/*
* Authorization routines for the CUPS scheduler.
*
- * Copyright © 2021-2022 by OpenPrinting.
+ * Copyright © 2021-2023 by OpenPrinting.
* Copyright © 2007-2019 by Apple Inc.
* Copyright © 1997-2007 by Easy Software Products, all rights reserved.
*
* Validate the username and password...
*/
- switch (type)
+ if (type == CUPSD_AUTH_BASIC)
{
- default :
- case CUPSD_AUTH_BASIC :
- {
#if HAVE_LIBPAM
- /*
- * Only use PAM to do authentication. This supports MD5
- * passwords, among other things...
- */
+ /*
+ * Only use PAM to do authentication. This supports MD5
+ * passwords, among other things...
+ */
- pam_handle_t *pamh; /* PAM authentication handle */
- int pamerr; /* PAM error code */
- struct pam_conv pamdata;/* PAM conversation data */
- cupsd_authdata_t data; /* Authentication data */
+ pam_handle_t *pamh; /* PAM authentication handle */
+ int pamerr; /* PAM error code */
+ struct pam_conv pamdata; /* PAM conversation data */
+ cupsd_authdata_t data; /* Authentication data */
- strlcpy(data.username, username, sizeof(data.username));
- strlcpy(data.password, password, sizeof(data.password));
+ strlcpy(data.username, username, sizeof(data.username));
+ strlcpy(data.password, password, sizeof(data.password));
# ifdef __sun
- pamdata.conv = (int (*)(int, struct pam_message **,
- struct pam_response **,
- void *))pam_func;
+ pamdata.conv = (int (*)(int, struct pam_message **,
+ struct pam_response **,
+ void *))pam_func;
# else
- pamdata.conv = pam_func;
+ pamdata.conv = pam_func;
# endif /* __sun */
- pamdata.appdata_ptr = &data;
+ pamdata.appdata_ptr = &data;
- pamerr = pam_start("cups", username, &pamdata, &pamh);
- if (pamerr != PAM_SUCCESS)
- {
- cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_start() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
- return;
- }
+ pamerr = pam_start("cups", username, &pamdata, &pamh);
+ if (pamerr != PAM_SUCCESS)
+ {
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_start() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
+ return;
+ }
# ifdef HAVE_PAM_SET_ITEM
# ifdef PAM_RHOST
- pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname);
- if (pamerr != PAM_SUCCESS)
- cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_RHOST) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
+ pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname);
+ if (pamerr != PAM_SUCCESS)
+ cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_RHOST) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
# endif /* PAM_RHOST */
# ifdef PAM_TTY
- pamerr = pam_set_item(pamh, PAM_TTY, "cups");
- if (pamerr != PAM_SUCCESS)
- cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_TTY) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
+ pamerr = pam_set_item(pamh, PAM_TTY, "cups");
+ if (pamerr != PAM_SUCCESS)
+ cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_TTY) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
# endif /* PAM_TTY */
# endif /* HAVE_PAM_SET_ITEM */
- pamerr = pam_authenticate(pamh, PAM_SILENT);
- if (pamerr != PAM_SUCCESS)
- {
- cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_authenticate() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
- pam_end(pamh, 0);
- return;
- }
+ pamerr = pam_authenticate(pamh, PAM_SILENT);
+ if (pamerr != PAM_SUCCESS)
+ {
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_authenticate() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
+ pam_end(pamh, 0);
+ return;
+ }
# ifdef HAVE_PAM_SETCRED
- pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
- if (pamerr != PAM_SUCCESS)
- cupsdLogClient(con, CUPSD_LOG_WARN, "pam_setcred() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
+ pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
+ if (pamerr != PAM_SUCCESS)
+ cupsdLogClient(con, CUPSD_LOG_WARN, "pam_setcred() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
# endif /* HAVE_PAM_SETCRED */
- pamerr = pam_acct_mgmt(pamh, PAM_SILENT);
- if (pamerr != PAM_SUCCESS)
- {
- cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_acct_mgmt() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
- pam_end(pamh, 0);
- return;
- }
+ pamerr = pam_acct_mgmt(pamh, PAM_SILENT);
+ if (pamerr != PAM_SUCCESS)
+ {
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_acct_mgmt() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
+ pam_end(pamh, 0);
+ return;
+ }
- pam_end(pamh, PAM_SUCCESS);
+ pam_end(pamh, PAM_SUCCESS);
#else
- /*
- * Use normal UNIX password file-based authentication...
- */
+ /*
+ * Use normal UNIX password file-based authentication...
+ */
- char *pass; /* Encrypted password */
- struct passwd *pw; /* User password data */
+ char *pass; /* Encrypted password */
+ struct passwd *pw; /* User password data */
# ifdef HAVE_SHADOW_H
- struct spwd *spw; /* Shadow password data */
+ struct spwd *spw; /* Shadow password data */
# endif /* HAVE_SHADOW_H */
- pw = getpwnam(username); /* Get the current password */
- endpwent(); /* Close the password file */
+ pw = getpwnam(username); /* Get the current password */
+ endpwent(); /* Close the password file */
- if (!pw)
- {
- /*
- * No such user...
- */
+ if (!pw)
+ {
+ /*
+ * No such user...
+ */
- cupsdLogClient(con, CUPSD_LOG_ERROR, "Unknown username \"%s\".", username);
- return;
- }
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unknown username \"%s\".", username);
+ return;
+ }
# ifdef HAVE_SHADOW_H
- spw = getspnam(username);
- endspent();
+ spw = getspnam(username);
+ endspent();
- if (!spw && !strcmp(pw->pw_passwd, "x"))
- {
- /*
- * Don't allow blank passwords!
- */
+ if (!spw && !strcmp(pw->pw_passwd, "x"))
+ {
+ /*
+ * Don't allow blank passwords!
+ */
- cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no shadow password.", username);
- return;
- }
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no shadow password.", username);
+ return;
+ }
- if (spw && !spw->sp_pwdp[0] && !pw->pw_passwd[0])
+ if (spw && !spw->sp_pwdp[0] && !pw->pw_passwd[0])
# else
- if (!pw->pw_passwd[0])
+ if (!pw->pw_passwd[0])
# endif /* HAVE_SHADOW_H */
- {
- /*
- * Don't allow blank passwords!
- */
+ {
+ /*
+ * Don't allow blank passwords!
+ */
- cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no password.", username);
- return;
- }
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no password.", username);
+ return;
+ }
- /*
- * OK, the password isn't blank, so compare with what came from the
- * client...
- */
+ /*
+ * OK, the password isn't blank, so compare with what came from the
+ * client...
+ */
- pass = crypt(password, pw->pw_passwd);
+ pass = crypt(password, pw->pw_passwd);
- if (!pass || strcmp(pw->pw_passwd, pass))
- {
+ if (!pass || strcmp(pw->pw_passwd, pass))
+ {
# ifdef HAVE_SHADOW_H
- if (spw)
- {
- pass = crypt(password, spw->sp_pwdp);
+ if (spw)
+ {
+ pass = crypt(password, spw->sp_pwdp);
- if (pass == NULL || strcmp(spw->sp_pwdp, pass))
- {
- cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
- return;
- }
- }
- else
+ if (pass == NULL || strcmp(spw->sp_pwdp, pass))
+ {
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
+ return;
+ }
+ }
+ else
# endif /* HAVE_SHADOW_H */
- {
- cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
- return;
- }
- }
+ {
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
+ return;
+ }
+ }
#endif /* HAVE_LIBPAM */
- }
-
- cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);
- break;
}
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);
con->type = type;
}
#ifdef HAVE_GSSAPI
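Review bot: With the `default :` label gone, any `type` other than `CUPSD_AUTH_BASIC` now skips the PAM/`crypt()` password check, yet the relocated `cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);` and `con->type = type;` after the closing brace still run. The old `switch` failed closed by sending every type through validation. Unless code above this hunk already rejects non-Basic types (not visible here; the enclosing function begins outside the hunk), this path would accept the supplied username without verifying the password and record it in the log as authorized. I would add an explicit rejecting branch after the `if` block, for example `else { cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic credentials received but AuthType is %d.", type); return; }`. Alternatively, add a comment that names the earlier check which makes the fall-through unreachable.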