From 5bd77a735f888a051bcc81bbb241ddac9274b059 Mon Sep 17 00:00:00 2001 From: msweet Date: Tue, 22 Jan 2008 22:37:41 +0000 Subject: [PATCH] Merge changes from CUPS 1.4svn-r7242. git-svn-id: svn+ssh://src.apple.com/svn/cups/easysw/current@598 a1ca3aef-8c08-0410-bb20-df032aa958be --- CHANGES-1.3.txt | 8 ++ INSTALL.txt | 24 ++-- Makedefs.in | 19 +-- README.txt | 5 +- cgi-bin/ipp-var.c | 5 + cgi-bin/jobs.c | 7 +- cgi-bin/printers.c | 7 +- config-scripts/cups-common.m4 | 7 +- config-scripts/cups-compiler.m4 | 12 +- config-scripts/cups-dnssd.m4 | 3 +- config-scripts/cups-ldap.m4 | 3 +- config-scripts/cups-slp.m4 | 3 +- config-scripts/cups-ssl.m4 | 3 +- cups/versioning.h | 2 +- scheduler/auth.c | 126 ++++++++-------- scheduler/auth.h | 62 ++++---- scheduler/cert.c | 26 +++- scheduler/cert.h | 8 +- scheduler/client.c | 246 ++++++++++++++++++++++++-------- scheduler/conf.c | 112 +++++++-------- scheduler/dirsvc.c | 24 ++-- scheduler/ipp.c | 36 +++-- scheduler/job.c | 5 +- scheduler/main.c | 52 ++++--- scheduler/policy.c | 12 +- scheduler/printers.c | 10 +- scheduler/process.c | 48 ++++--- 27 files changed, 527 insertions(+), 348 deletions(-) diff --git a/CHANGES-1.3.txt b/CHANGES-1.3.txt index 788b076bc..3bb16f52d 100644 --- a/CHANGES-1.3.txt +++ b/CHANGES-1.3.txt @@ -4,6 +4,14 @@ CHANGES-1.3.txt CHANGES IN CUPS V1.3.6 - Documentation updates (STR #2646, STR #2647, STR #2649) + - The scheduler did not provide the Apple language ID to + job filters. + - Kerberos authentication did not work with the web + interface (STR #2606, STR #2669) + - The requesing-user-name-allowed and -denied functionality + did not work for Kerberos-authenticated usernames (STR + #2670) + - CUPS didn't compile on HP-UX 11i (STR #2679) - cupsEncodeOptions2() did not handle option values like "What's up, doc?" properly. - Added lots of memory allocation checks (Fortify) diff --git a/INSTALL.txt b/INSTALL.txt index 5732830f3..6ca73c64f 100644 --- a/INSTALL.txt +++ b/INSTALL.txt @@ -1,5 +1,5 @@ -INSTALL - CUPS v1.3.0 - 2007-08-13 ----------------------------------- +INSTALL - CUPS v1.4svn - 2008-01-22 +----------------------------------- This file describes how to compile and install CUPS from source code. For more information on CUPS see the file called @@ -14,15 +14,16 @@ code. For more information on CUPS see the file called BEFORE YOU BEGIN - You'll need ANSI-compliant C and C++ compilers, plus a make - program and Bourne shell. The GNU compiler tools work well - - we've tested the current CUPS code against several versions - of GCC with excellent results. + You'll need an ANSI-compliant C compiler, plus a make program + and Bourne shell. The GNU compiler tools work well - we've + tested the current CUPS code against several versions of GCC + with excellent results. - The makefiles used by the project should work with all + The makefiles used by the project should work with most versions of make. We've tested them with GNU make as well as the make programs shipped by Compaq, HP, SGI, and Sun. - BSD users should use GNU make (gmake). + BSD users should use GNU make (gmake) since BSD make does + not support "include". Besides these tools you'll want the JPEG, PNG, TIFF, and ZLIB libraries for image support, the CDSA, GNU TLS, or OpenSSL @@ -31,9 +32,8 @@ BEFORE YOU BEGIN compile and run without these, however you'll miss out on many of the features provided by CUPS. - Kerberos support requires a very recent version of the MIT - implementation with the krb5_cc_new_unique() function or the - Heimdal implementation, along with the corresponding GSSAPI + Kerberos support requires MIT Kerberos 1.6.3 or later or + or Heimdal Kerberos, along with the corresponding GSSAPI pieces. Also, please note that CUPS no longer includes the @@ -47,7 +47,7 @@ COMPILING FROM SUBVERSION The CUPS Subversion repository doesn't hold a copy of the pre-built configure script. You'll need to run the GNU - autoconf software (2.52 or higher) before compiling the + autoconf software (2.60 or higher) before compiling the software from Subversion: autoconf -f diff --git a/Makedefs.in b/Makedefs.in index c48f013f7..ad73a3108 100644 --- a/Makedefs.in +++ b/Makedefs.in @@ -3,7 +3,7 @@ # # Common makefile definitions for the Common UNIX Printing System (CUPS). # -# Copyright 2007 by Apple Inc. +# Copyright 2007-2008 by Apple Inc. # Copyright 1997-2007 by Easy Software Products, all rights reserved. # # These coded instructions, statements, and computer programs are the @@ -20,7 +20,6 @@ AR = @AR@ AWK = @AWK@ CC = @LIBTOOL@ @CC@ -CXX = @LIBTOOL@ @CXX@ DSO = @DSO@ HTMLDOC = @HTMLDOC@ INSTALL = @INSTALL@ @@ -108,18 +107,14 @@ INSTALLSTATIC = @INSTALLSTATIC@ # for extra debug info) # -ALL_CFLAGS = $(CFLAGS) $(SSLFLAGS) @LARGEFILE@ @PTHREAD_FLAGS@ \ - $(OPTIONS) +ALL_CFLAGS = -I.. -D_CUPS_SOURCE $(CFLAGS) $(SSLFLAGS) \ + @LARGEFILE@ @PTHREAD_FLAGS@ $(OPTIONS) ARCHFLAGS = @ARCHFLAGS@ ARFLAGS = @ARFLAGS@ BACKLIBS = @BACKLIBS@ -CFLAGS = -I.. -D_CUPS_SOURCE @CPPFLAGS@ @CFLAGS@ \ - @LARGEFILE@ @PTHREAD_FLAGS@ $(OPTIONS) +CFLAGS = @CPPFLAGS@ @CFLAGS@ COMMONLIBS = @LIBS@ CUPSDLIBS = @CUPSDLIBS@ -CXXFLAGS = -I.. -D_CUPS_SOURCE $(SSLFLAGS) @CPPFLAGS@ @CXXFLAGS@ \ - @LARGEFILE@ @PTHREAD_FLAGS@ $(OPTIONS) -CXXLIBS = @CXXLIBS@ DSOFLAGS = @DSOFLAGS@ DSOLIBS = @DSOLIBS@ $(COMMONLIBS) DNSSDLIBS = @DNSSDLIBS@ @@ -242,7 +237,7 @@ DBUSDIR = @DBUSDIR@ # .SILENT: -.SUFFIXES: .1 .1.gz .1m .1m.gz .5 .5.gz .7 .7.gz .8 .8.gz .a .c .cxx .h .man .o .32.o .64.o .gz +.SUFFIXES: .1 .1.gz .1m .1m.gz .5 .5.gz .7 .7.gz .8 .8.gz .a .c .h .man .o .32.o .64.o .gz .c.o: echo Compiling $<... @@ -256,10 +251,6 @@ DBUSDIR = @DBUSDIR@ echo Compiling 64-bit $<... $(CC) $(ARCH64FLAGS) $(OPTIM) $(ALL_CFLAGS) -c -o $@ $< -.cxx.o: - echo Compiling $<... - $(CXX) $(ARCHFLAGS) $(OPTIM) $(CXXFLAGS) -c $< - .man.1 .man.1m .man.5 .man.7 .man.8: echo Linking $<... $(RM) $@ diff --git a/README.txt b/README.txt index 10d723239..5fed8da52 100644 --- a/README.txt +++ b/README.txt @@ -1,4 +1,4 @@ -README - CUPS v1.4svn - 2008-01-02 +*README - CUPS v1.4svn - 2008-01-02 ---------------------------------- Looking for compile instructions? Read the file "INSTALL.txt" @@ -159,9 +159,6 @@ LEGAL STUFF The MD5 Digest code is Copyright 1999 Aladdin Enterprises. - The PDF filter (pdftops) is based on the Xpdf software, - Copyright 1996-2005 by Derek B. Noonburg. - This software is based in part on the work of the Independent JPEG Group. diff --git a/cgi-bin/ipp-var.c b/cgi-bin/ipp-var.c index 098d08630..8f8619127 100644 --- a/cgi-bin/ipp-var.c +++ b/cgi-bin/ipp-var.c @@ -595,6 +595,11 @@ cgiPrintTestPage(http_t *http, /* I - Connection to server */ snprintf(refresh, sizeof(refresh), "2;URL=%s", uri); cgiSetVariable("refresh_page", refresh); } + else if (cupsLastError() == IPP_NOT_AUTHORIZED) + { + puts("Status: 401\n"); + exit(0); + } cgiStartHTML(cgiText(_("Print Test Page"))); diff --git a/cgi-bin/jobs.c b/cgi-bin/jobs.c index 20a541727..41d58a038 100644 --- a/cgi-bin/jobs.c +++ b/cgi-bin/jobs.c @@ -3,7 +3,7 @@ * * Job status CGI for the Common UNIX Printing System (CUPS). * - * Copyright 2007 by Apple Inc. + * Copyright 2007-2008 by Apple Inc. * Copyright 1997-2006 by Easy Software Products. * * These coded instructions, statements, and computer programs are the @@ -185,6 +185,11 @@ do_job_op(http_t *http, /* I - HTTP connection */ cgiFormEncode(url + 6, getenv("HTTP_REFERER"), sizeof(url) - 6); cgiSetVariable("refresh_page", url); } + else if (cupsLastError() == IPP_NOT_AUTHORIZED) + { + puts("Status: 401\n"); + exit(0); + } cgiStartHTML(cgiText(_("Jobs"))); diff --git a/cgi-bin/printers.c b/cgi-bin/printers.c index 82e19a16f..0d817f75e 100644 --- a/cgi-bin/printers.c +++ b/cgi-bin/printers.c @@ -3,7 +3,7 @@ * * Printer status CGI for the Common UNIX Printing System (CUPS). * - * Copyright 2007 by Apple Inc. + * Copyright 2007-2008 by Apple Inc. * Copyright 1997-2006 by Easy Software Products. * * These coded instructions, statements, and computer programs are the @@ -280,6 +280,11 @@ print_command(http_t *http, /* I - Connection to server */ snprintf(refresh, sizeof(refresh), "2;URL=%s", uri); cgiSetVariable("refresh_page", refresh); } + else if (cupsLastError() == IPP_NOT_AUTHORIZED) + { + puts("Status: 401\n"); + exit(0); + } cgiStartHTML(cgiText(_("Printer Maintenance"))); diff --git a/config-scripts/cups-common.m4 b/config-scripts/cups-common.m4 index a23014309..dcd126655 100644 --- a/config-scripts/cups-common.m4 +++ b/config-scripts/cups-common.m4 @@ -3,7 +3,7 @@ dnl "$Id: cups-common.m4 6964 2007-09-17 21:33:57Z mike $" dnl dnl Common configuration stuff for the Common UNIX Printing System (CUPS). dnl -dnl Copyright 2007 by Apple Inc. +dnl Copyright 2007-2008 by Apple Inc. dnl Copyright 1997-2007 by Easy Software Products, all rights reserved. dnl dnl These coded instructions, statements, and computer programs are the @@ -34,13 +34,11 @@ AC_DEFINE_UNQUOTED(CUPS_MINIMAL, "CUPS/$CUPS_VERSION$CUPS_REVISION") dnl Default compiler flags... CFLAGS="${CFLAGS:=}" CPPFLAGS="${CPPFLAGS:=}" -CXXFLAGS="${CXXFLAGS:=}" LDFLAGS="${LDFLAGS:=}" dnl Checks for programs... AC_PROG_AWK AC_PROG_CC -AC_PROG_CXX AC_PROG_CPP AC_PROG_INSTALL if test "$INSTALL" = "$ac_install_sh"; then @@ -64,9 +62,6 @@ fi if test "x$CC" = x; then AC_MSG_ERROR([Unable to find required C compiler command.]) fi -if test "x$CXX" = x; then - AC_MSG_ERROR([Unable to find required C++ compiler command.]) -fi dnl Static library option... INSTALLSTATIC="" diff --git a/config-scripts/cups-compiler.m4 b/config-scripts/cups-compiler.m4 index f3e369acb..0414f200e 100644 --- a/config-scripts/cups-compiler.m4 +++ b/config-scripts/cups-compiler.m4 @@ -3,7 +3,7 @@ dnl "$Id: cups-compiler.m4 6975 2007-09-18 20:37:09Z mike $" dnl dnl Compiler stuff for the Common UNIX Printing System (CUPS). dnl -dnl Copyright 2007 by Apple Inc. +dnl Copyright 2007-2008 by Apple Inc. dnl Copyright 1997-2007 by Easy Software Products, all rights reserved. dnl dnl These coded instructions, statements, and computer programs are the @@ -60,9 +60,6 @@ dnl Read-only data/program support on Linux... AC_ARG_ENABLE(relro, [ --enable-relro use GCC relro option, default=no]) dnl Update compiler options... -CXXLIBS="" -AC_SUBST(CXXLIBS) - PIEFLAGS="" AC_SUBST(PIEFLAGS) @@ -313,9 +310,6 @@ else fi CFLAGS="-Ae $CFLAGS" - # Warning 336 is "empty translation unit" - # Warning 829 is passing constant string as char * - CXXFLAGS="+W336,829 $CXXFLAGS" if test $PICFLAG = 1; then OPTIM="+z $OPTIM" @@ -487,8 +481,8 @@ else # cups-support@cups.org... echo "Building CUPS with default compiler optimizations; contact" echo "cups-bugs@cups.org with uname and compiler options needed" - echo "for your platform, or set the CFLAGS and CXXFLAGS" - echo "environment variable before running configure." + echo "for your platform, or set the CFLAGS and LDFLAGS environment" + echo "variables before running configure." ;; esac fi diff --git a/config-scripts/cups-dnssd.m4 b/config-scripts/cups-dnssd.m4 index fd8270048..eaab2c194 100644 --- a/config-scripts/cups-dnssd.m4 +++ b/config-scripts/cups-dnssd.m4 @@ -7,7 +7,7 @@ dnl http://www.dns-sd.org dnl http://www.multicastdns.org/ dnl http://developer.apple.com/networking/bonjour/ dnl -dnl Copyright 2007 by Apple Inc. +dnl Copyright 2007-2008 by Apple Inc. dnl dnl These coded instructions, statements, and computer programs are the dnl property of Apple Inc. and are protected by Federal copyright @@ -22,7 +22,6 @@ AC_ARG_WITH(dnssd-libs, [ --with-dnssd-libs set directory for DNS Service DSOFLAGS="-L$withval $DSOFLAGS",) AC_ARG_WITH(dnssd-includes, [ --with-dnssd-includes set directory for DNS Service Discovery includes], CFLAGS="-I$withval $CFLAGS" - CXXFLAGS="-I$withval $CXXFLAGS" CPPFLAGS="-I$withval $CPPFLAGS",) DNSSDLIBS="" diff --git a/config-scripts/cups-ldap.m4 b/config-scripts/cups-ldap.m4 index 153c0dca6..14fd549d8 100644 --- a/config-scripts/cups-ldap.m4 +++ b/config-scripts/cups-ldap.m4 @@ -3,7 +3,7 @@ dnl "$Id: cups-ldap.m4 6649 2007-07-11 21:46:42Z mike $" dnl dnl LDAP configuration stuff for the Common UNIX Printing System (CUPS). dnl -dnl Copyright 2007 by Apple Inc. +dnl Copyright 2007-2008 by Apple Inc. dnl Copyright 2003-2006 by Easy Software Products, all rights reserved. dnl dnl These coded instructions, statements, and computer programs are the @@ -20,7 +20,6 @@ AC_ARG_WITH(openldap-libs, [ --with-openldap-libs set directory for OpenLDAP AC_ARG_WITH(openldap-includes, [ --with-openldap-includes set directory for OpenLDAP includes], CFLAGS="-I$withval $CFLAGS" - CXXFLAGS="-I$withval $CXXFLAGS" CPPFLAGS="-I$withval $CPPFLAGS",) LIBLDAP="" diff --git a/config-scripts/cups-slp.m4 b/config-scripts/cups-slp.m4 index 60141d49a..cbeb48527 100644 --- a/config-scripts/cups-slp.m4 +++ b/config-scripts/cups-slp.m4 @@ -3,7 +3,7 @@ dnl "$Id: cups-slp.m4 6649 2007-07-11 21:46:42Z mike $" dnl dnl OpenSLP configuration stuff for the Common UNIX Printing System (CUPS). dnl -dnl Copyright 2007 by Apple Inc. +dnl Copyright 2007-2008 by Apple Inc. dnl Copyright 1997-2005 by Easy Software Products, all rights reserved. dnl dnl These coded instructions, statements, and computer programs are the @@ -19,7 +19,6 @@ AC_ARG_WITH(openslp-libs, [ --with-openslp-libs set directory for OpenSLP l DSOFLAGS="-L$withval $DSOFLAGS",) AC_ARG_WITH(openslp-includes, [ --with-openslp-includes set directory for OpenSLP includes], CFLAGS="-I$withval $CFLAGS" - CXXFLAGS="-I$withval $CXXFLAGS" CPPFLAGS="-I$withval $CPPFLAGS",) LIBSLP="" diff --git a/config-scripts/cups-ssl.m4 b/config-scripts/cups-ssl.m4 index b239bbaaf..cacf94bef 100644 --- a/config-scripts/cups-ssl.m4 +++ b/config-scripts/cups-ssl.m4 @@ -3,7 +3,7 @@ dnl "$Id: cups-ssl.m4 6649 2007-07-11 21:46:42Z mike $" dnl dnl OpenSSL/GNUTLS stuff for the Common UNIX Printing System (CUPS). dnl -dnl Copyright 2007 by Apple Inc. +dnl Copyright 2007-2008 by Apple Inc. dnl Copyright 1997-2007 by Easy Software Products, all rights reserved. dnl dnl These coded instructions, statements, and computer programs are the @@ -22,7 +22,6 @@ AC_ARG_WITH(openssl-libs, [ --with-openssl-libs set directory for OpenSSL l DSOFLAGS="-L$withval $DSOFLAGS",) AC_ARG_WITH(openssl-includes, [ --with-openssl-includes set directory for OpenSSL includes], CFLAGS="-I$withval $CFLAGS" - CXXFLAGS="-I$withval $CXXFLAGS" CPPFLAGS="-I$withval $CPPFLAGS",) SSLFLAGS="" diff --git a/cups/versioning.h b/cups/versioning.h index cdb2308f4..659d55bef 100644 --- a/cups/versioning.h +++ b/cups/versioning.h @@ -71,7 +71,7 @@ # define _CUPS_API_1_2 # define _CUPS_API_1_3 # define _CUPS_API_1_4 -# endif /* __APPLE__ */ +# endif /* __APPLE__ && !_CUPS_SOURCE */ /* * With GCC 3.0 and higher, we can mark old APIs "deprecated" so you get diff --git a/scheduler/auth.c b/scheduler/auth.c index 5b2dd3e96..d6c128293 100644 --- a/scheduler/auth.c +++ b/scheduler/auth.c @@ -265,7 +265,7 @@ cupsdAllowHost(cupsd_location_t *loc, /* I - Location to add to */ * Allow *interface*... */ - temp->type = AUTH_INTERFACE; + temp->type = CUPSD_AUTH_INTERFACE; temp->mask.name.name = strdup("*"); temp->mask.name.length = 1; } @@ -285,7 +285,7 @@ cupsdAllowHost(cupsd_location_t *loc, /* I - Location to add to */ *ifptr = '\0'; } - temp->type = AUTH_INTERFACE; + temp->type = CUPSD_AUTH_INTERFACE; temp->mask.name.name = strdup(ifname); temp->mask.name.length = ifptr - ifname; } @@ -295,7 +295,7 @@ cupsdAllowHost(cupsd_location_t *loc, /* I - Location to add to */ * Allow name... */ - temp->type = AUTH_NAME; + temp->type = CUPSD_AUTH_NAME; temp->mask.name.name = strdup(name); temp->mask.name.length = strlen(name); } @@ -324,7 +324,7 @@ cupsdAllowIP(cupsd_location_t *loc, /* I - Location to add to */ if ((temp = add_allow(loc)) == NULL) return; - temp->type = AUTH_IP; + temp->type = CUPSD_AUTH_IP; memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address)); memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask)); } @@ -371,15 +371,15 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ */ con->best = cupsdFindBest(con->uri, con->http.state); - con->type = AUTH_NONE; + con->type = CUPSD_AUTH_NONE; cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAuthorize: con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location : ""); - if (con->best && con->best->type != AUTH_NONE) + if (con->best && con->best->type != CUPSD_AUTH_NONE) { - if (con->best->type == AUTH_DEFAULT) + if (con->best->type == CUPSD_AUTH_DEFAULT) type = DefaultAuthType; else type = con->best->type; @@ -471,7 +471,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ AuthorizationFreeItemSet(authinfo); - con->type = AUTH_BASIC; + con->type = CUPSD_AUTH_BASIC; } #endif /* HAVE_AUTHORIZATION_H */ #if defined(SO_PEERCRED) && defined(AF_LOCAL) @@ -528,7 +528,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ "cupsdAuthorize: Authorized as %s using PeerCred", username); - con->type = AUTH_BASIC; + con->type = CUPSD_AUTH_BASIC; } #endif /* SO_PEERCRED && AF_LOCAL */ else if (!strncmp(authorization, "Local", 5) && @@ -558,7 +558,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ return; } - con->type = AUTH_BASIC; + con->type = CUPSD_AUTH_BASIC; } else if (!strncmp(authorization, "Basic", 5)) { @@ -620,7 +620,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ switch (type) { default : - case AUTH_BASIC : + case CUPSD_AUTH_BASIC : { #if HAVE_LIBPAM /* @@ -827,7 +827,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ username); break; - case AUTH_BASICDIGEST : + case CUPSD_AUTH_BASICDIGEST : /* * Do Basic authentication with the Digest password file... */ @@ -931,7 +931,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ "cupsdAuthorize: Authorized as %s using Digest", username); - con->type = AUTH_DIGEST; + con->type = CUPSD_AUTH_DIGEST; } #ifdef HAVE_GSSAPI else if (!strncmp(authorization, "Negotiate", 9)) @@ -1072,7 +1072,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ con->gss_have_creds = 1; - con->type = AUTH_NEGOTIATE; + con->type = CUPSD_AUTH_NEGOTIATE; } else gss_release_name(&minor_status, &client_name); @@ -1137,7 +1137,7 @@ cupsdCheckAccess( allow = 0; /* anti-compiler-warning-code */ break; - case AUTH_ALLOW : /* Order Deny,Allow */ + case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */ allow = 1; if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny)) @@ -1147,7 +1147,7 @@ cupsdCheckAccess( allow = 1; break; - case AUTH_DENY : /* Order Allow,Deny */ + case CUPSD_AUTH_DENY : /* Order Allow,Deny */ allow = 0; if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow)) @@ -1186,7 +1186,7 @@ cupsdCheckAuth( { switch (masks->type) { - case AUTH_INTERFACE : + case CUPSD_AUTH_INTERFACE : /* * Check for a match with a network interface... */ @@ -1294,7 +1294,7 @@ cupsdCheckAuth( } break; - case AUTH_NAME : + case CUPSD_AUTH_NAME : /* * Check for exact name match... */ @@ -1313,7 +1313,7 @@ cupsdCheckAuth( return (1); break; - case AUTH_IP : + case CUPSD_AUTH_IP : /* * Check for IP/network address match... */ @@ -1504,7 +1504,7 @@ cupsdCopyLocation( for (i = 0; i < temp->num_allow; i ++) switch (temp->allow[i].type = (*loc)->allow[i].type) { - case AUTH_NAME : + case CUPSD_AUTH_NAME : temp->allow[i].mask.name.length = (*loc)->allow[i].mask.name.length; temp->allow[i].mask.name.name = strdup((*loc)->allow[i].mask.name.name); @@ -1517,7 +1517,7 @@ cupsdCopyLocation( return (NULL); } break; - case AUTH_IP : + case CUPSD_AUTH_IP : memcpy(&(temp->allow[i].mask.ip), &((*loc)->allow[i].mask.ip), sizeof(cupsd_ipmask_t)); break; @@ -1542,7 +1542,7 @@ cupsdCopyLocation( for (i = 0; i < temp->num_deny; i ++) switch (temp->deny[i].type = (*loc)->deny[i].type) { - case AUTH_NAME : + case CUPSD_AUTH_NAME : temp->deny[i].mask.name.length = (*loc)->deny[i].mask.name.length; temp->deny[i].mask.name.name = strdup((*loc)->deny[i].mask.name.name); @@ -1555,7 +1555,7 @@ cupsdCopyLocation( return (NULL); } break; - case AUTH_IP : + case CUPSD_AUTH_IP : memcpy(&(temp->deny[i].mask.ip), &((*loc)->deny[i].mask.ip), sizeof(cupsd_ipmask_t)); break; @@ -1615,14 +1615,14 @@ cupsdDeleteLocation( free(loc->names); for (i = loc->num_allow, mask = loc->allow; i > 0; i --, mask ++) - if (mask->type == AUTH_NAME || mask->type == AUTH_INTERFACE) + if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE) free(mask->mask.name.name); if (loc->num_allow > 0) free(loc->allow); for (i = loc->num_deny, mask = loc->deny; i > 0; i --, mask ++) - if (mask->type == AUTH_NAME || mask->type == AUTH_INTERFACE) + if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE) free(mask->mask.name.name); if (loc->num_deny > 0) @@ -1659,7 +1659,7 @@ cupsdDenyHost(cupsd_location_t *loc, /* I - Location to add to */ * Deny *interface*... */ - temp->type = AUTH_INTERFACE; + temp->type = CUPSD_AUTH_INTERFACE; temp->mask.name.name = strdup("*"); temp->mask.name.length = 1; } @@ -1679,7 +1679,7 @@ cupsdDenyHost(cupsd_location_t *loc, /* I - Location to add to */ *ifptr = '\0'; } - temp->type = AUTH_INTERFACE; + temp->type = CUPSD_AUTH_INTERFACE; temp->mask.name.name = strdup(ifname); temp->mask.name.length = ifptr - ifname; } @@ -1689,7 +1689,7 @@ cupsdDenyHost(cupsd_location_t *loc, /* I - Location to add to */ * Deny name... */ - temp->type = AUTH_NAME; + temp->type = CUPSD_AUTH_NAME; temp->mask.name.name = strdup(name); temp->mask.name.length = strlen(name); } @@ -1718,7 +1718,7 @@ cupsdDenyIP(cupsd_location_t *loc, /* I - Location to add to */ if ((temp = add_deny(loc)) == NULL) return; - temp->type = AUTH_IP; + temp->type = CUPSD_AUTH_IP; memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address)); memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask)); } @@ -1739,22 +1739,22 @@ cupsdFindBest(const char *path, /* I - Resource path */ *best; /* Best match for location so far */ int bestlen; /* Length of best match */ int limit; /* Limit field */ - static const int limits[] = /* Map http_status_t to AUTH_LIMIT_xyz */ + static const int limits[] = /* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */ { - AUTH_LIMIT_ALL, - AUTH_LIMIT_OPTIONS, - AUTH_LIMIT_GET, - AUTH_LIMIT_GET, - AUTH_LIMIT_HEAD, - AUTH_LIMIT_POST, - AUTH_LIMIT_POST, - AUTH_LIMIT_POST, - AUTH_LIMIT_PUT, - AUTH_LIMIT_PUT, - AUTH_LIMIT_DELETE, - AUTH_LIMIT_TRACE, - AUTH_LIMIT_ALL, - AUTH_LIMIT_ALL + CUPSD_AUTH_LIMIT_ALL, + CUPSD_AUTH_LIMIT_OPTIONS, + CUPSD_AUTH_LIMIT_GET, + CUPSD_AUTH_LIMIT_GET, + CUPSD_AUTH_LIMIT_HEAD, + CUPSD_AUTH_LIMIT_POST, + CUPSD_AUTH_LIMIT_POST, + CUPSD_AUTH_LIMIT_POST, + CUPSD_AUTH_LIMIT_PUT, + CUPSD_AUTH_LIMIT_PUT, + CUPSD_AUTH_LIMIT_DELETE, + CUPSD_AUTH_LIMIT_TRACE, + CUPSD_AUTH_LIMIT_ALL, + CUPSD_AUTH_LIMIT_ALL }; @@ -1914,16 +1914,16 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ best = con->best; - if ((type = best->type) == AUTH_DEFAULT) + if ((type = best->type) == CUPSD_AUTH_DEFAULT) type = DefaultAuthType; cupsdLogMessage(CUPSD_LOG_DEBUG2, - "cupsdIsAuthorized: level=AUTH_%s, type=%s, " - "satisfy=AUTH_SATISFY_%s, num_names=%d", + "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, " + "satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d", levels[best->level], types[type], best->satisfy ? "ANY" : "ALL", best->num_names); - if (best->limit == AUTH_LIMIT_IPP) + if (best->limit == CUPSD_AUTH_LIMIT_IPP) cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)", best->op, ippOpString(best->op)); @@ -1962,12 +1962,12 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ hostlen = strlen(con->http.hostname); auth = cupsdCheckAccess(address, con->http.hostname, hostlen, best) - ? AUTH_ALLOW : AUTH_DENY; + ? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY; - cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=AUTH_%s...", + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...", auth ? "DENY" : "ALLOW"); - if (auth == AUTH_DENY && best->satisfy == AUTH_SATISFY_ALL) + if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL) return (HTTP_FORBIDDEN); #ifdef HAVE_SSL @@ -1977,9 +1977,9 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls && strcasecmp(con->http.hostname, "localhost") && - best->satisfy == AUTH_SATISFY_ALL) && - !(type == AUTH_NEGOTIATE || - (type == AUTH_NONE && DefaultAuthType == AUTH_NEGOTIATE))) + best->satisfy == CUPSD_AUTH_SATISFY_ALL) && + !(type == CUPSD_AUTH_NEGOTIATE || + (type == CUPSD_AUTH_NONE && DefaultAuthType == CUPSD_AUTH_NEGOTIATE))) { cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: Need upgrade to TLS..."); @@ -1991,12 +1991,12 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ * Now see what access level is required... */ - if (best->level == AUTH_ANON || /* Anonymous access - allow it */ - (type == AUTH_NONE && best->num_names == 0)) + if (best->level == CUPSD_AUTH_ANON || /* Anonymous access - allow it */ + (type == CUPSD_AUTH_NONE && best->num_names == 0)) return (HTTP_OK); - if (!con->username[0] && type == AUTH_NONE && - best->limit == AUTH_LIMIT_IPP) + if (!con->username[0] && type == CUPSD_AUTH_NONE && + best->limit == CUPSD_AUTH_LIMIT_IPP) { /* * Check for unauthenticated username... @@ -2013,7 +2013,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ attr->values[0].string.text); strlcpy(username, attr->values[0].string.text, sizeof(username)); } - else if (best->satisfy == AUTH_SATISFY_ALL || auth == AUTH_DENY) + else if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY) return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */ else return (HTTP_OK); /* unless overridden with Satisfy */ @@ -2029,14 +2029,14 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ if (!con->username[0]) #endif /* HAVE_AUTHORIZATION_H */ { - if (best->satisfy == AUTH_SATISFY_ALL || auth == AUTH_DENY) + if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY) return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */ else return (HTTP_OK); /* unless overridden with Satisfy */ } - if (con->type != type && type != AUTH_NONE && - (con->type != AUTH_BASIC || type != AUTH_BASICDIGEST)) + if (con->type != type && type != CUPSD_AUTH_NONE && + (con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST)) { cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s!", types[con->type], types[type]); @@ -2084,7 +2084,7 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ else pw = NULL; - if (best->level == AUTH_USER) + if (best->level == CUPSD_AUTH_USER) { /* * If there are no names associated with this location, then diff --git a/scheduler/auth.h b/scheduler/auth.h index 6e00a1939..e1434400b 100644 --- a/scheduler/auth.h +++ b/scheduler/auth.h @@ -25,36 +25,36 @@ * HTTP authorization types and levels... */ -#define AUTH_DEFAULT -1 /* Use DefaultAuthType */ -#define AUTH_NONE 0 /* No authentication */ -#define AUTH_BASIC 1 /* Basic authentication */ -#define AUTH_DIGEST 2 /* Digest authentication */ -#define AUTH_BASICDIGEST 3 /* Basic authentication w/passwd.md5 */ -#define AUTH_NEGOTIATE 4 /* Kerberos authentication */ - -#define AUTH_ANON 0 /* Anonymous access */ -#define AUTH_USER 1 /* Must have a valid username/password */ -#define AUTH_GROUP 2 /* Must also be in a named group */ - -#define AUTH_ALLOW 0 /* Allow access */ -#define AUTH_DENY 1 /* Deny access */ - -#define AUTH_NAME 0 /* Authorize host by name */ -#define AUTH_IP 1 /* Authorize host by IP */ -#define AUTH_INTERFACE 2 /* Authorize host by interface */ - -#define AUTH_SATISFY_ALL 0 /* Satisfy both address and auth */ -#define AUTH_SATISFY_ANY 1 /* Satisfy either address or auth */ - -#define AUTH_LIMIT_DELETE 1 /* Limit DELETE requests */ -#define AUTH_LIMIT_GET 2 /* Limit GET requests */ -#define AUTH_LIMIT_HEAD 4 /* Limit HEAD requests */ -#define AUTH_LIMIT_OPTIONS 8 /* Limit OPTIONS requests */ -#define AUTH_LIMIT_POST 16 /* Limit POST requests */ -#define AUTH_LIMIT_PUT 32 /* Limit PUT requests */ -#define AUTH_LIMIT_TRACE 64 /* Limit TRACE requests */ -#define AUTH_LIMIT_ALL 127 /* Limit all requests */ -#define AUTH_LIMIT_IPP 128 /* Limit IPP requests */ +#define CUPSD_AUTH_DEFAULT -1 /* Use DefaultAuthType */ +#define CUPSD_AUTH_NONE 0 /* No authentication */ +#define CUPSD_AUTH_BASIC 1 /* Basic authentication */ +#define CUPSD_AUTH_DIGEST 2 /* Digest authentication */ +#define CUPSD_AUTH_BASICDIGEST 3 /* Basic authentication w/passwd.md5 */ +#define CUPSD_AUTH_NEGOTIATE 4 /* Kerberos authentication */ + +#define CUPSD_AUTH_ANON 0 /* Anonymous access */ +#define CUPSD_AUTH_USER 1 /* Must have a valid username/password */ +#define CUPSD_AUTH_GROUP 2 /* Must also be in a named group */ + +#define CUPSD_AUTH_ALLOW 0 /* Allow access */ +#define CUPSD_AUTH_DENY 1 /* Deny access */ + +#define CUPSD_AUTH_NAME 0 /* Authorize host by name */ +#define CUPSD_AUTH_IP 1 /* Authorize host by IP */ +#define CUPSD_AUTH_INTERFACE 2 /* Authorize host by interface */ + +#define CUPSD_AUTH_SATISFY_ALL 0 /* Satisfy both address and auth */ +#define CUPSD_AUTH_SATISFY_ANY 1 /* Satisfy either address or auth */ + +#define CUPSD_AUTH_LIMIT_DELETE 1 /* Limit DELETE requests */ +#define CUPSD_AUTH_LIMIT_GET 2 /* Limit GET requests */ +#define CUPSD_AUTH_LIMIT_HEAD 4 /* Limit HEAD requests */ +#define CUPSD_AUTH_LIMIT_OPTIONS 8 /* Limit OPTIONS requests */ +#define CUPSD_AUTH_LIMIT_POST 16 /* Limit POST requests */ +#define CUPSD_AUTH_LIMIT_PUT 32 /* Limit PUT requests */ +#define CUPSD_AUTH_LIMIT_TRACE 64 /* Limit TRACE requests */ +#define CUPSD_AUTH_LIMIT_ALL 127 /* Limit all requests */ +#define CUPSD_AUTH_LIMIT_IPP 128 /* Limit IPP requests */ #define IPP_ANY_OPERATION (ipp_op_t)0 /* Any IPP operation */ @@ -116,7 +116,7 @@ typedef struct cupsd_client_s cupsd_client_t; VAR cups_array_t *Locations VALUE(NULL); /* Authorization locations */ -VAR int DefaultAuthType VALUE(AUTH_BASIC); +VAR int DefaultAuthType VALUE(CUPSD_AUTH_BASIC); /* Default AuthType, if not specified */ #ifdef HAVE_SSL VAR http_encryption_t DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED); diff --git a/scheduler/cert.c b/scheduler/cert.c index 77f23b7de..665595632 100644 --- a/scheduler/cert.c +++ b/scheduler/cert.c @@ -4,7 +4,7 @@ * Authentication certificate routines for the Common UNIX * Printing System (CUPS). * - * Copyright 2007 by Apple Inc. + * Copyright 2007-2008 by Apple Inc. * Copyright 1997-2006 by Easy Software Products. * * These coded instructions, statements, and computer programs are the @@ -42,7 +42,8 @@ void cupsdAddCert(int pid, /* I - Process ID */ - const char *username) /* I - Username */ + const char *username, /* I - Username */ + void *ccache) /* I - Kerberos credentials or NULL */ { int i; /* Looping var */ cupsd_cert_t *cert; /* Current certificate */ @@ -243,6 +244,16 @@ cupsdAddCert(int pid, /* I - Process ID */ write(fd, cert->certificate, strlen(cert->certificate)); close(fd); + /* + * Add Kerberos credentials as needed... + */ + +#ifdef HAVE_GSSAPI + cert->ccache = (krb5_ccache)ccache; +#else + (void)ccache; +#endif /* HAVE_GSSAPI */ + /* * Insert the certificate at the front of the list... */ @@ -282,6 +293,15 @@ cupsdDeleteCert(int pid) /* I - Process ID */ else prev->next = cert->next; +#ifdef HAVE_GSSAPI + /* + * Release Kerberos credentials as needed... + */ + + if (cert->ccache) + krb5_cc_destroy(KerberosContext, cert->ccache); +#endif /* HAVE_GSSAPI */ + free(cert); /* @@ -412,7 +432,7 @@ cupsdInitCerts(void) */ if (!RunUser) - cupsdAddCert(0, "root"); + cupsdAddCert(0, "root", NULL); } diff --git a/scheduler/cert.h b/scheduler/cert.h index 614017149..bac490ae6 100644 --- a/scheduler/cert.h +++ b/scheduler/cert.h @@ -4,7 +4,7 @@ * Authentication certificate definitions for the Common UNIX * Printing System (CUPS). * - * Copyright 2007 by Apple Inc. + * Copyright 2007-2008 by Apple Inc. * Copyright 1997-2005 by Easy Software Products. * * These coded instructions, statements, and computer programs are the @@ -24,6 +24,9 @@ typedef struct cupsd_cert_s int pid; /* Process ID (0 for root certificate) */ char certificate[33]; /* 32 hex characters, or 128 bits */ char username[33]; /* Authenticated username */ +#ifdef HAVE_GSSAPI + krb5_ccache ccache; /* Kerberos credential cache */ +#endif /* HAVE_GSSAPI */ } cupsd_cert_t; @@ -39,7 +42,8 @@ VAR time_t RootCertTime; /* Root certificate update time */ * Prototypes... */ -extern void cupsdAddCert(int pid, const char *username); +extern void cupsdAddCert(int pid, const char *username, + void *ccache); extern void cupsdDeleteCert(int pid); extern void cupsdDeleteAllCerts(void); extern const char *cupsdFindCert(const char *certificate); diff --git a/scheduler/client.c b/scheduler/client.c index 38e1c76f7..98e1b7cf0 100644 --- a/scheduler/client.c +++ b/scheduler/client.c @@ -853,7 +853,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ cupsdLogMessage(CUPSD_LOG_ERROR, "Bad request line \"%s\" from %s!", line, con->http.hostname); - cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE); + cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE); cupsdCloseClient(con); return; case 2 : @@ -865,7 +865,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ cupsdLogMessage(CUPSD_LOG_ERROR, "Bad request line \"%s\" from %s!", line, con->http.hostname); - cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE); + cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE); cupsdCloseClient(con); return; } @@ -880,7 +880,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ } else { - cupsdSendError(con, HTTP_NOT_SUPPORTED, AUTH_NONE); + cupsdSendError(con, HTTP_NOT_SUPPORTED, CUPSD_AUTH_NONE); cupsdCloseClient(con); return; } @@ -926,7 +926,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ cupsdLogMessage(CUPSD_LOG_ERROR, "Bad URI \"%s\" in request!", con->uri); - cupsdSendError(con, HTTP_METHOD_NOT_ALLOWED, AUTH_NONE); + cupsdSendError(con, HTTP_METHOD_NOT_ALLOWED, CUPSD_AUTH_NONE); cupsdCloseClient(con); return; } @@ -960,7 +960,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ else { cupsdLogMessage(CUPSD_LOG_ERROR, "Bad operation \"%s\"!", operation); - cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE); + cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE); cupsdCloseClient(con); return; } @@ -992,7 +992,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ if (status != HTTP_OK && status != HTTP_CONTINUE) { - cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE); + cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE); cupsdCloseClient(con); return; } @@ -1060,7 +1060,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * HTTP/1.1 and higher require the "Host:" field... */ - if (!cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1072,9 +1072,9 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Do OPTIONS command... */ - if (con->best && con->best->type != AUTH_NONE) + if (con->best && con->best->type != CUPSD_AUTH_NONE) { - if (!cupsdSendHeader(con, HTTP_UNAUTHORIZED, NULL, AUTH_NONE)) + if (!cupsdSendHeader(con, HTTP_UNAUTHORIZED, NULL, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1089,7 +1089,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Do encryption stuff... */ - if (!cupsdSendHeader(con, HTTP_SWITCHING_PROTOCOLS, NULL, AUTH_NONE)) + if (!cupsdSendHeader(con, HTTP_SWITCHING_PROTOCOLS, NULL, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1112,7 +1112,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ return; } #else - if (!cupsdSendError(con, HTTP_NOT_IMPLEMENTED, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_NOT_IMPLEMENTED, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1120,7 +1120,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ #endif /* HAVE_SSL */ } - if (!cupsdSendHeader(con, HTTP_OK, NULL, AUTH_NONE)) + if (!cupsdSendHeader(con, HTTP_OK, NULL, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1142,7 +1142,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Protect against malicious users! */ - if (!cupsdSendError(con, HTTP_FORBIDDEN, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1158,7 +1158,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Do encryption stuff... */ - if (!cupsdSendHeader(con, HTTP_SWITCHING_PROTOCOLS, NULL, AUTH_NONE)) + if (!cupsdSendHeader(con, HTTP_SWITCHING_PROTOCOLS, NULL, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1181,7 +1181,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ return; } #else - if (!cupsdSendError(con, HTTP_NOT_IMPLEMENTED, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_NOT_IMPLEMENTED, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1194,7 +1194,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdReadClient: Unauthorized request for %s...\n", con->uri); - cupsdSendError(con, status, AUTH_NONE); + cupsdSendError(con, status, CUPSD_AUTH_NONE); cupsdCloseClient(con); return; } @@ -1208,7 +1208,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Send 100-continue header... */ - if (!cupsdSendHeader(con, HTTP_CONTINUE, NULL, AUTH_NONE)) + if (!cupsdSendHeader(con, HTTP_CONTINUE, NULL, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1220,7 +1220,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Send 417-expectation-failed header... */ - if (!cupsdSendHeader(con, HTTP_EXPECTATION_FAILED, NULL, AUTH_NONE)) + if (!cupsdSendHeader(con, HTTP_EXPECTATION_FAILED, NULL, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1254,7 +1254,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ snprintf(con->uri, sizeof(con->uri), "/ppd/%s.ppd", p->name); else { - if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1326,7 +1326,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ if (!cupsdSendCommand(con, con->command, con->options, 0)) { - if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1350,7 +1350,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * /admin/conf... */ - if (!cupsdSendError(con, HTTP_FORBIDDEN, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1367,7 +1367,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ if ((filename = get_file(con, &filestats, buf, sizeof(buf))) == NULL) { - if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1387,7 +1387,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ if (!cupsdSendCommand(con, con->command, con->options, 0)) { - if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1403,7 +1403,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ if (!check_if_modified(con, &filestats)) { - if (!cupsdSendError(con, HTTP_NOT_MODIFIED, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_NOT_MODIFIED, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1443,7 +1443,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Request too large... */ - if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1457,7 +1457,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Negative content lengths are invalid! */ - if (!cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1552,7 +1552,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ if ((filename = get_file(con, &filestats, buf, sizeof(buf))) == NULL) { - if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1569,7 +1569,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Only POST to CGI's... */ - if (!cupsdSendError(con, HTTP_UNAUTHORIZED, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_UNAUTHORIZED, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1592,7 +1592,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * /admin/conf... */ - if (!cupsdSendError(con, HTTP_FORBIDDEN, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1618,7 +1618,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Request too large... */ - if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1632,7 +1632,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Negative content lengths are invalid! */ - if (!cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1655,7 +1655,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ "Unable to create request file %s: %s", con->filename, strerror(errno)); - if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1673,7 +1673,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ case HTTP_DELETE : case HTTP_TRACE : - cupsdSendError(con, HTTP_NOT_IMPLEMENTED, AUTH_NONE); + cupsdSendError(con, HTTP_NOT_IMPLEMENTED, CUPSD_AUTH_NONE); cupsdCloseClient(con); return; @@ -1692,7 +1692,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ snprintf(con->uri, sizeof(con->uri), "/ppd/%s.ppd", p->name); else { - if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1714,7 +1714,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * CGI output... */ - if (!cupsdSendHeader(con, HTTP_OK, "text/html", AUTH_NONE)) + if (!cupsdSendHeader(con, HTTP_OK, "text/html", CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1746,7 +1746,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * /admin/conf... */ - if (!cupsdSendError(con, HTTP_FORBIDDEN, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_FORBIDDEN, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1757,7 +1757,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ else if ((filename = get_file(con, &filestats, buf, sizeof(buf))) == NULL) { - if (!cupsdSendHeader(con, HTTP_NOT_FOUND, "text/html", AUTH_NONE)) + if (!cupsdSendHeader(con, HTTP_NOT_FOUND, "text/html", CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1767,7 +1767,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ } else if (!check_if_modified(con, &filestats)) { - if (!cupsdSendError(con, HTTP_NOT_MODIFIED, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_NOT_MODIFIED, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1787,7 +1787,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ else snprintf(line, sizeof(line), "%s/%s", type->super, type->type); - if (!cupsdSendHeader(con, HTTP_OK, line, AUTH_NONE)) + if (!cupsdSendHeader(con, HTTP_OK, line, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1876,7 +1876,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ unlink(con->filename); cupsdClearString(&con->filename); - if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1916,7 +1916,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ unlink(con->filename); cupsdClearString(&con->filename); - if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1933,7 +1933,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ * Return the status to the client... */ - if (!cupsdSendError(con, status, AUTH_NONE)) + if (!cupsdSendError(con, status, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -1964,7 +1964,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ "cupsdReadClient: %d IPP Read Error!", con->http.fd); - cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE); + cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE); cupsdCloseClient(con); return; } @@ -1972,7 +1972,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ { if (con->http.state == HTTP_POST_SEND) { - cupsdSendError(con, HTTP_BAD_REQUEST, AUTH_NONE); + cupsdSendError(con, HTTP_BAD_REQUEST, CUPSD_AUTH_NONE); cupsdCloseClient(con); return; } @@ -1998,7 +1998,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ "Unable to create request file %s: %s", con->filename, strerror(errno)); - if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -2043,7 +2043,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ unlink(con->filename); cupsdClearString(&con->filename); - if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -2099,7 +2099,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ con->request = NULL; } - if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_REQUEST_TOO_LARGE, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -2110,7 +2110,7 @@ cupsdReadClient(cupsd_client_t *con) /* I - Client to read from */ { if (!cupsdSendCommand(con, con->command, con->options, 0)) { - if (!cupsdSendError(con, HTTP_NOT_FOUND, AUTH_NONE)) + if (!cupsdSendError(con, HTTP_NOT_FOUND, CUPSD_AUTH_NONE)) { cupsdCloseClient(con); return; @@ -2250,7 +2250,7 @@ cupsdSendError(cupsd_client_t *con, /* I - Connection */ * never disable it in that case. */ - if (code >= HTTP_BAD_REQUEST && con->http.auth_type != AUTH_NEGOTIATE) + if (code >= HTTP_BAD_REQUEST && con->http.auth_type != CUPSD_AUTH_NEGOTIATE) con->http.keep_alive = HTTP_KEEPALIVE_OFF; /* @@ -2412,9 +2412,9 @@ cupsdSendHeader( if (code == HTTP_UNAUTHORIZED) { - if (auth_type == AUTH_NONE) + if (auth_type == CUPSD_AUTH_NONE) { - if (!con->best || con->best->type <= AUTH_NONE) + if (!con->best || con->best->type <= CUPSD_AUTH_NONE) auth_type = DefaultAuthType; else auth_type = con->best->type; @@ -2422,18 +2422,18 @@ cupsdSendHeader( auth_str[0] = '\0'; - if (auth_type == AUTH_BASIC || auth_type == AUTH_BASICDIGEST) + if (auth_type == CUPSD_AUTH_BASIC || auth_type == CUPSD_AUTH_BASICDIGEST) strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str)); - else if (auth_type == AUTH_DIGEST) + else if (auth_type == CUPSD_AUTH_DIGEST) snprintf(auth_str, sizeof(auth_str), "Digest realm=\"CUPS\", nonce=\"%s\"", con->http.hostname); #ifdef HAVE_GSSAPI - else if (auth_type == AUTH_NEGOTIATE && con->gss_output_token.length == 0) + else if (auth_type == CUPSD_AUTH_NEGOTIATE && con->gss_output_token.length == 0) strlcpy(auth_str, "Negotiate", sizeof(auth_str)); #endif /* HAVE_GSSAPI */ #ifdef HAVE_AUTHORIZATION_H - if (con->best && auth_type != AUTH_NEGOTIATE) + if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE) { int i; /* Looping var */ char *auth_key; /* Auth key buffer */ @@ -2637,7 +2637,7 @@ cupsdWriteClient(cupsd_client_t *con) /* I - Client connection */ if (!strncasecmp(buf, "Location:", 9)) { - cupsdSendHeader(con, HTTP_SEE_OTHER, NULL, AUTH_NONE); + cupsdSendHeader(con, HTTP_SEE_OTHER, NULL, CUPSD_AUTH_NONE); con->sent_header = 2; if (httpPrintf(HTTP(con), "Content-Length: 0\r\n") < 0) @@ -2645,12 +2645,12 @@ cupsdWriteClient(cupsd_client_t *con) /* I - Client connection */ } else if (!strncasecmp(buf, "Status:", 7)) { - cupsdSendError(con, (http_status_t)atoi(buf + 7), AUTH_NONE); + cupsdSendError(con, (http_status_t)atoi(buf + 7), CUPSD_AUTH_NONE); con->sent_header = 2; } else { - cupsdSendHeader(con, HTTP_OK, NULL, AUTH_NONE); + cupsdSendHeader(con, HTTP_OK, NULL, CUPSD_AUTH_NONE); con->sent_header = 1; if (con->http.version == HTTP_1_1) @@ -4241,7 +4241,7 @@ pipe_command(cupsd_client_t *con, /* I - Client connection */ char argbuf[10240], /* Argument buffer */ *argv[100], /* Argument strings */ *envp[MAX_ENV + 20]; /* Environment variables */ - char auth_type[256], /* AUTH_TYPE environment variable */ + char auth_type[256], /* CUPSD_AUTH_TYPE environment variable */ content_length[1024], /* CONTENT_LENGTH environment variable */ content_type[1024], /* CONTENT_TYPE environment variable */ http_cookie[32768], /* HTTP_COOKIE environment variable */ @@ -4257,6 +4257,10 @@ pipe_command(cupsd_client_t *con, /* I - Client connection */ server_name[1024], /* SERVER_NAME environment variable */ server_port[1024]; /* SERVER_PORT environment variable */ ipp_attribute_t *attr; /* attributes-natural-language attribute */ +#ifdef HAVE_GSSAPI + krb5_ccache ccache = NULL; /* Kerberos credentials */ + char krb5ccname[1024]; /* KRB5CCNAME environment variable */ +#endif /* HAVE_GSSAPI */ /* @@ -4383,7 +4387,7 @@ pipe_command(cupsd_client_t *con, /* I - Client connection */ if (con->username[0]) { - snprintf(auth_type, sizeof(auth_type), "AUTH_TYPE=%s", + snprintf(auth_type, sizeof(auth_type), "CUPSD_AUTH_TYPE=%s", httpGetField(HTTP(con), HTTP_FIELD_AUTHORIZATION)); if ((uriptr = strchr(auth_type + 10, ' ')) != NULL) @@ -4476,6 +4480,120 @@ pipe_command(cupsd_client_t *con, /* I - Client connection */ snprintf(remote_user, sizeof(remote_user), "REMOTE_USER=%s", con->username); envp[envc ++] = remote_user; + + /* + * Save Kerberos credentials, if any... + */ + +#ifdef HAVE_GSSAPI + if (con->gss_have_creds) + { +# if !defined(HAVE_KRB5_CC_NEW_UNIQUE) && !defined(HAVE_HEIMDAL) + cupsdLogMessage(CUPSD_LOG_INFO, + "Sorry, your version of Kerberos does not support " + "delegated credentials!"); + +# else + krb5_error_code error; /* Kerberos error code */ + OM_uint32 major_status, /* Major status code */ + minor_status; /* Minor status code */ + krb5_principal principal; /* Kerberos principal */ + + +# ifdef __APPLE__ + /* + * If the weak-linked GSSAPI/Kerberos library is not present, don't try + * to use it... + */ + + if (krb5_init_context != NULL) + { +# endif /* __APPLE__ */ + + /* + * We MUST create a file-based cache because memory-based caches are + * only valid for the current process/address space. + * + * Due to various bugs/features in different versions of Kerberos, we + * need either the krb5_cc_new_unique() function or Heimdal's version + * of krb5_cc_gen_new() to create a new FILE: credential cache that + * can be passed to the backend. These functions create a temporary + * file (typically in /tmp) containing the cached credentials, which + * are removed when we have successfully printed a job. + */ + +# ifdef HAVE_KRB5_CC_NEW_UNIQUE + if ((error = krb5_cc_new_unique(KerberosContext, "FILE", NULL, + &ccache)) != 0) +# else /* HAVE_HEIMDAL */ + if ((error = krb5_cc_gen_new(KerberosContext, &krb5_fcc_ops, + &ccache)) != 0) +# endif /* HAVE_KRB5_CC_NEW_UNIQUE */ + { + cupsdLogMessage(CUPSD_LOG_ERROR, + "Unable to create new credentials cache (%d/%s)", + error, strerror(errno)); + ccache = NULL; + } + else if ((error = krb5_parse_name(KerberosContext, con->username, + &principal)) != 0) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + "Unable to parse kerberos username (%d/%s)", error, + strerror(errno)); + krb5_cc_destroy(KerberosContext, ccache); + ccache = NULL; + } + else if ((error = krb5_cc_initialize(KerberosContext, ccache, + principal))) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + "Unable to initialize credentials cache (%d/%s)", error, + strerror(errno)); + krb5_cc_destroy(KerberosContext, ccache); + krb5_free_principal(KerberosContext, principal); + ccache = NULL; + } + else + { + krb5_free_principal(KerberosContext, principal); + + /* + * Copy the user's credentials to the new cache file... + */ + + major_status = gss_krb5_copy_ccache(&minor_status, + con->gss_delegated_cred, ccache); + + if (GSS_ERROR(major_status)) + { + cupsdLogGSSMessage(CUPSD_LOG_ERROR, major_status, minor_status, + "Unable to import client credentials cache"); + krb5_cc_destroy(KerberosContext, ccache); + ccache = NULL; + } + else + { + /* + * Add the KRB5CCNAME environment variable to the job so that the + * backend can use the credentials when printing. + */ + + snprintf(krb5ccname, sizeof(krb5ccname), "KRB5CCNAME=FILE:%s", + krb5_cc_get_name(KerberosContext, ccache)); + envp[envc++] = krb5ccname; + + if (!RunUser) + chown(krb5_cc_get_name(KerberosContext, ccache), User, Group); + } + } +# ifdef __APPLE__ + } +# endif /* __APPLE__ */ +# endif /* HAVE_KRB5_CC_NEW_UNIQUE || HAVE_HEIMDAL */ + } +#endif /* HAVE_GSSAPI */ + } if (con->http.version == HTTP_1_1) @@ -4589,7 +4707,11 @@ pipe_command(cupsd_client_t *con, /* I - Client connection */ */ if (con->username[0]) - cupsdAddCert(pid, con->username); +#ifdef HAVE_GSSAPI + cupsdAddCert(pid, con->username, ccache); +#else + cupsdAddCert(pid, con->username, NULL); +#endif /* HAVE_GSSAPI */ cupsdLogMessage(CUPSD_LOG_DEBUG, "[CGI] %s started - PID = %d", command, pid); @@ -4625,7 +4747,7 @@ write_file(cupsd_client_t *con, /* I - Client connection */ con->pipe_pid = 0; - if (!cupsdSendHeader(con, code, type, AUTH_NONE)) + if (!cupsdSendHeader(con, code, type, CUPSD_AUTH_NONE)) return (0); if (httpPrintf(HTTP(con), "Last-Modified: %s\r\n", diff --git a/scheduler/conf.c b/scheduler/conf.c index 9aa003ad6..977ef4352 100644 --- a/scheduler/conf.c +++ b/scheduler/conf.c @@ -387,7 +387,7 @@ cupsdReadConfiguration(void) if (NumRelays > 0) { for (i = 0; i < NumRelays; i ++) - if (Relays[i].from.type == AUTH_NAME) + if (Relays[i].from.type == CUPSD_AUTH_NAME) free(Relays[i].from.mask.name.name); free(Relays); @@ -511,7 +511,7 @@ cupsdReadConfiguration(void) */ ConfigFilePerm = CUPS_DEFAULT_CONFIG_FILE_PERM; - DefaultAuthType = AUTH_BASIC; + DefaultAuthType = CUPSD_AUTH_BASIC; #ifdef HAVE_SSL DefaultEncryption = HTTP_ENCRYPT_REQUIRED; #endif /* HAVE_SSL */ @@ -967,8 +967,8 @@ cupsdReadConfiguration(void) cupsdLogMessage(CUPSD_LOG_INFO, "Order Deny,Allow"); po = cupsdAddPolicyOp(p, NULL, IPP_SEND_DOCUMENT); - po->order_type = AUTH_ALLOW; - po->level = AUTH_USER; + po->order_type = CUPSD_AUTH_ALLOW; + po->level = CUPSD_AUTH_USER; cupsdAddName(po, "@OWNER"); cupsdAddName(po, "@SYSTEM"); @@ -1009,9 +1009,9 @@ cupsdReadConfiguration(void) cupsdLogMessage(CUPSD_LOG_INFO, "AuthType Default"); po = cupsdAddPolicyOp(p, NULL, IPP_PAUSE_PRINTER); - po->order_type = AUTH_ALLOW; - po->type = AUTH_DEFAULT; - po->level = AUTH_USER; + po->order_type = CUPSD_AUTH_ALLOW; + po->type = CUPSD_AUTH_DEFAULT; + po->level = CUPSD_AUTH_USER; cupsdAddName(po, "@SYSTEM"); cupsdLogMessage(CUPSD_LOG_INFO, "Require user @SYSTEM"); @@ -1044,7 +1044,7 @@ cupsdReadConfiguration(void) cupsdLogMessage(CUPSD_LOG_INFO, "Order Deny,Allow"); po = cupsdAddPolicyOp(p, NULL, IPP_ANY_OPERATION); - po->order_type = AUTH_ALLOW; + po->order_type = CUPSD_AUTH_ALLOW; cupsdLogMessage(CUPSD_LOG_INFO, ""); cupsdLogMessage(CUPSD_LOG_INFO, ""); @@ -1583,9 +1583,9 @@ parse_aaa(cupsd_location_t *loc, /* I - Location */ */ if (!strncasecmp(value, "deny", 4)) - loc->order_type = AUTH_ALLOW; + loc->order_type = CUPSD_AUTH_ALLOW; else if (!strncasecmp(value, "allow", 5)) - loc->order_type = AUTH_DENY; + loc->order_type = CUPSD_AUTH_DENY; else { cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown Order value %s on line %d.", @@ -1696,44 +1696,44 @@ parse_aaa(cupsd_location_t *loc, /* I - Location */ if (!strcasecmp(value, "none")) { - loc->type = AUTH_NONE; - loc->level = AUTH_ANON; + loc->type = CUPSD_AUTH_NONE; + loc->level = CUPSD_AUTH_ANON; } else if (!strcasecmp(value, "basic")) { - loc->type = AUTH_BASIC; + loc->type = CUPSD_AUTH_BASIC; - if (loc->level == AUTH_ANON) - loc->level = AUTH_USER; + if (loc->level == CUPSD_AUTH_ANON) + loc->level = CUPSD_AUTH_USER; } else if (!strcasecmp(value, "digest")) { - loc->type = AUTH_DIGEST; + loc->type = CUPSD_AUTH_DIGEST; - if (loc->level == AUTH_ANON) - loc->level = AUTH_USER; + if (loc->level == CUPSD_AUTH_ANON) + loc->level = CUPSD_AUTH_USER; } else if (!strcasecmp(value, "basicdigest")) { - loc->type = AUTH_BASICDIGEST; + loc->type = CUPSD_AUTH_BASICDIGEST; - if (loc->level == AUTH_ANON) - loc->level = AUTH_USER; + if (loc->level == CUPSD_AUTH_ANON) + loc->level = CUPSD_AUTH_USER; } else if (!strcasecmp(value, "default")) { - loc->type = AUTH_DEFAULT; + loc->type = CUPSD_AUTH_DEFAULT; - if (loc->level == AUTH_ANON) - loc->level = AUTH_USER; + if (loc->level == CUPSD_AUTH_ANON) + loc->level = CUPSD_AUTH_USER; } #ifdef HAVE_GSSAPI else if (!strcasecmp(value, "negotiate")) { - loc->type = AUTH_NEGOTIATE; + loc->type = CUPSD_AUTH_NEGOTIATE; - if (loc->level == AUTH_ANON) - loc->level = AUTH_USER; + if (loc->level == CUPSD_AUTH_ANON) + loc->level = CUPSD_AUTH_USER; } #endif /* HAVE_GSSAPI */ else @@ -1752,8 +1752,8 @@ parse_aaa(cupsd_location_t *loc, /* I - Location */ if (!strcasecmp(value, "anonymous")) { - loc->type = AUTH_NONE; - loc->level = AUTH_ANON; + loc->type = CUPSD_AUTH_NONE; + loc->level = CUPSD_AUTH_ANON; cupsdLogMessage(CUPSD_LOG_WARN, "\"AuthClass %s\" is deprecated; consider removing " @@ -1762,7 +1762,7 @@ parse_aaa(cupsd_location_t *loc, /* I - Location */ } else if (!strcasecmp(value, "user")) { - loc->level = AUTH_USER; + loc->level = CUPSD_AUTH_USER; cupsdLogMessage(CUPSD_LOG_WARN, "\"AuthClass %s\" is deprecated; consider using " @@ -1771,7 +1771,7 @@ parse_aaa(cupsd_location_t *loc, /* I - Location */ } else if (!strcasecmp(value, "group")) { - loc->level = AUTH_GROUP; + loc->level = CUPSD_AUTH_GROUP; cupsdLogMessage(CUPSD_LOG_WARN, "\"AuthClass %s\" is deprecated; consider using " @@ -1780,7 +1780,7 @@ parse_aaa(cupsd_location_t *loc, /* I - Location */ } else if (!strcasecmp(value, "system")) { - loc->level = AUTH_GROUP; + loc->level = CUPSD_AUTH_GROUP; cupsdAddName(loc, "@SYSTEM"); @@ -1825,9 +1825,9 @@ parse_aaa(cupsd_location_t *loc, /* I - Location */ if (!strcasecmp(value, "valid-user") || !strcasecmp(value, "user")) - loc->level = AUTH_USER; + loc->level = CUPSD_AUTH_USER; else if (!strcasecmp(value, "group")) - loc->level = AUTH_GROUP; + loc->level = CUPSD_AUTH_GROUP; else { cupsdLogMessage(CUPSD_LOG_WARN, "Unknown Require type %s on line %d.", @@ -1888,9 +1888,9 @@ parse_aaa(cupsd_location_t *loc, /* I - Location */ else if (!strcasecmp(line, "Satisfy")) { if (!strcasecmp(value, "all")) - loc->satisfy = AUTH_SATISFY_ALL; + loc->satisfy = CUPSD_AUTH_SATISFY_ALL; else if (!strcasecmp(value, "any")) - loc->satisfy = AUTH_SATISFY_ANY; + loc->satisfy = CUPSD_AUTH_SATISFY_ANY; else { cupsdLogMessage(CUPSD_LOG_WARN, "Unknown Satisfy value %s on line %d.", @@ -2372,9 +2372,9 @@ read_configuration(cups_file_t *fp) /* I - File to read from */ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to initialize browse access control list!"); else if (!strncasecmp(value, "deny", 4)) - location->order_type = AUTH_ALLOW; + location->order_type = CUPSD_AUTH_ALLOW; else if (!strncasecmp(value, "allow", 5)) - location->order_type = AUTH_DENY; + location->order_type = CUPSD_AUTH_DENY; else cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown BrowseOrder value %s on line %d.", @@ -2578,7 +2578,7 @@ read_configuration(cups_file_t *fp) /* I - File to read from */ if ((ptr = strchr(temp, ' ')) != NULL) *ptr = '\0'; - relay->from.type = AUTH_NAME; + relay->from.type = CUPSD_AUTH_NAME; if ((relay->from.mask.name.name = strdup(temp)) == NULL) { @@ -2603,7 +2603,7 @@ read_configuration(cups_file_t *fp) /* I - File to read from */ break; } - relay->from.type = AUTH_IP; + relay->from.type = CUPSD_AUTH_IP; memcpy(relay->from.mask.ip.address, ip, sizeof(relay->from.mask.ip.address)); memcpy(relay->from.mask.ip.netmask, mask, @@ -2653,7 +2653,7 @@ read_configuration(cups_file_t *fp) /* I - File to read from */ httpAddrString(&(relay->to), temp, sizeof(temp)); - if (relay->from.type == AUTH_IP) + if (relay->from.type == CUPSD_AUTH_IP) snprintf(temp2, sizeof(temp2), "%u.%u.%u.%u/%u.%u.%u.%u", relay->from.mask.ip.address[0] >> 24, (relay->from.mask.ip.address[0] >> 16) & 255, @@ -2679,7 +2679,7 @@ read_configuration(cups_file_t *fp) /* I - File to read from */ } else { - if (relay->from.type == AUTH_NAME) + if (relay->from.type == CUPSD_AUTH_NAME) free(relay->from.mask.name.name); cupsdLogMessage(CUPSD_LOG_ERROR, "Bad relay address %s at line %d.", @@ -2755,16 +2755,16 @@ read_configuration(cups_file_t *fp) /* I - File to read from */ */ if (!strcasecmp(value, "none")) - DefaultAuthType = AUTH_NONE; + DefaultAuthType = CUPSD_AUTH_NONE; else if (!strcasecmp(value, "basic")) - DefaultAuthType = AUTH_BASIC; + DefaultAuthType = CUPSD_AUTH_BASIC; else if (!strcasecmp(value, "digest")) - DefaultAuthType = AUTH_DIGEST; + DefaultAuthType = CUPSD_AUTH_DIGEST; else if (!strcasecmp(value, "basicdigest")) - DefaultAuthType = AUTH_BASICDIGEST; + DefaultAuthType = CUPSD_AUTH_BASICDIGEST; #ifdef HAVE_GSSAPI else if (!strcasecmp(value, "negotiate")) - DefaultAuthType = AUTH_NEGOTIATE; + DefaultAuthType = CUPSD_AUTH_NEGOTIATE; #endif /* HAVE_GSSAPI */ else { @@ -3152,7 +3152,7 @@ read_location(cups_file_t *fp, /* I - Configuration file */ if ((parent = cupsdAddLocation(location)) == NULL) return (0); - parent->limit = AUTH_LIMIT_ALL; + parent->limit = CUPSD_AUTH_LIMIT_ALL; loc = parent; while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum)) @@ -3184,19 +3184,19 @@ read_location(cups_file_t *fp, /* I - Configuration file */ *valptr++ = '\0'; if (!strcmp(value, "ALL")) - loc->limit = AUTH_LIMIT_ALL; + loc->limit = CUPSD_AUTH_LIMIT_ALL; else if (!strcmp(value, "GET")) - loc->limit |= AUTH_LIMIT_GET; + loc->limit |= CUPSD_AUTH_LIMIT_GET; else if (!strcmp(value, "HEAD")) - loc->limit |= AUTH_LIMIT_HEAD; + loc->limit |= CUPSD_AUTH_LIMIT_HEAD; else if (!strcmp(value, "OPTIONS")) - loc->limit |= AUTH_LIMIT_OPTIONS; + loc->limit |= CUPSD_AUTH_LIMIT_OPTIONS; else if (!strcmp(value, "POST")) - loc->limit |= AUTH_LIMIT_POST; + loc->limit |= CUPSD_AUTH_LIMIT_POST; else if (!strcmp(value, "PUT")) - loc->limit |= AUTH_LIMIT_PUT; + loc->limit |= CUPSD_AUTH_LIMIT_PUT; else if (!strcmp(value, "TRACE")) - loc->limit |= AUTH_LIMIT_TRACE; + loc->limit |= CUPSD_AUTH_LIMIT_TRACE; else cupsdLogMessage(CUPSD_LOG_WARN, "Unknown request type %s on line %d!", value, linenum); @@ -3205,7 +3205,7 @@ read_location(cups_file_t *fp, /* I - Configuration file */ } if (!strcasecmp(line, "limit = AUTH_LIMIT_ALL ^ loc->limit; + loc->limit = CUPSD_AUTH_LIMIT_ALL ^ loc->limit; parent->limit &= ~loc->limit; } diff --git a/scheduler/dirsvc.c b/scheduler/dirsvc.c index a1d8fe1c9..13ce3bfd8 100644 --- a/scheduler/dirsvc.c +++ b/scheduler/dirsvc.c @@ -3683,7 +3683,7 @@ update_cups_browse(void) * Access from localhost (127.0.0.1) is always allowed... */ - auth = AUTH_ALLOW; + auth = CUPSD_AUTH_ALLOW; } else { @@ -3694,39 +3694,39 @@ update_cups_browse(void) switch (BrowseACL->order_type) { default : - auth = AUTH_DENY; /* anti-compiler-warning-code */ + auth = CUPSD_AUTH_DENY; /* anti-compiler-warning-code */ break; - case AUTH_ALLOW : /* Order Deny,Allow */ - auth = AUTH_ALLOW; + case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */ + auth = CUPSD_AUTH_ALLOW; if (cupsdCheckAuth(address, srcname, len, BrowseACL->num_deny, BrowseACL->deny)) - auth = AUTH_DENY; + auth = CUPSD_AUTH_DENY; if (cupsdCheckAuth(address, srcname, len, BrowseACL->num_allow, BrowseACL->allow)) - auth = AUTH_ALLOW; + auth = CUPSD_AUTH_ALLOW; break; - case AUTH_DENY : /* Order Allow,Deny */ - auth = AUTH_DENY; + case CUPSD_AUTH_DENY : /* Order Allow,Deny */ + auth = CUPSD_AUTH_DENY; if (cupsdCheckAuth(address, srcname, len, BrowseACL->num_allow, BrowseACL->allow)) - auth = AUTH_ALLOW; + auth = CUPSD_AUTH_ALLOW; if (cupsdCheckAuth(address, srcname, len, BrowseACL->num_deny, BrowseACL->deny)) - auth = AUTH_DENY; + auth = CUPSD_AUTH_DENY; break; } } } else - auth = AUTH_ALLOW; + auth = CUPSD_AUTH_ALLOW; - if (auth == AUTH_DENY) + if (auth == CUPSD_AUTH_DENY) { cupsdLogMessage(CUPSD_LOG_DEBUG, "update_cups_browse: Refused %d bytes from %s", bytes, diff --git a/scheduler/ipp.c b/scheduler/ipp.c index 7b2a77fef..62eaa8a10 100644 --- a/scheduler/ipp.c +++ b/scheduler/ipp.c @@ -664,7 +664,7 @@ cupsdProcessIPPRequest( con->http.fd, con->response->request.status.status_code, ippErrorString(con->response->request.status.status_code)); - if (cupsdSendHeader(con, HTTP_OK, "application/ipp", AUTH_NONE)) + if (cupsdSendHeader(con, HTTP_OK, "application/ipp", CUPSD_AUTH_NONE)) { #ifdef CUPSD_USE_CHUNKING /* @@ -8434,13 +8434,13 @@ save_auth_info( cupsFilePrintf(fp, "%s\n", line); if (!strcmp(dest->auth_info_required[i], "username")) - cupsdSetStringf(&job->auth_username, "AUTH_USERNAME=%s", + cupsdSetStringf(&job->auth_username, "CUPSD_AUTH_USERNAME=%s", auth_info->values[i].string.text); else if (!strcmp(dest->auth_info_required[i], "domain")) - cupsdSetStringf(&job->auth_domain, "AUTH_DOMAIN=%s", + cupsdSetStringf(&job->auth_domain, "CUPSD_AUTH_DOMAIN=%s", auth_info->values[i].string.text); else if (!strcmp(dest->auth_info_required[i], "password")) - cupsdSetStringf(&job->auth_password, "AUTH_PASSWORD=%s", + cupsdSetStringf(&job->auth_password, "CUPSD_AUTH_PASSWORD=%s", auth_info->values[i].string.text); } } @@ -8453,7 +8453,7 @@ save_auth_info( httpEncode64_2(line, sizeof(line), con->username, strlen(con->username)); cupsFilePrintf(fp, "%s\n", line); - cupsdSetStringf(&job->auth_username, "AUTH_USERNAME=%s", con->username); + cupsdSetStringf(&job->auth_username, "CUPSD_AUTH_USERNAME=%s", con->username); cupsdClearString(&job->auth_domain); /* @@ -8463,7 +8463,7 @@ save_auth_info( httpEncode64_2(line, sizeof(line), con->password, strlen(con->password)); cupsFilePrintf(fp, "%s\n", line); - cupsdSetStringf(&job->auth_password, "AUTH_PASSWORD=%s", con->password); + cupsdSetStringf(&job->auth_password, "CUPSD_AUTH_PASSWORD=%s", con->password); } /* @@ -9000,7 +9000,7 @@ send_http_error( if (status == HTTP_UNAUTHORIZED && printer && printer->num_auth_info_required > 0 && !strcmp(printer->auth_info_required[0], "negotiate")) - cupsdSendError(con, status, AUTH_NEGOTIATE); + cupsdSendError(con, status, CUPSD_AUTH_NEGOTIATE); else if (printer) { char resource[HTTP_MAX_URI]; /* Resource portion of URI */ @@ -9013,13 +9013,13 @@ send_http_error( snprintf(resource, sizeof(resource), "/printers/%s", printer->name); if ((auth = cupsdFindBest(resource, HTTP_POST)) == NULL || - auth->type == AUTH_NONE) + auth->type == CUPSD_AUTH_NONE) auth = cupsdFindPolicyOp(printer->op_policy_ptr, IPP_PRINT_JOB); - cupsdSendError(con, status, auth ? auth->type : AUTH_NONE); + cupsdSendError(con, status, auth ? auth->type : CUPSD_AUTH_NONE); } else - cupsdSendError(con, status, AUTH_NONE); + cupsdSendError(con, status, CUPSD_AUTH_NONE); ippDelete(con->response); con->response = NULL; @@ -9975,6 +9975,8 @@ user_allowed(cupsd_printer_t *p, /* I - Printer or class */ { int i; /* Looping var */ struct passwd *pw; /* User password data */ + char baseuser[256], /* Base username */ + *baseptr; /* Pointer to "@" in base username */ if (p->num_users == 0) @@ -9983,6 +9985,20 @@ user_allowed(cupsd_printer_t *p, /* I - Printer or class */ if (!strcmp(username, "root")) return (1); + if (strchr(username, '@')) + { + /* + * Strip @REALM for username check... + */ + + strlcpy(baseuser, username, sizeof(baseuser)); + + if ((baseptr = strchr(baseuser, '@')) != NULL) + *baseptr = '\0'; + + username = baseuser; + } + pw = getpwnam(username); endpwent(); diff --git a/scheduler/job.c b/scheduler/job.c index 459a17b4c..c4e5b20df 100644 --- a/scheduler/job.c +++ b/scheduler/job.c @@ -1820,6 +1820,7 @@ free_job(cupsd_job_t *job) /* I - Job */ cupsdClearString(&job->auth_username); cupsdClearString(&job->auth_domain); cupsdClearString(&job->auth_password); + #ifdef HAVE_GSSAPI /* * Destroy the credential cache and clear the KRB5CCNAME env var string. @@ -3146,8 +3147,8 @@ start_job(cupsd_job_t *job, /* I - Job ID */ envp[envc] = NULL; for (i = 0; i < envc; i ++) - if (!strncmp(envp[i], "AUTH_", 5)) - cupsdLogMessage(CUPSD_LOG_DEBUG, "[Job %d] envp[%d]=\"AUTH_%c****\"", + if (!strncmp(envp[i], "CUPSD_AUTH_", 5)) + cupsdLogMessage(CUPSD_LOG_DEBUG, "[Job %d] envp[%d]=\"CUPSD_AUTH_%c****\"", job->id, i, envp[i][5]); else if (strncmp(envp[i], "DEVICE_URI=", 11)) cupsdLogMessage(CUPSD_LOG_DEBUG, "[Job %d] envp[%d]=\"%s\"", diff --git a/scheduler/main.c b/scheduler/main.c index 8aeb5e90d..8d33ffb52 100644 --- a/scheduler/main.c +++ b/scheduler/main.c @@ -133,10 +133,7 @@ main(int argc, /* I - Number of command-line args */ browse_time, /* Next browse send time */ senddoc_time, /* Send-Document time */ expire_time, /* Subscription expire time */ - mallinfo_time; /* Malloc information time */ - size_t string_count, /* String count */ - alloc_bytes, /* Allocated string bytes */ - total_bytes; /* Total string bytes */ + report_time; /* Malloc/client/job report time */ long timeout; /* Timeout for cupsdDoSelect() */ struct rlimit limit; /* Runtime limit */ #if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET) @@ -666,11 +663,11 @@ main(int argc, /* I - Number of command-line args */ * Loop forever... */ - mallinfo_time = 0; browse_time = time(NULL); - senddoc_time = time(NULL); expire_time = time(NULL); fds = 1; + report_time = 0; + senddoc_time = time(NULL); while (!stop_scheduler) { @@ -949,7 +946,7 @@ main(int argc, /* I - Number of command-line args */ */ cupsdDeleteCert(0); - cupsdAddCert(0, "root"); + cupsdAddCert(0, "root", NULL); } /* @@ -997,30 +994,49 @@ main(int argc, /* I - Number of command-line args */ } /* - * Log memory usage every minute... + * Log statistics at most once a minute when in debug mode... */ - if ((current_time - mallinfo_time) >= 60 && LogLevel >= CUPSD_LOG_DEBUG2) + if ((current_time - report_time) >= 60 && LogLevel >= CUPSD_LOG_DEBUG) { + size_t string_count, /* String count */ + alloc_bytes, /* Allocated string bytes */ + total_bytes; /* Total string bytes */ #ifdef HAVE_MALLINFO - struct mallinfo mem; /* Malloc information */ + struct mallinfo mem; /* Malloc information */ mem = mallinfo(); - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "mallinfo: arena = %d, used = %d, free = %d\n", - mem.arena, mem.usmblks + mem.uordblks, + cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: malloc-arena=%lu", mem.arena); + cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: malloc-used=%lu", + mem.usmblks + mem.uordblks); + cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: malloc-free=%lu", mem.fsmblks + mem.fordblks); #endif /* HAVE_MALLINFO */ + cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: clients=%d", + cupsArrayCount(Clients)); + cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: jobs=%d", + cupsArrayCount(Jobs)); + cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: jobs-active=%d", + cupsArrayCount(ActiveJobs)); + cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: printers=%d", + cupsArrayCount(Printers)); + cupsdLogMessage(CUPSD_LOG_DEBUG, "Report: printers-implicit=%d", + cupsArrayCount(ImplicitPrinters)); + string_count = _cupsStrStatistics(&alloc_bytes, &total_bytes); - cupsdLogMessage(CUPSD_LOG_DEBUG2, - "stringpool: " CUPS_LLFMT " strings, " - CUPS_LLFMT " allocated, " CUPS_LLFMT " total bytes", - CUPS_LLCAST string_count, CUPS_LLCAST alloc_bytes, + cupsdLogMessage(CUPSD_LOG_DEBUG, + "Report: stringpool-string-count=" CUPS_LLFMT, + CUPS_LLCAST string_count); + cupsdLogMessage(CUPSD_LOG_DEBUG, + "Report: stringpool-alloc-bytes=" CUPS_LLFMT, + CUPS_LLCAST alloc_bytes); + cupsdLogMessage(CUPSD_LOG_DEBUG, + "Report: stringpool-total-bytes=" CUPS_LLFMT, CUPS_LLCAST total_bytes); - mallinfo_time = current_time; + report_time = current_time; } /* diff --git a/scheduler/policy.c b/scheduler/policy.c index 25204ee89..d550af4c8 100644 --- a/scheduler/policy.c +++ b/scheduler/policy.c @@ -3,7 +3,7 @@ * * Policy routines for the Common UNIX Printing System (CUPS). * - * Copyright 2007 by Apple Inc. + * Copyright 2007-2008 by Apple Inc. * Copyright 1997-2006 by Easy Software Products, all rights reserved. * * These coded instructions, statements, and computer programs are the @@ -98,7 +98,7 @@ cupsdAddPolicyOp(cupsd_policy_t *p, /* I - Policy */ if ((temp = calloc(1, sizeof(cupsd_location_t))) != NULL) { temp->op = op; - temp->limit = AUTH_LIMIT_IPP; + temp->limit = CUPSD_AUTH_LIMIT_IPP; cupsArrayAdd(p->ops, temp); @@ -120,12 +120,12 @@ cupsdAddPolicyOp(cupsd_policy_t *p, /* I - Policy */ for (i = 0; i < po->num_allow; i ++) switch (po->allow[i].type) { - case AUTH_IP : + case CUPSD_AUTH_IP : cupsdAllowIP(temp, po->allow[i].mask.ip.address, po->allow[i].mask.ip.netmask); break; - case AUTH_INTERFACE : + case CUPSD_AUTH_INTERFACE : snprintf(name, sizeof(name), "@IF(%s)", po->allow[i].mask.name.name); cupsdAllowHost(temp, name); @@ -139,12 +139,12 @@ cupsdAddPolicyOp(cupsd_policy_t *p, /* I - Policy */ for (i = 0; i < po->num_deny; i ++) switch (po->deny[i].type) { - case AUTH_IP : + case CUPSD_AUTH_IP : cupsdDenyIP(temp, po->deny[i].mask.ip.address, po->deny[i].mask.ip.netmask); break; - case AUTH_INTERFACE : + case CUPSD_AUTH_INTERFACE : snprintf(name, sizeof(name), "@IF(%s)", po->deny[i].mask.name.name); cupsdDenyHost(temp, name); diff --git a/scheduler/printers.c b/scheduler/printers.c index 61b6f6ef9..c55126f51 100644 --- a/scheduler/printers.c +++ b/scheduler/printers.c @@ -1745,25 +1745,25 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)/* I - Printer to setup */ snprintf(resource, sizeof(resource), "/printers/%s", p->name); if ((auth = cupsdFindBest(resource, HTTP_POST)) == NULL || - auth->type == AUTH_NONE) + auth->type == CUPSD_AUTH_NONE) auth = cupsdFindPolicyOp(p->op_policy_ptr, IPP_PRINT_JOB); if (auth) { - if (auth->type == AUTH_BASIC || auth->type == AUTH_BASICDIGEST) + if (auth->type == CUPSD_AUTH_BASIC || auth->type == CUPSD_AUTH_BASICDIGEST) { auth_supported = "basic"; num_air = 2; air = air_userpass; } - else if (auth->type == AUTH_DIGEST) + else if (auth->type == CUPSD_AUTH_DIGEST) { auth_supported = "digest"; num_air = 2; air = air_userpass; } #ifdef HAVE_GSSAPI - else if (auth->type == AUTH_NEGOTIATE) + else if (auth->type == CUPSD_AUTH_NEGOTIATE) { auth_supported = "negotiate"; num_air = 1; @@ -1771,7 +1771,7 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)/* I - Printer to setup */ } #endif /* HAVE_GSSAPI */ - if (auth->type != AUTH_NONE) + if (auth->type != CUPSD_AUTH_NONE) p->type |= CUPS_PRINTER_AUTHENTICATED; else p->type &= ~CUPS_PRINTER_AUTHENTICATED; diff --git a/scheduler/process.c b/scheduler/process.c index 4b83abd37..a22548e8f 100644 --- a/scheduler/process.c +++ b/scheduler/process.c @@ -99,11 +99,11 @@ cupsdCreateProfile(int job_id) /* I - Job ID or 0 for none */ cupsFilePuts(fp, "(allow default)\n"); cupsFilePrintf(fp, "(deny file-write* file-read-data file-read-metadata\n" - " (regex #\"^%s\"))\n", request); + " (regex #\"^%s/\"))\n", request); cupsFilePrintf(fp, "(deny file-write*\n" " (regex #\"^%s\" #\"^/private/etc\" #\"^/usr/local/etc\" " - "#\"^/Library\" #\"^/System\"))\n", root); + "#\"^/Library\" #\"^/System\" #\"^/Users\"))\n", root); cupsFilePrintf(fp, "(allow file-write* file-read-data file-read-metadata\n" " (regex #\"^%s$\" #\"^%s/\" #\"^%s$\" #\"^%s/\"))\n", @@ -112,10 +112,12 @@ cupsdCreateProfile(int job_id) /* I - Job ID or 0 for none */ cupsFilePrintf(fp, "(allow file-read-data file-read-metadata\n" " (regex #\"^%s/([ac]%05d|d%05d-[0-9][0-9][0-9])$\"))\n", - request); + request, job_id, job_id); cupsFileClose(fp); + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d) = \"%s\"", + job_id, profile); return ((void *)strdup(profile)); #else @@ -134,6 +136,8 @@ cupsdDestroyProfile(void *profile) /* I - Profile */ #ifdef HAVE_SANDBOX_H if (profile) { + cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDeleteProfile(profile=\"%s\")", + (char *)profile); unlink((char *)profile); free(profile); } @@ -312,12 +316,30 @@ cupsdStartProcess( /* * Change the priority of the process based on the FilterNice setting. - * (this is not done for backends...) + * (this is not done for root processes...) */ if (!root) nice(FilterNice); +#ifdef HAVE_SANDBOX_H + /* + * Run in a separate security profile... + */ + + if (profile) + { + char *error = NULL; /* Sandbox error, if any */ + + if (sandbox_init((char *)profile, SANDBOX_NAMED_EXTERNAL, &error)) + { + fprintf(stderr, "ERROR: sandbox_init failed: %s (%s)\n", error, + strerror(errno)); + sandbox_free_error(error); + } + } +#endif /* HAVE_SANDBOX_H */ + /* * Change user to something "safe"... */ @@ -375,24 +397,6 @@ cupsdStartProcess( cupsdReleaseSignals(); -#ifdef HAVE_SANDBOX_H - /* - * Run in a separate security profile... - */ - - if (profile) - { - char *error; /* Sandbox error, if any */ - - if (sandbox_init((char *)profile, SANDBOX_NAMED_EXTERNAL, &error)) - { - fprintf(stderr, "ERROR: sandbox_init failed: %s (%s)\n", error, - strerror(errno)); - sandbox_free_error(error); - } - } -#endif /* HAVE_SANDBOX_H */ - /* * Execute the command; if for some reason this doesn't work, * return the error code... -- 2.39.2