Allow Local authentication for Negotiate 19/head
authorSamuel Cabrero <scabrero@suse.de>
Tue, 27 Oct 2020 15:18:03 +0000 (16:18 +0100)
committerSamuel Cabrero <scabrero@suse.de>
Tue, 27 Oct 2020 16:30:33 +0000 (17:30 +0100)
PeerCred is also possible if address family is AF_LOCAL. This will allow
the CGI programs to generate the authorization from the local
certificates based on PID also when Negotiate is used for local
connections:

Client                       CGI
Browser <- Remote conn -> admin.cgi <--- Localhost conn --->  Scheduler
  |                           |                                    |
  + --- HTTP/POST /admin/ --> |                                    |
  |                           + --- CUPS-Get-Devices ------------> |
  |                           |                                    |
  |                           | <-- 401 Unauthorized --------------+
  |                           |     WWW-Authenticate:              |
  |                           |       Negotiate, (PeerCred,) Local |
  |                           |                                    |
  | <-- 401 Unauthorized -----+                                    |
  |     WWW-Authenticate:     |                                    |
  |       Negotiate           |                                    |
  |                           |                                    |
  | --- HTTP/POST /admin/ --> |                                    |
  |     Authorization:        + --- IPP CUPS-Get-Devices --------> |
  |       Negotiate           |     Authorization: Local <cert>    |
  |                           |                                    |

Fixes: #5596
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
cups/auth.c
scheduler/client.c

index 9661657fc7d76523d16535c52c04f15b2bdb60cd..b6fec6b983220947f5719808d9620ed6b621afdb 100644 (file)
@@ -1043,11 +1043,6 @@ cups_local_auth(http_t *http)            /* I - HTTP connection to server */
   }
 #  endif /* HAVE_AUTHORIZATION_H */
 
-#  ifdef HAVE_GSSAPI
-  if (cups_auth_find(www_auth, "Negotiate"))
-    return (1);
-#  endif /* HAVE_GSSAPI */
-
 #  if defined(SO_PEERCRED) && defined(AF_LOCAL)
  /*
   * See if we can authenticate using the peer credentials provided over a
index c2ee8f12a6e3a460790a1e664efcd1180f4587a0..56797d58d72c9f18a0349801c2d0afdfd4885b02 100644 (file)
@@ -2109,18 +2109,13 @@ cupsdSendHeader(
     }
     else if (auth_type == CUPSD_AUTH_NEGOTIATE)
     {
-#if defined(SO_PEERCRED) && defined(AF_LOCAL)
-      if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
-       strlcpy(auth_str, "PeerCred", sizeof(auth_str));
-      else
-#endif /* SO_PEERCRED && AF_LOCAL */
       strlcpy(auth_str, "Negotiate", sizeof(auth_str));
     }
 
-    if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
+    if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
     {
      /*
-      * Add a "trc" (try root certification) parameter for local non-Kerberos
+      * Add a "trc" (try root certification) parameter for local
       * requests when the request requires system group membership - then the
       * client knows the root certificate can/should be used.
       *
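Review bot: With `auth_type != CUPSD_AUTH_NEGOTIATE` removed from the `con->best` condition, a location configured for Negotiate now also takes the local-certificate ("trc") path for any non-browser client whose connection hostname compares equal to "localhost", and the shortened comment does not record that this widening is intentional. I would extend the comment with something like `* Negotiate is included on purpose: a local CGI cannot forward the browser's Kerberos credentials, so it authenticates with the local certificate instead.` How `con->is_browser` is derived is not visible in this hunk; if it comes from a client-supplied header it is only a hint, so the check that actually limits Local to same-host callers has to sit on the scheduler's authorization side. That path is not among the files listed for this commit (cups/auth.c and scheduler/client.c), so it is worth confirming that it accepts and validates Local credentials for Negotiate-protected locations. The `if` body and its comment continue past the end of the hunk.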