- Remove domain from user name during local user authentication (e.g., "user@example.com" –> "user"). This practice can be beneficial for maintaining compatibility with older versions of Kerberos. However, enabling this option can have negative consequences. It may result in confusion between domain and local users with identical names, potentially leading to incorrect assignment of user permissions and unintentional permission escalation, thus creating a security risk. Therefore, it is advisable to avoid using this option in most cases.
- Add "StripUserDomain" parameter to cups-files.conf
Co-authored-by: Irgaliev Amin <irgaliev01@mail.ru>
Co-authored-by: Artyom Proskurnyov <temap@mail.ru>
Reviewed-by: Alexander Pevzner <pzz@apevzner.com>
# List of events that are considered fatal errors for the scheduler...
#FatalErrors @CUPS_FATAL_ERRORS@
+# Strip domain in local username?
+#StripUserDomain No
+
# Do we call fsync() after writing configuration or status files?
#SyncOnClose @CUPS_SYNC_ON_CLOSE@
\fBStateDir \fIdirectory\fR
Specifies the directory to use for PID and local certificate files.
The default is "/var/run/cups" or "/etc/cups" depending on the platform.
+.\"#StripUserDomain
+.TP 5
+\StripUserDomain Yes\fR
+.TP 5
+\StripUserDomain No\fR
+Specifies whether to remove domain from user name during local user authentication (e.g., "user@example.com" –> "user").
+This practice can be beneficial for maintaining compatibility with older versions of Kerberos.
+However, enabling this option can have negative consequences.
+It may result in confusion between domain and local users with identical names, potentially leading
+to incorrect assignment of user permissions and unintentional permission escalation,
+thus creating a security risk. Therefore, it is advisable to avoid using this option in most cases.
.\"#SyncOnClose
.TP 5
\fBSyncOnClose Yes\fR
* Strip any @domain or @KDC from the username and owner...
*/
- if ((ptr = strchr(username, '@')) != NULL)
+ if (StripUserDomain && (ptr = strchr(username, '@')) != NULL)
*ptr = '\0';
if (owner)
{
cupsCopyString(ownername, owner, sizeof(ownername));
- if ((ptr = strchr(ownername, '@')) != NULL)
+ if (StripUserDomain && (ptr = strchr(ownername, '@')) != NULL)
*ptr = '\0';
}
else
{ "ServerKeychain", &ServerKeychain, CUPSD_VARTYPE_PATHNAME },
{ "ServerRoot", &ServerRoot, CUPSD_VARTYPE_PATHNAME },
{ "StateDir", &StateDir, CUPSD_VARTYPE_STRING },
+ { "StripUserDomain", &StripUserDomain, CUPSD_VARTYPE_BOOLEAN },
{ "SyncOnClose", &SyncOnClose, CUPSD_VARTYPE_BOOLEAN },
#ifdef HAVE_AUTHORIZATION_H
{ "SystemGroupAuthKey", &SystemGroupAuthKey, CUPSD_VARTYPE_STRING },
LogFilePerm = CUPS_DEFAULT_LOG_FILE_PERM;
LogFileGroup = Group;
LogLevel = CUPSD_LOG_WARN;
+ StripUserDomain = FALSE;
LogTimeFormat = CUPSD_TIME_STANDARD;
MaxClients = 100;
MaxClientsPerHost = 0;
/* Group ID for log files */
VAR cupsd_loglevel_t LogLevel VALUE(CUPSD_LOG_WARN);
/* Error log level */
+VAR int StripUserDomain VALUE(FALSE);
+ /* Strip domain in local username? */
VAR cupsd_time_t LogTimeFormat VALUE(CUPSD_TIME_STANDARD);
/* Log file time format */
VAR cups_file_t *LogStderr VALUE(NULL);
projects / thirdparty / cups.git / commitdiff
