLS, NULL, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
return;
}
#else
- if (!cupsdSendError(con, HTTP_NOT_IMPLEMENTED, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
#endif /* HAVE_SSL */
}
- if (!cupsdSendHeader(con, HTTP_OK, NULL, AUTH_NONE))
+ if (!cupsdSendHeader(con, HTTP_OK, NULL, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* Protect against malicious users!
*/
- if (!cupsdSendError(con, HTTP_FORBIDDEN, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* Do encryption stuff...
*/
- if (!cupsdSendHeader(con, HTTP_SWITCHING_PROTOCOLS, NULL, AUTH_NONE))
+ if (!cupsdSendHeader(con, HTTP_SWITCHING_PROTOCOLS, NULL, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
return;
}
#else
- if (!cupsdSendError(con, HTTP_NOT_IMPLEMENTED, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdReadClient: Unauthorized request for %s...\n",
con->uri);
- cupsdSendError(con, status, AUTH_NONE);
+ cupsdSendError(con, status, CUPSD_AUTH_NONE);
cupsdCloseClient(con);
return;
}
* Send 100-continue header...
*/
- if (!cupsdSendHeader(con, HTTP_CONTINUE, NULL, AUTH_NONE))
+ if (!cupsdSendHeader(con, HTTP_CONTINUE, NULL, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* Send 417-expectation-failed header...
*/
- if (!cupsdSendHeader(con, HTTP_EXPECTATION_FAILED, NULL, AUTH_NONE))
+ if (!cupsdSendHeader(con, HTTP_EXPECTATION_FAILED, NULL, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
snprintf(con->uri, sizeof(con->uri), "/ppd/%s.ppd", p->name);
else
{
- if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
if (!cupsdSendCommand(con, con->command, con->options, 0))
{
- if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* /admin/conf...
*/
- if (!cupsdSendError(con, HTTP_FORBIDDEN, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
if ((filename = get_file(con, &filestats, buf,
sizeof(buf))) == NULL)
{
- if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
if (!cupsdSendCommand(con, con->command, con->options, 0))
{
- if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
if (!check_if_modified(con, &filestats))
{
- if (!cupsdSendError(con, HTTP_NOT_MODIFIED, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_NOT_MODIFIED, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* Request too large...
*/
- if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* Negative content lengths are invalid!
*/
- if (!cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
if ((filename = get_file(con, &filestats, buf,
sizeof(buf))) == NULL)
{
- if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* Only POST to CGI's...
*/
- if (!cupsdSendError(con, HTTP_UNAUTHORIZED, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_UNAUTHORIZED, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* /admin/conf...
*/
- if (!cupsdSendError(con, HTTP_FORBIDDEN, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* Request too large...
*/
- if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* Negative content lengths are invalid!
*/
- if (!cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
"Unable to create request file %s: %s",
con->filename, strerror(errno));
- if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
case HTTP_DELETE :
case HTTP_TRACE :
- cupsdSendError(con, HTTP_NOT_IMPLEMENTED, AUTH_NONE);
+ cupsdSendError(con, HTTP_NOT_IMPLEMENTED, CUPSD_AUTH_NONE);
cupsdCloseClient(con);
return;
snprintf(con->uri, sizeof(con->uri), "/ppd/%s.ppd", p->name);
else
{
- if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* CGI output...
*/
- if (!cupsdSendHeader(con, HTTP_OK, "text/html", AUTH_NONE))
+ if (!cupsdSendHeader(con, HTTP_OK, "text/html", CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* /admin/conf...
*/
- if (!cupsdSendError(con, HTTP_FORBIDDEN, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
else if ((filename = get_file(con, &filestats, buf,
sizeof(buf))) == NULL)
{
- if (!cupsdSendHeader(con, HTTP_NOT_FOUND, "text/html", AUTH_NONE))
+ if (!cupsdSendHeader(con, HTTP_NOT_FOUND, "text/html", CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
}
else if (!check_if_modified(con, &filestats))
{
- if (!cupsdSendError(con, HTTP_NOT_MODIFIED, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_NOT_MODIFIED, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
else
snprintf(line, sizeof(line), "%s/%s", type->super, type->type);
- if (!cupsdSendHeader(con, HTTP_OK, line, AUTH_NONE))
+ if (!cupsdSendHeader(con, HTTP_OK, line, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
unlink(con->filename);
cupsdClearString(&con->filename);
- if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
unlink(con->filename);
cupsdClearString(&con->filename);
- if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* Return the status to the client...
*/
- if (!cupsdSendError(con, status, AUTH_NONE))
+ if (!cupsdSendError(con, status, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
"cupsdReadClient: %d IPP Read Error!",
con->http.fd);
- cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE);
+ cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE);
cupsdCloseClient(con);
return;
}
{
if (con->http.state == HTTP_POST_SEND)
{
- cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE);
+ cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE);
cupsdCloseClient(con);
return;
}
"Unable to create request file %s: %s",
con->filename, strerror(errno));
- if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
unlink(con->filename);
cupsdClearString(&con->filename);
- if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
con->request = NULL;
}
- if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
{
if (!cupsdSendCommand(con, con->command, con->options, 0))
{
- if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE))
+ if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE))
{
cupsdCloseClient(con);
return;
* never disable it in that case.
*/
- if (code >= HTTP_BAD_REQUEST && con->http.auth_type != AUTH_NEGOTIATE)
+ if (code >= HTTP_BAD_REQUEST && con->http.auth_type != CUPSD_AUTH_NEGOTIATE)
con->http.keep_alive = HTTP_KEEPALIVE_OFF;
/*
if (code == HTTP_UNAUTHORIZED)
{
- if (auth_type == AUTH_NONE)
+ if (auth_type == CUPSD_AUTH_NONE)
{
- if (!con->best || con->best->type <= AUTH_NONE)
+ if (!con->best || con->best->type <= CUPSD_AUTH_NONE)
auth_type = DefaultAuthType;
else
auth_type = con->best->type;
auth_str[0] = '\0';
- if (auth_type == AUTH_BASIC || auth_type == AUTH_BASICDIGEST)
+ if (auth_type == CUPSD_AUTH_BASIC || auth_type == CUPSD_AUTH_BASICDIGEST)
strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
- else if (auth_type == AUTH_DIGEST)
+ else if (auth_type == CUPSD_AUTH_DIGEST)
snprintf(auth_str, sizeof(auth_str), "Digest realm=\"CUPS\", nonce=\"%s\"",
con->http.hostname);
#ifdef HAVE_GSSAPI
- else if (auth_type == AUTH_NEGOTIATE && con->gss_output_token.length == 0)
+ else if (auth_type == CUPSD_AUTH_NEGOTIATE && con->gss_output_token.length == 0)
strlcpy(auth_str, "Negotiate", sizeof(auth_str));
#endif /* HAVE_GSSAPI */
#ifdef HAVE_AUTHORIZATION_H
- if (con->best && auth_type != AUTH_NEGOTIATE)
+ if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE)
{
int i; /* Looping var */
char *auth_key; /* Auth key buffer */
if (!strncasecmp(buf, "Location:", 9))
{
- cupsdSendHeader(con, HTTP_SEE_OTHER, NULL, AUTH_NONE);
+ cupsdSendHeader(con, HTTP_SEE_OTHER, NULL, CUPSD_AUTH_NONE);
con->sent_header = 2;
if (httpPrintf(HTTP(con), "Content-Length: 0\r\n") < 0)
}
else if (!strncasecmp(buf, "Status:", 7))
{
- cupsdSendError(con, (http_status_t)atoi(buf + 7), AUTH_NONE);
+ cupsdSendError(con, (http_status_t)atoi(buf + 7), CUPSD_AUTH_NONE);
con->sent_header = 2;
}
else
{
- cupsdSendHeader(con, HTTP_OK, NULL, AUTH_NONE);
+ cupsdSendHeader(con, HTTP_OK, NULL, CUPSD_AUTH_NONE);
con->sent_header = 1;
if (con->http.version == HTTP_1_1)
char argbuf[10240], /* Argument buffer */
*argv[100], /* Argument strings */
*envp[MAX_ENV + 20]; /* Environment variables */
- char auth_type[256], /* AUTH_TYPE environment variable */
+ char auth_type[256], /* CUPSD_AUTH_TYPE environment variable */
content_length[1024], /* CONTENT_LENGTH environment variable */
content_type[1024], /* CONTENT_TYPE environment variable */
http_cookie[32768], /* HTTP_COOKIE environment variable */
server_name[1024], /* SERVER_NAME environment variable */
server_port[1024]; /* SERVER_PORT environment variable */
ipp_attribute_t *attr; /* attributes-natural-language attribute */
+#ifdef HAVE_GSSAPI
+ krb5_ccache ccache = NULL; /* Kerberos credentials */
+ char krb5ccname[1024]; /* KRB5CCNAME environment variable */
+#endif /* HAVE_GSSAPI */
/*
if (con->username[0])
{
- snprintf(auth_type, sizeof(auth_type), "AUTH_TYPE=%s",
+ snprintf(auth_type, sizeof(auth_type), "CUPSD_AUTH_TYPE=%s",
httpGetField(HTTP(con), HTTP_FIELD_AUTHORIZATION));
if ((uriptr = strchr(auth_type + 10, ' ')) != NULL)
snprintf(remote_user, sizeof(remote_user), "REMOTE_USER=%s", con->username);
envp[envc ++] = remote_user;
+
+ /*
+ * Save Kerberos credentials, if any...
+ */
+
+#ifdef HAVE_GSSAPI
+ if (con->gss_have_creds)
+ {
+# if !defined(HAVE_KRB5_CC_NEW_UNIQUE) && !defined(HAVE_HEIMDAL)
+ cupsdLogMessage(CUPSD_LOG_INFO,
+ "Sorry, your version of Kerberos does not support "
+ "delegated credentials!");
+
+# else
+ krb5_error_code error; /* Kerberos error code */
+ OM_uint32 major_status, /* Major status code */
+ minor_status; /* Minor status code */
+ krb5_principal principal; /* Kerberos principal */
+
+
+# ifdef __APPLE__
+ /*
+ * If the weak-linked GSSAPI/Kerberos library is not present, don't try
+ * to use it...
+ */
+
+ if (krb5_init_context != NULL)
+ {
+# endif /* __APPLE__ */
+
+ /*
+ * We MUST create a file-based cache because memory-based caches are
+ * only valid for the current process/address space.
+ *
+ * Due to various bugs/features in different versions of Kerberos, we
+ * need either the krb5_cc_new_unique() function or Heimdal's version
+ * of krb5_cc_gen_new() to create a new FILE: credential cache that
+ * can be passed to the backend. These functions create a temporary
+ * file (typically in /tmp) containing the cached credentials, which
+ * are removed when we have successfully printed a job.
+ */
+
+# ifdef HAVE_KRB5_CC_NEW_UNIQUE
+ if ((error = krb5_cc_new_unique(KerberosContext, "FILE", NULL,
+ &ccache)) != 0)
+# else /* HAVE_HEIMDAL */
+ if ((error = krb5_cc_gen_new(KerberosContext, &krb5_fcc_ops,
+ &ccache)) != 0)
+# endif /* HAVE_KRB5_CC_NEW_UNIQUE */
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unable to create new credentials cache (%d/%s)",
+ error, strerror(errno));
+ ccache = NULL;
+ }
+ else if ((error = krb5_parse_name(KerberosContext, con->username,
+ &principal)) != 0)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unable to parse kerberos username (%d/%s)", error,
+ strerror(errno));
+ krb5_cc_destroy(KerberosContext, ccache);
+ ccache = NULL;
+ }
+ else if ((error = krb5_cc_initialize(KerberosContext, ccache,
+ principal)))
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Unable to initialize credentials cache (%d/%s)", error,
+ strerror(errno));
+ krb5_cc_destroy(KerberosContext, ccache);
+ krb5_free_principal(KerberosContext, principal);
+ ccache = NULL;
+ }
+ else
+ {
+ krb5_free_principal(KerberosContext, principal);
+
+ /*
+ * Copy the user's credentials to the new cache file...
+ */
+
+ major_status = gss_krb5_copy_ccache(&minor_status,
+ con->gss_delegated_cred, ccache);
+
+ if (GSS_ERROR(major_status))
+ {
+ cupsdLogGSSMessage(CUPSD_LOG_ERROR, major_status, minor_status,
+ "Unable to import client credentials cache");
+ krb5_cc_destroy(KerberosContext, ccache);
+ ccache = NULL;
+ }
+ else
+ {
+ /*
+ * Add the KRB5CCNAME environment variable to the job so that the
+ * backend can use the credentials when printing.
+ */
+
+ snprintf(krb5ccname, sizeof(krb5ccname), "KRB5CCNAME=FILE:%s",
+ krb5_cc_get_name(KerberosContext, ccache));
+ envp[envc++] = krb5ccname;
+
+ if (!RunUser)
+ chown(krb5_cc_get_name(KerberosContext, ccache), User, Group);
+ }
+ }
+# ifdef __APPLE__
+ }
+# endif /* __APPLE__ */
+# endif /* HAVE_KRB5_CC_NEW_UNIQUE || HAVE_HEIMDAL */
+ }
+#endif /* HAVE_GSSAPI */
+
}
if (con->http.version == HTTP_1_1)
*/
if (con->username[0])
- cupsdAddCert(pid, con->username);
+#ifdef HAVE_GSSAPI
+ cupsdAddCert(pid, con->username, ccache);
+#else
+ cupsdAddCert(pid, con->username, NULL);
+#endif /* HAVE_GSSAPI */
cupsdLogMessage(CUPSD_LOG_DEBUG, "[CGI] %s started - PID = %d",
command, pid);
con->pipe_pid = 0;
- if (!cupsdSendHeader(con, code, type, AUTH_NONE))
+ if (!cupsdSendHeader(con, code, type, CUPSD_AUTH_NONE))
return (0);
if (httpPrintf(HTTP(con), "Last-Modified: %s\r\n",
if (NumRelays > 0)
{
for (i = 0; i < NumRelays; i ++)
- if (Relays[i].from.type == AUTH_NAME)
+ if (Relays[i].from.type == CUPSD_AUTH_NAME)
free(Relays[i].from.mask.name.name);
free(Relays);
*/
ConfigFilePerm = CUPS_DEFAULT_CONFIG_FILE_PERM;
- DefaultAuthType = AUTH_BASIC;
+ DefaultAuthType = CUPSD_AUTH_BASIC;
#ifdef HAVE_SSL
DefaultEncryption = HTTP_ENCRYPT_REQUIRED;
#endif /* HAVE_SSL */
cupsdLogMessage(CUPSD_LOG_INFO, "Order Deny,Allow");
po = cupsdAddPolicyOp(p, NULL, IPP_SEND_DOCUMENT);
- po->order_type = AUTH_ALLOW;
- po->level = AUTH_USER;
+ po->order_type = CUPSD_AUTH_ALLOW;
+ po->level = CUPSD_AUTH_USER;
cupsdAddName(po, "@OWNER");
cupsdAddName(po, "@SYSTEM");
cupsdLogMessage(CUPSD_LOG_INFO, "AuthType Default");
po = cupsdAddPolicyOp(p, NULL, IPP_PAUSE_PRINTER);
- po->order_type = AUTH_ALLOW;
- po->type = AUTH_DEFAULT;
- po->level = AUTH_USER;
+ po->order_type = CUPSD_AUTH_ALLOW;
+ po->type = CUPSD_AUTH_DEFAULT;
+ po->level = CUPSD_AUTH_USER;
cupsdAddName(po, "@SYSTEM");
cupsdLogMessage(CUPSD_LOG_INFO, "Require user @SYSTEM");
cupsdLogMessage(CUPSD_LOG_INFO, "Order Deny,Allow");
po = cupsdAddPolicyOp(p, NULL, IPP_ANY_OPERATION);
- po->order_type = AUTH_ALLOW;
+ po->order_type = CUPSD_AUTH_ALLOW;
cupsdLogMessage(CUPSD_LOG_INFO, "</Limit>");
cupsdLogMessage(CUPSD_LOG_INFO, "</Policy>");
*/
if (!strncasecmp(value, "deny", 4))
- loc->order_type = AUTH_ALLOW;
+ loc->order_type = CUPSD_AUTH_ALLOW;
else if (!strncasecmp(value, "allow", 5))
- loc->order_type = AUTH_DENY;
+ loc->order_type = CUPSD_AUTH_DENY;
else
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown Order value %s on line %d.",
if (!strcasecmp(value, "none"))
{
- loc->type = AUTH_NONE;
- loc->level = AUTH_ANON;
+ loc->type = CUPSD_AUTH_NONE;
+ loc->level = CUPSD_AUTH_ANON;
}
else if (!strcasecmp(value, "basic"))
{
- loc->type = AUTH_BASIC;
+ loc->type = CUPSD_AUTH_BASIC;
- if (loc->level == AUTH_ANON)
- loc->level = AUTH_USER;
+ if (loc->level == CUPSD_AUTH_ANON)
+ loc->level = CUPSD_AUTH_USER;
}
else if (!strcasecmp(value, "digest"))
{
- loc->type = AUTH_DIGEST;
+ loc->type = CUPSD_AUTH_DIGEST;
- if (loc->level == AUTH_ANON)
- loc->level = AUTH_USER;
+ if (loc->level == CUPSD_AUTH_ANON)
+ loc->level = CUPSD_AUTH_USER;
}
else if (!strcasecmp(value, "basicdigest"))
{
- loc->type = AUTH_BASICDIGEST;
+ loc->type = CUPSD_AUTH_BASICDIGEST;
- if (loc->level == AUTH_ANON)
- loc->level = AUTH_USER;
+ if (loc->level == CUPSD_AUTH_ANON)
+ loc->level = CUPSD_AUTH_USER;
}
else if (!strcasecmp(value, "default"))
{
- loc->type = AUTH_DEFAULT;
+ loc->type = CUPSD_AUTH_DEFAULT;
- if (loc->level == AUTH_ANON)
- loc->level = AUTH_USER;
+ if (loc->level == CUPSD_AUTH_ANON)
+ loc->level = CUPSD_AUTH_USER;
}
#ifdef HAVE_GSSAPI
else if (!strcasecmp(value, "negotiate"))
{
- loc->type = AUTH_NEGOTIATE;
+ loc->type = CUPSD_AUTH_NEGOTIATE;
- if (loc->level == AUTH_ANON)
- loc->level = AUTH_USER;
+ if (loc->level == CUPSD_AUTH_ANON)
+ loc->level = CUPSD_AUTH_USER;
}
#endif /* HAVE_GSSAPI */
else
if (!strcasecmp(value, "anonymous"))
{
- loc->type = AUTH_NONE;
- loc->level = AUTH_ANON;
+ loc->type = CUPSD_AUTH_NONE;
+ loc->level = CUPSD_AUTH_ANON;
cupsdLogMessage(CUPSD_LOG_WARN,
"\"AuthClass %s\" is deprecated; consider removing "
}
else if (!strcasecmp(value, "user"))
{
- loc->level = AUTH_USER;
+ loc->level = CUPSD_AUTH_USER;
cupsdLogMessage(CUPSD_LOG_WARN,
"\"AuthClass %s\" is deprecated; consider using "
}
else if (!strcasecmp(value, "group"))
{
- loc->level = AUTH_GROUP;
+ loc->level = CUPSD_AUTH_GROUP;
cupsdLogMessage(CUPSD_LOG_WARN,
"\"AuthClass %s\" is deprecated; consider using "
}
else if (!strcasecmp(value, "system"))
{
- loc->level = AUTH_GROUP;
+ loc->level = CUPSD_AUTH_GROUP;
cupsdAddName(loc, "@SYSTEM");
if (!strcasecmp(value, "valid-user") ||
!strcasecmp(value, "user"))
- loc->level = AUTH_USER;
+ loc->level = CUPSD_AUTH_USER;
else if (!strcasecmp(value, "group"))
- loc->level = AUTH_GROUP;
+ loc->level = CUPSD_AUTH_GROUP;
else
{
cupsdLogMessage(CUPSD_LOG_WARN, "Unknown Require type %s on line %d.",
else if (!strcasecmp(line, "Satisfy"))
{
if (!strcasecmp(value, "all"))
- loc->satisfy = AUTH_SATISFY_ALL;
+ loc->satisfy = CUPSD_AUTH_SATISFY_ALL;
else if (!strcasecmp(value, "any"))
- loc->satisfy = AUTH_SATISFY_ANY;
+ loc->satisfy = CUPSD_AUTH_SATISFY_ANY;
else
{
cupsdLogMessage(CUPSD_LOG_WARN, "Unknown Satisfy value %s on line %d.",
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to initialize browse access control list!");
else if (!strncasecmp(value, "deny", 4))
- location->order_type = AUTH_ALLOW;
+ location->order_type = CUPSD_AUTH_ALLOW;
else if (!strncasecmp(value, "allow", 5))
- location->order_type = AUTH_DENY;
+ location->order_type = CUPSD_AUTH_DENY;
else
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unknown BrowseOrder value %s on line %d.",
if ((ptr = strchr(temp, ' ')) != NULL)
*ptr = '\0';
- relay->from.type = AUTH_NAME;
+ relay->from.type = CUPSD_AUTH_NAME;
if ((relay->from.mask.name.name = strdup(temp)) == NULL)
{
break;
}
- relay->from.type = AUTH_IP;
+ relay->from.type = CUPSD_AUTH_IP;
memcpy(relay->from.mask.ip.address, ip,
sizeof(relay->from.mask.ip.address));
memcpy(relay->from.mask.ip.netmask, mask,
httpAddrString(&(relay->to), temp, sizeof(temp));
- if (relay->from.type == AUTH_IP)
+ if (relay->from.type == CUPSD_AUTH_IP)
snprintf(temp2, sizeof(temp2), "%u.%u.%u.%u/%u.%u.%u.%u",
relay->from.mask.ip.address[0] >> 24,
(relay->from.mask.ip.address[0] >> 16) & 255,
}
else
{
- if (relay->from.type == AUTH_NAME)
+ if (relay->from.type == CUPSD_AUTH_NAME)
free(relay->from.mask.name.name);
cupsdLogMessage(CUPSD_LOG_ERROR, "Bad relay address %s at line %d.",
*/
if (!strcasecmp(value, "none"))
- DefaultAuthType = AUTH_NONE;
+ DefaultAuthType = CUPSD_AUTH_NONE;
else if (!strcasecmp(value, "basic"))
- DefaultAuthType = AUTH_BASIC;
+ DefaultAuthType = CUPSD_AUTH_BASIC;
else if (!strcasecmp(value, "digest"))
- DefaultAuthType = AUTH_DIGEST;
+ DefaultAuthType = CUPSD_AUTH_DIGEST;
else if (!strcasecmp(value, "basicdigest"))
- DefaultAuthType = AUTH_BASICDIGEST;
+ DefaultAuthType = CUPSD_AUTH_BASICDIGEST;
#ifdef HAVE_GSSAPI
else if (!strcasecmp(value, "negotiate"))
- DefaultAuthType = AUTH_NEGOTIATE;
+ DefaultAuthType = CUPSD_AUTH_NEGOTIATE;
#endif /* HAVE_GSSAPI */
else
{
if ((parent = cupsdAddLocation(location)) == NULL)
return (0);
- parent->limit = AUTH_LIMIT_ALL;
+ parent->limit = CUPSD_AUTH_LIMIT_ALL;
loc = parent;
while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))
*valptr++ = '\0';
if (!strcmp(value, "ALL"))
- loc->limit = AUTH_LIMIT_ALL;
+ loc->limit = CUPSD_AUTH_LIMIT_ALL;
else if (!strcmp(value, "GET"))
- loc->limit |= AUTH_LIMIT_GET;
+ loc->limit |= CUPSD_AUTH_LIMIT_GET;
else if (!strcmp(value, "HEAD"))
- loc->limit |= AUTH_LIMIT_HEAD;
+ loc->limit |= CUPSD_AUTH_LIMIT_HEAD;
else if (!strcmp(value, "OPTIONS"))
- loc->limit |= AUTH_LIMIT_OPTIONS;
+ loc->limit |= CUPSD_AUTH_LIMIT_OPTIONS;
else if (!strcmp(value, "POST"))
- loc->limit |= AUTH_LIMIT_POST;
+ loc->limit |= CUPSD_AUTH_LIMIT_POST;
else if (!strcmp(value, "PUT"))
- loc->limit |= AUTH_LIMIT_PUT;
+ loc->limit |= CUPSD_AUTH_LIMIT_PUT;
else if (!strcmp(value, "TRACE"))
- loc->limit |= AUTH_LIMIT_TRACE;
+ loc->limit |= CUPSD_AUTH_LIMIT_TRACE;
else
cupsdLogMessage(CUPSD_LOG_WARN, "Unknown request type %s on line %d!",
value, linenum);
}
if (!strcasecmp(line, "<LimitExcept"))
- loc->limit = AUTH_LIMIT_ALL ^ loc->limit;
+ loc->limit = CUPSD_AUTH_LIMIT_ALL ^ loc->limit;
parent->limit &= ~loc->limit;
}
* Access from localhost (127.0.0.1) is always allowed...
*/
- auth = AUTH_ALLOW;
+ auth = CUPSD_AUTH_ALLOW;
}
else
{
switch (BrowseACL->order_type)
{
default :
- auth = AUTH_DENY; /* anti-compiler-warning-code */
+ auth = CUPSD_AUTH_DENY; /* anti-compiler-warning-code */
break;
- case AUTH_ALLOW : /* Order Deny,Allow */
- auth = AUTH_ALLOW;
+ case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */
+ auth = CUPSD_AUTH_ALLOW;
if (cupsdCheckAuth(address, srcname, len,
BrowseACL->num_deny, BrowseACL->deny))
- auth = AUTH_DENY;
+ auth = CUPSD_AUTH_DENY;
if (cupsdCheckAuth(address, srcname, len,
BrowseACL->num_allow, BrowseACL->allow))
- auth = AUTH_ALLOW;
+ auth = CUPSD_AUTH_ALLOW;
break;
- case AUTH_DENY : /* Order Allow,Deny */
- auth = AUTH_DENY;
+ case CUPSD_AUTH_DENY : /* Order Allow,Deny */
+ auth = CUPSD_AUTH_DENY;
if (cupsdCheckAuth(address, srcname, len,
BrowseACL->num_allow, BrowseACL->allow))
- auth = AUTH_ALLOW;
+ auth = CUPSD_AUTH_ALLOW;
if (cupsdCheckAuth(address, srcname, len,
BrowseACL->num_deny, BrowseACL->deny))
- auth = AUTH_DENY;
+ auth = CUPSD_AUTH_DENY;
break;
}
}
}
else
- auth = AUTH_ALLOW;
+ auth = CUPSD_AUTH_ALLOW;
- if (auth == AUTH_DENY)
+ if (auth == CUPSD_AUTH_DENY)
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"update_cups_browse: Refused %d bytes from %s", bytes,
con->http.fd, con->response->request.status.status_code,
ippErrorString(con->response->request.status.status_code));
- if (cupsdSendHeader(con, HTTP_OK, "application/ipp", AUTH_NONE))
+ if (cupsdSendHeader(con, HTTP_OK, "application/ipp", CUPSD_AUTH_NONE))
{
#ifdef CUPSD_USE_CHUNKING
/*
cupsFilePrintf(fp, "%s\n", line);
if (!strcmp(dest->auth_info_required[i], "username"))
- cupsdSetStringf(&job->auth_username, "AUTH_USERNAME=%s",
+ cupsdSetStringf(&job->auth_username, "CUPSD_AUTH_USERNAME=%s",
auth_info->values[i].string.text);
else if (!strcmp(dest->auth_info_required[i], "domain"))
- cupsdSetStringf(&job->auth_domain, "AUTH_DOMAIN=%s",
+ cupsdSetStringf(&job->auth_domain, "CUPSD_AUTH_DOMAIN=%s",
auth_info->values[i].string.text);
else if (!strcmp(dest->auth_info_required[i], "password"))
- cupsdSetStringf(&job->auth_password, "AUTH_PASSWORD=%s",
+ cupsdSetStringf(&job->auth_password, "CUPSD_AUTH_PASSWORD=%s",
auth_info->values[i].string.text);
}
}
httpEncode64_2(line, sizeof(line), con->username, strlen(con->username));
cupsFilePrintf(fp, "%s\n", line);
- cupsdSetStringf(&job->auth_username, "AUTH_USERNAME=%s", con->username);
+ cupsdSetStringf(&job->auth_username, "CUPSD_AUTH_USERNAME=%s", con->username);
cupsdClearString(&job->auth_domain);
/*
httpEncode64_2(line, sizeof(line), con->password, strlen(con->password));
cupsFilePrintf(fp, "%s\n", line);
- cupsdSetStringf(&job->auth_password, "AUTH_PASSWORD=%s", con->password);
+ cupsdSetStringf(&job->auth_password, "CUPSD_AUTH_PASSWORD=%s", con->password);
}
/*
if (status == HTTP_UNAUTHORIZED &&
printer && printer->num_auth_info_required > 0 &&
!strcmp(printer->auth_info_required[0], "negotiate"))
- cupsdSendError(con, status, AUTH_NEGOTIATE);
+ cupsdSendError(con, status, CUPSD_AUTH_NEGOTIATE);
else if (printer)
{
char resource[HTTP_MAX_URI]; /* Resource portion of URI */
snprintf(resource, sizeof(resource), "/printers/%s", printer->name);
if ((auth = cupsdFindBest(resource, HTTP_POST)) == NULL ||
- auth->type == AUTH_NONE)
+ auth->type == CUPSD_AUTH_NONE)
auth = cupsdFindPolicyOp(printer->op_policy_ptr, IPP_PRINT_JOB);
- cupsdSendError(con, status, auth ? auth->type : AUTH_NONE);
+ cupsdSendError(con, status, auth ? auth->type : CUPSD_AUTH_NONE);
}
else
- cupsdSendError(con, status, AUTH_NONE);
+ cupsdSendError(con, status, CUPSD_AUTH_NONE);
ippDelete(con->response);
con->response = NULL;
{
int i; /* Looping var */
struct passwd *pw; /* User password data */
+ char baseuser[256], /* Base username */
+ *baseptr; /* Pointer to "@" in base username */
if (p->num_users == 0)
if (!strcmp(username, "root"))
return (1);
+ if (strchr(username, '@'))
+ {
+ /*
+ * Strip @REALM for username check...
+ */
+
+ strlcpy(baseuser, username, sizeof(baseuser));
+
+ if ((baseptr = strchr(baseuser, '@')) != NULL)
+ *baseptr = '\0';
+
+ username = baseuser;
+ }
+
pw = getpwnam(username);
endpwent();
cupsdClearString(&job->auth_username);
cupsdClearString(&job->auth_domain);
cupsdClearString(&job->auth_password);
+
#ifdef HAVE_GSSAPI
/*
* Destroy the credential cache and clear the KRB5CCNAME env var string.
envp[envc] = NULL;
for (i = 0; i < envc; i ++)
- if (!strncmp(envp[i], "AUTH_", 5))
- cupsdLogMessage(CUPSD_LOG_DEBUG, "[Job %d] envp[%d]=\"AUTH_%c****\"",
+ if (!strncmp(envp[i], "CUPSD_AUTH_", 5))
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "[Job %d] envp[%d]=\"CUPSD_AUTH_%c****\"",
job->id, i, envp[i][5]);
else if (strncmp(envp[i], "DEVICE_URI=", 11))
cupsdLogMessage(CUPSD_LOG_DEBUG, "[Job %d] envp[%d]=\"%s\"",
browse_time, /* Next browse send time */
senddoc_time, /* Send-Document time */
expire_time, /* Subscription expire time */
- mallinfo_time; /* Malloc information time */
- size_t string_count, /* String count */
- alloc_bytes, /* Allocated string bytes */
- total_bytes; /* Total string bytes */
+ report_time; /* Malloc/client/job report time */
long timeout; /* Timeout for cupsdDoSelect() */
struct rlimit limit; /* Runtime limit */
#if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
* Loop forever...
*/
- mallinfo_time = 0;
browse_time = time(NULL);
- senddoc_time = time(NULL);
expire_time = time(NULL);
fds = 1;
+ report_time = 0;
+ senddoc_time = time(NULL);
while (!stop_scheduler)
{
*/
cupsdDeleteCert(0);
- cupsdAddCert(0, "root");
+ cupsdAddCert(0, "root", NULL);
}
/*
}
/*
- * Log memory usage every minute...
+ * Log statistics at most once a minute when in debug mode...
*/
- if ((current_time - mallinfo_time) >= 60 && LogLevel >= CUPSD_LOG_DEBUG2)
+ if ((current_time - report_time) >= 60 && LogLevel >= CUPSD_LOG_DEBUG)
{
+ size_t string_count, /* String count */
+ alloc_bytes, /* Allocated string bytes */
+ total_bytes; /* Total string bytes */
#ifdef HAVE_MALLINFO
- struct mallinfo mem; /* Malloc information */
+ struct mallinfo mem; /* Malloc information */
mem = mallinfo();
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "mallinfo: arena = %d, used = %d, free = %d\n",
- mem.arena, mem.usmblks + mem.uordblks,
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: malloc-arena=%lu", mem.arena);
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: malloc-used=%lu",
+ mem.usmblks + mem.uordblks);
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: malloc-free=%lu",
mem.fsmblks + mem.fordblks);
#endif /* HAVE_MALLINFO */
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: clients=%d",
+ cupsArrayCount(Clients));
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: jobs=%d",
+ cupsArrayCount(Jobs));
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: jobs-active=%d",
+ cupsArrayCount(ActiveJobs));
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: printers=%d",
+ cupsArrayCount(Printers));
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: printers-implicit=%d",
+ cupsArrayCount(ImplicitPrinters));
+
string_count = _cupsStrStatistics(&alloc_bytes, &total_bytes);
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "stringpool: " CUPS_LLFMT " strings, "
- CUPS_LLFMT " allocated, " CUPS_LLFMT " total bytes",
- CUPS_LLCAST string_count, CUPS_LLCAST alloc_bytes,
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "Report: stringpool-string-count=" CUPS_LLFMT,
+ CUPS_LLCAST string_count);
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "Report: stringpool-alloc-bytes=" CUPS_LLFMT,
+ CUPS_LLCAST alloc_bytes);
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "Report: stringpool-total-bytes=" CUPS_LLFMT,
CUPS_LLCAST total_bytes);
- mallinfo_time = current_time;
+ report_time = current_time;
}
/*
*
* Policy routines for the Common UNIX Printing System (CUPS).
*
- * Copyright 2007 by Apple Inc.
+ * Copyright 2007-2008 by Apple Inc.
* Copyright 1997-2006 by Easy Software Products, all rights reserved.
*
* These coded instructions, statements, and computer programs are the
if ((temp = calloc(1, sizeof(cupsd_location_t))) != NULL)
{
temp->op = op;
- temp->limit = AUTH_LIMIT_IPP;
+ temp->limit = CUPSD_AUTH_LIMIT_IPP;
cupsArrayAdd(p->ops, temp);
for (i = 0; i < po->num_allow; i ++)
switch (po->allow[i].type)
{
- case AUTH_IP :
+ case CUPSD_AUTH_IP :
cupsdAllowIP(temp, po->allow[i].mask.ip.address,
po->allow[i].mask.ip.netmask);
break;
- case AUTH_INTERFACE :
+ case CUPSD_AUTH_INTERFACE :
snprintf(name, sizeof(name), "@IF(%s)",
po->allow[i].mask.name.name);
cupsdAllowHost(temp, name);
for (i = 0; i < po->num_deny; i ++)
switch (po->deny[i].type)
{
- case AUTH_IP :
+ case CUPSD_AUTH_IP :
cupsdDenyIP(temp, po->deny[i].mask.ip.address,
po->deny[i].mask.ip.netmask);
break;
- case AUTH_INTERFACE :
+ case CUPSD_AUTH_INTERFACE :
snprintf(name, sizeof(name), "@IF(%s)",
po->deny[i].mask.name.name);
cupsdDenyHost(temp, name);
snprintf(resource, sizeof(resource), "/printers/%s", p->name);
if ((auth = cupsdFindBest(resource, HTTP_POST)) == NULL ||
- auth->type == AUTH_NONE)
+ auth->type == CUPSD_AUTH_NONE)
auth = cupsdFindPolicyOp(p->op_policy_ptr, IPP_PRINT_JOB);
if (auth)
{
- if (auth->type == AUTH_BASIC || auth->type == AUTH_BASICDIGEST)
+ if (auth->type == CUPSD_AUTH_BASIC || auth->type == CUPSD_AUTH_BASICDIGEST)
{
auth_supported = "basic";
num_air = 2;
air = air_userpass;
}
- else if (auth->type == AUTH_DIGEST)
+ else if (auth->type == CUPSD_AUTH_DIGEST)
{
auth_supported = "digest";
num_air = 2;
air = air_userpass;
}
#ifdef HAVE_GSSAPI
- else if (auth->type == AUTH_NEGOTIATE)
+ else if (auth->type == CUPSD_AUTH_NEGOTIATE)
{
auth_supported = "negotiate";
num_air = 1;
}
#endif /* HAVE_GSSAPI */
- if (auth->type != AUTH_NONE)
+ if (auth->type != CUPSD_AUTH_NONE)
p->type |= CUPS_PRINTER_AUTHENTICATED;
else
p->type &= ~CUPS_PRINTER_AUTHENTICATED;
cupsFilePuts(fp, "(allow default)\n");
cupsFilePrintf(fp,
"(deny file-write* file-read-data file-read-metadata\n"
- " (regex #\"^%s\"))\n", request);
+ " (regex #\"^%s/\"))\n", request);
cupsFilePrintf(fp,
"(deny file-write*\n"
" (regex #\"^%s\" #\"^/private/etc\" #\"^/usr/local/etc\" "
- "#\"^/Library\" #\"^/System\"))\n", root);
+ "#\"^/Library\" #\"^/System\" #\"^/Users\"))\n", root);
cupsFilePrintf(fp,
"(allow file-write* file-read-data file-read-metadata\n"
" (regex #\"^%s$\" #\"^%s/\" #\"^%s$\" #\"^%s/\"))\n",
cupsFilePrintf(fp,
"(allow file-read-data file-read-metadata\n"
" (regex #\"^%s/([ac]%05d|d%05d-[0-9][0-9][0-9])$\"))\n",
- request);
+ request, job_id, job_id);
cupsFileClose(fp);
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = \"%s\"",
+ job_id, profile);
return ((void *)strdup(profile));
#else
#ifdef HAVE_SANDBOX_H
if (profile)
{
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDeleteProfile(profile=\"%s\")",
+ (char *)profile);
unlink((char *)profile);
free(profile);
}
/*
* Change the priority of the process based on the FilterNice setting.
- * (this is not done for backends...)
+ * (this is not done for root processes...)
*/
if (!root)
nice(FilterNice);
+#ifdef HAVE_SANDBOX_H
+ /*
+ * Run in a separate security profile...
+ */
+
+ if (profile)
+ {
+ char *error = NULL; /* Sandbox error, if any */
+
+ if (sandbox_init((char *)profile, SANDBOX_NAMED_EXTERNAL, &error))
+ {
+ fprintf(stderr, "ERROR: sandbox_init failed: %s (%s)\n", error,
+ strerror(errno));
+ sandbox_free_error(error);
+ }
+ }
+#endif /* HAVE_SANDBOX_H */
+
/*
* Change user to something "safe"...
*/
cupsdReleaseSignals();
-#ifdef HAVE_SANDBOX_H
- /*
- * Run in a separate security profile...
- */
-
- if (profile)
- {
- char *error; /* Sandbox error, if any */
-
- if (sandbox_init((char *)profile, SANDBOX_NAMED_EXTERNAL, &error))
- {
- fprintf(stderr, "ERROR: sandbox_init failed: %s (%s)\n", error,
- strerror(errno));
- sandbox_free_error(error);
- }
- }
-#endif /* HAVE_SANDBOX_H */
-
/*
* Execute the command; if for some reason this doesn't work,
* return the error code...