From: mike Date: Mon, 1 Apr 2013 16:51:23 +0000 (+0000) Subject: Fix auth key defaults on OS X. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=99b1643fe18ffadf18989a6c5a4c080438a067b9;p=thirdparty%2Fcups.git Fix auth key defaults on OS X. git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@10928 7a7537e8-13f0-0310-91df-b6672ffda945 --- diff --git a/CHANGES-1.6.txt b/CHANGES-1.6.txt index 9de6bdb22f..e85a29fa9f 100644 --- a/CHANGES-1.6.txt +++ b/CHANGES-1.6.txt @@ -3,6 +3,11 @@ CHANGES-1.6.txt CHANGES IN CUPS V1.6.3 + - Fixed a regression on the handling of auth keys on OS X if the + cups-files.conf was not present or did not contain a SystemAuthKey + value. + - The scheduler incorrectly did a reverse lookup of the server address + when HostNameLookups was turned off (STR #4302) - The scheduler incorrectly computed the final content type value when null filters were present. diff --git a/config-scripts/cups-common.m4 b/config-scripts/cups-common.m4 index 6c6a0d0cd7..e0abfe1bcb 100644 --- a/config-scripts/cups-common.m4 +++ b/config-scripts/cups-common.m4 @@ -338,6 +338,7 @@ AC_SUBST(DBUS_NOTIFIERLIBS) dnl Extra platform-specific libraries... CUPS_DEFAULT_PRINTOPERATOR_AUTH="@SYSTEM" +CUPS_DEFAULT_SYSTEM_AUTHKEY="" CUPS_SYSTEM_AUTHKEY="" INSTALLXPC="" @@ -385,10 +386,13 @@ case $uname in if test "x$default_adminkey" != xdefault; then CUPS_SYSTEM_AUTHKEY="SystemGroupAuthKey $default_adminkey" + CUPS_DEFAULT_SYSTEM_AUTHKEY="$default_adminkey" elif grep -q system.print.operator /etc/authorization; then CUPS_SYSTEM_AUTHKEY="SystemGroupAuthKey system.print.admin" + CUPS_DEFAULT_SYSTEM_AUTHKEY="system.print.admin" else CUPS_SYSTEM_AUTHKEY="SystemGroupAuthKey system.preferences" + CUPS_DEFAULT_SYSTEM_AUTHKEY="system.preferences" fi if test "x$default_operkey" != xdefault; then 
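Review bot: In the `@@ -385,10 +386,13 @@` hunk of config-scripts/cups-common.m4, the `elif`/`else` branches pick the new `CUPS_DEFAULT_SYSTEM_AUTHKEY` value by grepping `/etc/authorization` on the build host, and the later `AC_DEFINE_UNQUOTED` in this commit compiles that choice into the scheduler as its default. A binary built on one system and installed on another could then default to a right name that the target's authorization database does not define; nothing visible here shows how that mismatch would be handled at run time. I would record this above the `if test "x$default_adminkey" != xdefault` line with something like `dnl NOTE: the auth key default is probed on the build host and compiled into cupsd; set default_adminkey explicitly when packaging for other systems.` The enclosing `case $uname in` block starts and ends outside the hunk.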
@@ -426,6 +430,7 @@ esac AC_SUBST(CUPS_DEFAULT_PRINTOPERATOR_AUTH) AC_DEFINE_UNQUOTED(CUPS_DEFAULT_PRINTOPERATOR_AUTH, "$CUPS_DEFAULT_PRINTOPERATOR_AUTH") +AC_DEFINE_UNQUOTED(CUPS_DEFAULT_SYSTEM_AUTHKEY, "$CUPS_DEFAULT_SYSTEM_AUTHKEY") AC_SUBST(CUPS_SYSTEM_AUTHKEY) AC_SUBST(INSTALLXPC) diff --git a/config.h.in b/config.h.in index 1408ca9db6..e708598aca 100644 --- a/config.h.in +++ b/config.h.in @@ -32,6 +32,7 @@ #define CUPS_DEFAULT_GROUP "sys" #define CUPS_DEFAULT_SYSTEM_GROUPS "sys root system" #define CUPS_DEFAULT_PRINTOPERATOR_AUTH "@SYSTEM" +#define CUPS_DEFAULT_SYSTEM_AUTHKEY "system.print.admin" /* diff --git a/scheduler/auth.c b/scheduler/auth.c index 6633d38bbc..5c7f05731e 100644 --- a/scheduler/auth.c +++ b/scheduler/auth.c @@ -513,18 +513,37 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ socklen_t peersize; /* Size of peer credentials */ #ifdef HAVE_AUTHORIZATION_H const char *name; /* Authorizing name */ + int no_peer = 0; /* Don't allow peer credentials? */ + + /* + * See if we should allow peer credentials... + */ for (name = (char *)cupsArrayFirst(con->best->names); name; name = (char *)cupsArrayNext(con->best->names)) + { if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) || !_cups_strcasecmp(name, "@SYSTEM")) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "[Client %d] PeerCred authentication not allowed for " - "resource.", con->http.fd); - return; + /* Normally don't want peer credentials if we need an auth key... */ + no_peer = 1; } + else if (!_cups_strcasecmp(name, "@OWNER")) + { + /* but if @OWNER is present then we allow it... */ + no_peer = 0; + break; + } + } + + if (no_peer) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + "[Client %d] PeerCred authentication not allowed for " + "resource per AUTHKEY policy.", con->http.fd); + return; + } #endif /* HAVE_AUTHORIZATION_H */ if ((pwd = getpwnam(authorization + 9)) == NULL) diff --git a/scheduler/conf.c b/scheduler/conf.c index 1613e9757e..b812119356 100644 --- a/scheduler/conf.c 
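Review bot: In the `cupsdAuthorize` hunk of scheduler/auth.c, the new loop clears `no_peer` and breaks as soon as `@OWNER` appears in `con->best->names`, so a policy that lists `@OWNER` together with `@SYSTEM` or `@AUTHKEY(...)` now lets any caller proceed down the peer-credential path, not only the owner. Whether a non-owner is still held to the auth key then depends on the later authorization check, which is outside this hunk, and that dependency should be stated where the exception is made, e.g. `/* @OWNER present: accept PeerCred here; ownership and the @SYSTEM/@AUTHKEY requirement must still be enforced when the request is authorized */`. The log text `per AUTHKEY policy` is also emitted when only `@SYSTEM` matched; including the matched name in the message would make a denial easier to trace. The function body begins before and continues after the hunk.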
+++ b/scheduler/conf.c @@ -704,7 +704,7 @@ cupsdReadConfiguration(void) AccessLogLevel = CUPSD_ACCESSLOG_ACTIONS; ConfigFilePerm = CUPS_DEFAULT_CONFIG_FILE_PERM; FatalErrors = parse_fatal_errors(CUPS_DEFAULT_FATAL_ERRORS); - default_auth_type = CUPSD_AUTH_BASIC; + default_auth_type = CUPSD_AUTH_BASIC; #ifdef HAVE_SSL DefaultEncryption = HTTP_ENCRYPT_REQUIRED; SSLOptions = CUPSD_SSL_NONE; @@ -766,7 +766,7 @@ cupsdReadConfiguration(void) cupsdClearString(&DefaultPolicy); #ifdef HAVE_AUTHORIZATION_H - cupsdClearString(&SystemGroupAuthKey); + cupsdSetString(&SystemGroupAuthKey, CUPS_DEFAULT_SYSTEM_AUTHKEY); #endif /* HAVE_AUTHORIZATION_H */ MaxSubscriptions = 100; @@ -3349,7 +3349,7 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ !_cups_strcasecmp(line, "TempDir") || !_cups_strcasecmp(line, "User")) { - cupsdLogMessage(CUPSD_LOG_WARN, + cupsdLogMessage(CUPSD_LOG_INFO, "Please move \"%s%s%s\" on line %d of %s to the %s file; " "this will become an error in a future release.", line, value ? " " : "", value ? value : "", linenum,
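Review bot: In the `@@ -766,7 +766,7 @@` hunk of scheduler/conf.c, `cupsdSetString(&SystemGroupAuthKey, CUPS_DEFAULT_SYSTEM_AUTHKEY)` replaces a clear-to-NULL with whatever configure produced, and cups-common.m4 in this same commit initialises that macro to `""` before the platform `case`. If `cupsdSetString` stores an empty string rather than NULL (its definition is not shown here), code that tests `SystemGroupAuthKey` for NULL would treat an empty key as a configured one. Guarding the call keeps the previous behaviour for that case: `if (CUPS_DEFAULT_SYSTEM_AUTHKEY[0]) cupsdSetString(&SystemGroupAuthKey, CUPS_DEFAULT_SYSTEM_AUTHKEY); else cupsdClearString(&SystemGroupAuthKey);`. `cupsdReadConfiguration` continues outside the hunk.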