From 0563a28b18b21d5574a5e0e38b74246146074bbf Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Tue, 27 Oct 2020 16:18:03 +0100 Subject: [PATCH] Allow Local authentication for Negotiate PeerCred is also possible if address family is AF_LOCAL. This will allow the CGI programs to generate the authorization from the local certificates based on PID also when Negotiate is used for local connections: Client CGI Browser <- Remote conn -> admin.cgi <--- Localhost conn ---> Scheduler | | | + --- HTTP/POST /admin/ --> | | | + --- CUPS-Get-Devices ------------> | | | | | | <-- 401 Unauthorized --------------+ | | WWW-Authenticate: | | | Negotiate, (PeerCred,) Local | | | | | <-- 401 Unauthorized -----+ | | WWW-Authenticate: | | | Negotiate | | | | | | --- HTTP/POST /admin/ --> | | | Authorization: + --- IPP CUPS-GetDevices ---------> | | Negotiate | Authorization: Local | | | | Fixes: #5596 Signed-off-by: Samuel Cabrero --- cups/auth.c | 5 ----- scheduler/client.c | 9 ++------- 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/cups/auth.c b/cups/auth.c index 9661657fc7..b6fec6b983 100644 --- a/cups/auth.c +++ b/cups/auth.c @@ -1043,11 +1043,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ } # endif /* HAVE_AUTHORIZATION_H */ -# ifdef HAVE_GSSAPI - if (cups_auth_find(www_auth, "Negotiate")) - return (1); -# endif /* HAVE_GSSAPI */ - # if defined(SO_PEERCRED) && defined(AF_LOCAL) /* * See if we can authenticate using the peer credentials provided over a diff --git a/scheduler/client.c b/scheduler/client.c index c2ee8f12a6..56797d58d7 100644 --- a/scheduler/client.c +++ b/scheduler/client.c 
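Review bot: With the `HAVE_GSSAPI` early return gone, cups_local_auth() reaches the `SO_PEERCRED` block for `Negotiate` challenges too, and nothing at this point in the function says that this ordering is intentional. The function continues outside the hunk, so it is worth confirming that each remaining path still requires the server to have advertised `PeerCred` or `Local` in `www_auth` before any local credential is sent; the removed check was the only scheme test visible here. A comment above `# if defined(SO_PEERCRED) && defined(AF_LOCAL)` would stop the guard from being reinstated by mistake, for example `/* Negotiate does not return early: local schemes are tried first when the server also offers them. */`.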
@@ -2109,18 +2109,13 @@ cupsdSendHeader( } else if (auth_type == CUPSD_AUTH_NEGOTIATE) { -#if defined(SO_PEERCRED) && defined(AF_LOCAL) - if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) - strlcpy(auth_str, "PeerCred", sizeof(auth_str)); - else -#endif /* SO_PEERCRED && AF_LOCAL */ strlcpy(auth_str, "Negotiate", sizeof(auth_str)); } - if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost")) + if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost")) { /* - * Add a "trc" (try root certification) parameter for local non-Kerberos + * Add a "trc" (try root certification) parameter for local * requests when the request requires system group membership - then the * client knows the root certificate can/should be used. * -- 2.47.2
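Review bot: Dropping `auth_type != CUPSD_AUTH_NEGOTIATE` from the `if (con->best && !con->is_browser && ...)` condition means Negotiate-protected requests now receive the `trc` (try root certification) hint, so the only gates left are `!con->is_browser` and a case-insensitive compare of `httpGetHostname()` against `"localhost"`. The rewritten comment only shortens "local non-Kerberos" to "local" and does not say that this is a deliberate widening, which matters to an administrator who chose Negotiate expecting a Kerberos identity on every request; a line such as `* This includes AuthType Negotiate: local non-browser clients may use certificate auth instead of Kerberos.` would document it. It is also worth confirming that the hostname compared here is derived from the peer address and not from a value the client can influence, since that string now decides whether certificate authentication is offered for Negotiate locations as well; the body of this block continues outside the hunk.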