From: Zdenek Dohnal Date: Wed, 14 Aug 2024 08:11:06 +0000 (+0200) Subject: Fixed HTTP PeerCred authentication for domain users (Issue #1001) X-Git-Tag: v2.4.11~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ccfbec6b417adca1285eeb56d26f53b7189bb89;p=thirdparty%2Fcups.git Fixed HTTP PeerCred authentication for domain users (Issue #1001) --- diff --git a/CHANGES.md b/CHANGES.md index a3c07a9fa3..15ee4100f7 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -11,6 +11,7 @@ Changes in CUPS v2.4.11 (YYYY-MM-DD) (Issue #990) - Fixed issues with cupsGetDestMediaByXxx (Issue #993) - Fixed adding and modifying of printers via the web interface (Issue #998) +- Fixed HTTP PeerCred authentication for domain users (Issue #1001) - Fixed checkbox support (Issue #1008) - Fixed printer state notifications (Issue #1013) diff --git a/conf/cups-files.conf.in b/conf/cups-files.conf.in index 93584a16d0..f96f745ae1 100644 --- a/conf/cups-files.conf.in +++ b/conf/cups-files.conf.in @@ -6,6 +6,9 @@ # List of events that are considered fatal errors for the scheduler... #FatalErrors @CUPS_FATAL_ERRORS@ +# Strip domain in local username? +#StripUserDomain No + # Do we call fsync() after writing configuration or status files? #SyncOnClose @CUPS_SYNC_ON_CLOSE@ diff --git a/doc/help/man-cups-files.conf.html b/doc/help/man-cups-files.conf.html index 74047d98ab..c0c775dec9 100644 --- a/doc/help/man-cups-files.conf.html +++ b/doc/help/man-cups-files.conf.html @@ -146,6 +146,14 @@ Note: the standard CUPS filter and backend environment variables cannot be overr
StateDir directory
Specifies the directory to use for PID and local certificate files. The default is "/var/run/cups" or "/etc/cups" depending on the platform. +
StripUserDomain Yes +
StripUserDomain No +
Specifies whether to remove domain from user name during local user authentication (e.g., "user@example.com" –> "user"). +This practice can be beneficial for maintaining compatibility with older versions of Kerberos. +However, enabling this option can have negative consequences. +It may result in confusion between domain and local users with identical names, potentially leading +to incorrect assignment of user permissions and unintentional permission escalation, +thus creating a security risk. Therefore, it is advisable to avoid using this option in most cases.
SyncOnClose Yes
SyncOnClose No
Specifies whether the scheduler calls diff --git a/man/cups-files.conf.5 b/man/cups-files.conf.5 index 29c90aa49a..8358b62a14 100644 --- a/man/cups-files.conf.5 +++ b/man/cups-files.conf.5 @@ -210,6 +210,17 @@ Note: the standard CUPS filter and backend environment variables cannot be overr \fBStateDir \fIdirectory\fR Specifies the directory to use for PID and local certificate files. The default is "/var/run/cups" or "/etc/cups" depending on the platform. +.\"#StripUserDomain +.TP 5 +\StripUserDomain Yes\fR +.TP 5 +\StripUserDomain No\fR +Specifies whether to remove domain from user name during local user authentication (e.g., "user@example.com" –> "user"). +This practice can be beneficial for maintaining compatibility with older versions of Kerberos. +However, enabling this option can have negative consequences. +It may result in confusion between domain and local users with identical names, potentially leading +to incorrect assignment of user permissions and unintentional permission escalation, +thus creating a security risk. Therefore, it is advisable to avoid using this option in most cases. .\"#SyncOnClose .TP 5 \fBSyncOnClose Yes\fR diff --git a/scheduler/auth.c b/scheduler/auth.c index d0430b4811..5fa53644de 100644 --- a/scheduler/auth.c +++ b/scheduler/auth.c @@ -1722,14 +1722,14 @@ cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */ * Strip any @domain or @KDC from the username and owner... */ - if ((ptr = strchr(username, '@')) != NULL) + if (StripUserDomain && (ptr = strchr(username, '@')) != NULL) *ptr = '\0'; if (owner) { strlcpy(ownername, owner, sizeof(ownername)); - if ((ptr = strchr(ownername, '@')) != NULL) + if (StripUserDomain && (ptr = strchr(ownername, '@')) != NULL) *ptr = '\0'; } else diff --git a/scheduler/conf.c b/scheduler/conf.c index 0d4bb6ae3d..3184d72f01 100644 --- a/scheduler/conf.c +++ b/scheduler/conf.c @@ -154,6 +154,7 @@ static const cupsd_var_t cupsfiles_vars[] = #endif /* HAVE_TLS */ { "ServerRoot", &ServerRoot, CUPSD_VARTYPE_PATHNAME }, { "StateDir", &StateDir, CUPSD_VARTYPE_STRING }, + { "StripUserDomain", &StripUserDomain, CUPSD_VARTYPE_BOOLEAN }, { "SyncOnClose", &SyncOnClose, CUPSD_VARTYPE_BOOLEAN }, #ifdef HAVE_AUTHORIZATION_H { "SystemGroupAuthKey", &SystemGroupAuthKey, CUPSD_VARTYPE_STRING }, @@ -729,6 +730,7 @@ cupsdReadConfiguration(void) LogFilePerm = CUPS_DEFAULT_LOG_FILE_PERM; LogFileGroup = Group; LogLevel = CUPSD_LOG_WARN; + StripUserDomain = FALSE; LogTimeFormat = CUPSD_TIME_STANDARD; MaxClients = 100; MaxClientsPerHost = 0; diff --git a/scheduler/conf.h b/scheduler/conf.h index 2e5aac6ce8..a607bf85c4 100644 --- a/scheduler/conf.h +++ b/scheduler/conf.h @@ -176,6 +176,8 @@ VAR gid_t LogFileGroup VALUE(0); /* Group ID for log files */ VAR cupsd_loglevel_t LogLevel VALUE(CUPSD_LOG_WARN); /* Error log level */ +VAR int StripUserDomain VALUE(FALSE); + /* Strip domain in local username? */ VAR cupsd_time_t LogTimeFormat VALUE(CUPSD_TIME_STANDARD); /* Log file time format */ VAR cups_file_t *LogStderr VALUE(NULL);