Fix auth key defaults on OS X.
authormike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Mon, 1 Apr 2013 16:51:23 +0000 (16:51 +0000)
committermike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Mon, 1 Apr 2013 16:51:23 +0000 (16:51 +0000)
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@10928 7a7537e8-13f0-0310-91df-b6672ffda945

CHANGES-1.6.txt
config-scripts/cups-common.m4
config.h.in
scheduler/auth.c
scheduler/conf.c

index 9de6bdb22f2e565bdedb6a19b85b39d803bd1b87..e85a29fa9f1d780b2a2b9d05d8f2e7c437aa26c6 100644 (file)
@@ -3,6 +3,11 @@ CHANGES-1.6.txt
 
 CHANGES IN CUPS V1.6.3
 
+       - Fixed a regression on the handling of auth keys on OS X if the
+         cups-files.conf was not present or did not contain a SystemAuthKey
+         value.
+       - The scheduler incorrectly did a reverse lookup of the server address
+         when HostNameLookups was turned off (STR #4302)
        - The scheduler incorrectly computed the final content type value when
          null filters were present.
 
index 6c6a0d0cd761f9639833fb4664edcde9eabd3307..e0abfe1bcb2ed1468378ad7ddd541cd67a47a489 100644 (file)
@@ -338,6 +338,7 @@ AC_SUBST(DBUS_NOTIFIERLIBS)
 
 dnl Extra platform-specific libraries...
 CUPS_DEFAULT_PRINTOPERATOR_AUTH="@SYSTEM"
+CUPS_DEFAULT_SYSTEM_AUTHKEY=""
 CUPS_SYSTEM_AUTHKEY=""
 INSTALLXPC=""
 
@@ -385,10 +386,13 @@ case $uname in
 
                        if test "x$default_adminkey" != xdefault; then
                                CUPS_SYSTEM_AUTHKEY="SystemGroupAuthKey $default_adminkey"
+                               CUPS_DEFAULT_SYSTEM_AUTHKEY="$default_adminkey"
                        elif grep -q system.print.operator /etc/authorization; then
                                CUPS_SYSTEM_AUTHKEY="SystemGroupAuthKey system.print.admin"
+                               CUPS_DEFAULT_SYSTEM_AUTHKEY="system.print.admin"
                        else
                                CUPS_SYSTEM_AUTHKEY="SystemGroupAuthKey system.preferences"
+                               CUPS_DEFAULT_SYSTEM_AUTHKEY="system.preferences"
                        fi
 
                        if test "x$default_operkey" != xdefault; then
@@ -426,6 +430,7 @@ esac
 
 AC_SUBST(CUPS_DEFAULT_PRINTOPERATOR_AUTH)
 AC_DEFINE_UNQUOTED(CUPS_DEFAULT_PRINTOPERATOR_AUTH, "$CUPS_DEFAULT_PRINTOPERATOR_AUTH")
+AC_DEFINE_UNQUOTED(CUPS_DEFAULT_SYSTEM_AUTHKEY, "$CUPS_DEFAULT_SYSTEM_AUTHKEY")
 AC_SUBST(CUPS_SYSTEM_AUTHKEY)
 AC_SUBST(INSTALLXPC)
 
index 1408ca9db60a7cc15c27374a817aa7222bba0b60..e708598aca0c4bb2d2c1cdd7fcf128dc4a0d3bc5 100644 (file)
@@ -32,6 +32,7 @@
 #define CUPS_DEFAULT_GROUP     "sys"
 #define CUPS_DEFAULT_SYSTEM_GROUPS     "sys root system"
 #define CUPS_DEFAULT_PRINTOPERATOR_AUTH        "@SYSTEM"
+#define CUPS_DEFAULT_SYSTEM_AUTHKEY    "system.print.admin"
 
 
 /*
index 6633d38bbc105645e2ea968c07ecc7ae76d90e83..5c7f05731e51acdccbf55a6be1700df3de5725ab 100644 (file)
@@ -513,18 +513,37 @@ cupsdAuthorize(cupsd_client_t *con)       /* I - Client connection */
     socklen_t          peersize;       /* Size of peer credentials */
 #ifdef HAVE_AUTHORIZATION_H
     const char         *name;          /* Authorizing name */
+    int                        no_peer = 0;    /* Don't allow peer credentials? */
+
+   /*
+    * See if we should allow peer credentials...
+    */
 
     for (name = (char *)cupsArrayFirst(con->best->names);
          name;
          name = (char *)cupsArrayNext(con->best->names))
+    {
       if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) ||
           !_cups_strcasecmp(name, "@SYSTEM"))
       {
-       cupsdLogMessage(CUPSD_LOG_ERROR,
-                       "[Client %d] PeerCred authentication not allowed for "
-                       "resource.", con->http.fd);
-       return;
+       /* Normally don't want peer credentials if we need an auth key... */
+       no_peer = 1;
       }
+      else if (!_cups_strcasecmp(name, "@OWNER"))
+      {
+       /* but if @OWNER is present then we allow it... */
+        no_peer = 0;
+        break;
+      }
+    }
+
+    if (no_peer)
+    {
+      cupsdLogMessage(CUPSD_LOG_ERROR,
+                     "[Client %d] PeerCred authentication not allowed for "
+                     "resource per AUTHKEY policy.", con->http.fd);
+      return;
+    }
 #endif /* HAVE_AUTHORIZATION_H */
 
     if ((pwd = getpwnam(authorization + 9)) == NULL)
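Review bot: In the new loop in cupsdAuthorize, a single `@OWNER` entry clears `no_peer` and breaks, so a resource whose name list also contains `@SYSTEM` or `@AUTHKEY(...)` now accepts PeerCred authentication. Whether that is safe depends on the later authorization step, which is not in this hunk: it should be confirmed that a peer-credential identity can satisfy only the `@OWNER` term there, never the `@SYSTEM` or auth-key term. I would make the comment above the loop say so, e.g. `/* @OWNER anywhere in the list re-enables PeerCred; @SYSTEM/@AUTHKEY are still checked at authorization time - confirm */`. The rejection message also does not say which name triggered it, which makes policy debugging harder. The function body starts and ends outside the hunk.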
index 1613e9757e6a74782fa06f559de44b820043dc51..b812119356605c2e960fc30966759fdaa32c95db 100644 (file)
@@ -704,7 +704,7 @@ cupsdReadConfiguration(void)
   AccessLogLevel           = CUPSD_ACCESSLOG_ACTIONS;
   ConfigFilePerm           = CUPS_DEFAULT_CONFIG_FILE_PERM;
   FatalErrors              = parse_fatal_errors(CUPS_DEFAULT_FATAL_ERRORS);
-  default_auth_type          = CUPSD_AUTH_BASIC;
+  default_auth_type        = CUPSD_AUTH_BASIC;
 #ifdef HAVE_SSL
   DefaultEncryption        = HTTP_ENCRYPT_REQUIRED;
   SSLOptions               = CUPSD_SSL_NONE;
@@ -766,7 +766,7 @@ cupsdReadConfiguration(void)
   cupsdClearString(&DefaultPolicy);
 
 #ifdef HAVE_AUTHORIZATION_H
-  cupsdClearString(&SystemGroupAuthKey);
+  cupsdSetString(&SystemGroupAuthKey, CUPS_DEFAULT_SYSTEM_AUTHKEY);
 #endif /* HAVE_AUTHORIZATION_H */
 
   MaxSubscriptions           = 100;
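Review bot: `CUPS_DEFAULT_SYSTEM_AUTHKEY` can be the empty string here, because cups-common.m4 initialises it to `""` and assigns a real right name only inside the platform branch shown in the second m4 hunk (the `"system.print.admin"` in config.h.in is just the template value). If a build defines HAVE_AUTHORIZATION_H without reaching that branch, `SystemGroupAuthKey` becomes `""` instead of unset, and any code outside this diff that only tests the pointer would treat an empty right name as configured. I would guard the default: `if (CUPS_DEFAULT_SYSTEM_AUTHKEY[0]) cupsdSetString(&SystemGroupAuthKey, CUPS_DEFAULT_SYSTEM_AUTHKEY);` followed by `else cupsdClearString(&SystemGroupAuthKey);`. cupsdReadConfiguration continues outside the hunk.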
@@ -3349,7 +3349,7 @@ read_cupsd_conf(cups_file_t *fp)  /* I - File to read from */
              !_cups_strcasecmp(line, "TempDir") ||
             !_cups_strcasecmp(line, "User"))
     {
-      cupsdLogMessage(CUPSD_LOG_WARN,
+      cupsdLogMessage(CUPSD_LOG_INFO,
                      "Please move \"%s%s%s\" on line %d of %s to the %s file; "
                      "this will become an error in a future release.",
                      line, value ? " " : "", value ? value : "", linenum,
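Review bot: Lowering this message from `CUPSD_LOG_WARN` to `CUPSD_LOG_INFO` hides a deprecation notice whose own text says the directive "will become an error in a future release", and the directives visible in the condition include `User` and `TempDir`. With a log level of warn, administrators would no longer see the notice before the release that turns it into a hard error. I would keep `CUPSD_LOG_WARN`, or record the reason for the downgrade next to the call, e.g. `/* INFO, not WARN: <reason for the downgrade> */`. The enclosing `if` in read_cupsd_conf starts and ends outside the hunk.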