1 /*
2 * Authorization routines for the CUPS scheduler.
3 *
4 * Copyright © 2007-2019 by Apple Inc.
5 * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
6 *
7 * This file contains Kerberos support code, copyright 2006 by
8 * Jelmer Vernooij.
9 *
10 * Licensed under Apache License v2.0. See the file "LICENSE" for more
11 * information.
12 */
13
14 /*
15 * Include necessary headers...
16 */
17
18 #include "cupsd.h"
19 #include <grp.h>
20 #ifdef HAVE_SHADOW_H
21 # include <shadow.h>
22 #endif /* HAVE_SHADOW_H */
23 #ifdef HAVE_CRYPT_H
24 # include <crypt.h>
25 #endif /* HAVE_CRYPT_H */
26 #if HAVE_LIBPAM
27 # ifdef HAVE_PAM_PAM_APPL_H
28 # include <pam/pam_appl.h>
29 # else
30 # include <security/pam_appl.h>
31 # endif /* HAVE_PAM_PAM_APPL_H */
32 #endif /* HAVE_LIBPAM */
33 #ifdef HAVE_MEMBERSHIP_H
34 # include <membership.h>
35 #endif /* HAVE_MEMBERSHIP_H */
36 #ifdef HAVE_AUTHORIZATION_H
37 # include <Security/AuthorizationTags.h>
38 #endif /* HAVE_AUTHORIZATION_H */
39 #ifdef HAVE_SYS_PARAM_H
40 # include <sys/param.h>
41 #endif /* HAVE_SYS_PARAM_H */
42 #ifdef HAVE_SYS_UCRED_H
43 # include <sys/ucred.h>
44 typedef struct xucred cupsd_ucred_t;
45 # define CUPSD_UCRED_UID(c) (c).cr_uid
46 #else
47 # ifndef __OpenBSD__
48 typedef struct ucred cupsd_ucred_t;
49 # else
50 typedef struct sockpeercred cupsd_ucred_t;
51 # endif
52 # define CUPSD_UCRED_UID(c) (c).uid
53 #endif /* HAVE_SYS_UCRED_H */
54
55
56 /*
57 * Local functions...
58 */
59
60 #ifdef HAVE_AUTHORIZATION_H
61 static int check_authref(cupsd_client_t *con, const char *right);
62 #endif /* HAVE_AUTHORIZATION_H */
63 static int compare_locations(cupsd_location_t *a,
64 cupsd_location_t *b);
65 static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data);
66 static void free_authmask(cupsd_authmask_t *am, void *data);
67 #if HAVE_LIBPAM
68 static int pam_func(int, const struct pam_message **,
69 struct pam_response **, void *);
70 #endif /* HAVE_LIBPAM */
71
72
73 /*
74 * Local structures...
75 */
76
77 #if HAVE_LIBPAM
78 typedef struct cupsd_authdata_s /**** Authentication data ****/
79 {
80 char username[HTTP_MAX_VALUE], /* Username string */
81 password[HTTP_MAX_VALUE]; /* Password string */
82 } cupsd_authdata_t;
83 #endif /* HAVE_LIBPAM */
84
85
86 /*
87 * 'cupsdAddIPMask()' - Add an IP address authorization mask.
88 */
89
90 int /* O - 1 on success, 0 on failure */
cupsdAddIPMask(cups_array_t ** masks,const unsigned address[4],const unsigned netmask[4])91 cupsdAddIPMask(
92 cups_array_t **masks, /* IO - Masks array (created as needed) */
93 const unsigned address[4], /* I - IP address */
94 const unsigned netmask[4]) /* I - IP netmask */
95 {
96 cupsd_authmask_t temp; /* New host/domain mask */
97
98
99 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddIPMask(masks=%p(%p), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)", masks, *masks, address[0], address[1], address[2], address[3], netmask[0], netmask[1], netmask[2], netmask[3]);
100
101 temp.type = CUPSD_AUTH_IP;
102 memcpy(temp.mask.ip.address, address, sizeof(temp.mask.ip.address));
103 memcpy(temp.mask.ip.netmask, netmask, sizeof(temp.mask.ip.netmask));
104
105 /*
106 * Create the masks array as needed and add...
107 */
108
109 if (!*masks)
110 *masks = cupsArrayNew3(NULL, NULL, NULL, 0,
111 (cups_acopy_func_t)copy_authmask,
112 (cups_afree_func_t)free_authmask);
113
114 return (cupsArrayAdd(*masks, &temp));
115 }
116
117
118 /*
119 * 'cupsdAddLocation()' - Add a location for authorization.
120 */
121
122 void
cupsdAddLocation(cupsd_location_t * loc)123 cupsdAddLocation(cupsd_location_t *loc) /* I - Location to add */
124 {
125 /*
126 * Make sure the locations array is created...
127 */
128
129 if (!Locations)
130 Locations = cupsArrayNew3((cups_array_func_t)compare_locations, NULL,
131 (cups_ahash_func_t)NULL, 0,
132 (cups_acopy_func_t)NULL,
133 (cups_afree_func_t)cupsdFreeLocation);
134
135 if (Locations)
136 {
137 cupsArrayAdd(Locations, loc);
138
139 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: Added location \"%s\"", loc->location ? loc->location : "(null)");
140 }
141 }
142
143
144 /*
145 * 'cupsdAddName()' - Add a name to a location...
146 */
147
148 void
cupsdAddName(cupsd_location_t * loc,char * name)149 cupsdAddName(cupsd_location_t *loc, /* I - Location to add to */
150 char *name) /* I - Name to add */
151 {
152 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")", loc, name);
153
154 if (!loc->names)
155 loc->names = cupsArrayNew3(NULL, NULL, NULL, 0,
156 (cups_acopy_func_t)_cupsStrAlloc,
157 (cups_afree_func_t)_cupsStrFree);
158
159 if (!cupsArrayAdd(loc->names, name))
160 {
161 cupsdLogMessage(CUPSD_LOG_ERROR,
162 "Unable to duplicate name for location %s: %s",
163 loc->location ? loc->location : "nil", strerror(errno));
164 return;
165 }
166 }
167
168
169 /*
170 * 'cupsdAddNameMask()' - Add a host or interface name authorization mask.
171 */
172
173 int /* O - 1 on success, 0 on failure */
cupsdAddNameMask(cups_array_t ** masks,char * name)174 cupsdAddNameMask(cups_array_t **masks, /* IO - Masks array (created as needed) */
175 char *name) /* I - Host or interface name */
176 {
177 cupsd_authmask_t temp; /* New host/domain mask */
178 char ifname[32], /* Interface name */
179 *ifptr; /* Pointer to end of name */
180
181
182 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddNameMask(masks=%p(%p), name=\"%s\")", masks, *masks, name);
183
184 if (!_cups_strcasecmp(name, "@LOCAL"))
185 {
186 /*
187 * Deny *interface*...
188 */
189
190 temp.type = CUPSD_AUTH_INTERFACE;
191 temp.mask.name.name = (char *)"*";
192 }
193 else if (!_cups_strncasecmp(name, "@IF(", 4))
194 {
195 /*
196 * Deny *interface*...
197 */
198
199 strlcpy(ifname, name + 4, sizeof(ifname));
200
201 ifptr = ifname + strlen(ifname) - 1;
202
203 if (ifptr >= ifname && *ifptr == ')')
204 {
205 *ifptr = '\0';
206 }
207
208 temp.type = CUPSD_AUTH_INTERFACE;
209 temp.mask.name.name = ifname;
210 }
211 else
212 {
213 /*
214 * Deny name...
215 */
216
217 if (*name == '*')
218 name ++;
219
220 temp.type = CUPSD_AUTH_NAME;
221 temp.mask.name.name = (char *)name;
222 }
223
224 /*
225 * Set the name length...
226 */
227
228 temp.mask.name.length = strlen(temp.mask.name.name);
229
230 /*
231 * Create the masks array as needed and add...
232 */
233
234 if (!*masks)
235 *masks = cupsArrayNew3(NULL, NULL, NULL, 0,
236 (cups_acopy_func_t)copy_authmask,
237 (cups_afree_func_t)free_authmask);
238
239 return (cupsArrayAdd(*masks, &temp));
240 }
241
242
243 /*
244 * 'cupsdAuthorize()' - Validate any authorization credentials.
245 */
246
247 void
cupsdAuthorize(cupsd_client_t * con)248 cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
249 {
250 int type; /* Authentication type */
251 const char *authorization; /* Pointer into Authorization string */
252 char *ptr, /* Pointer into string */
253 username[HTTP_MAX_VALUE],
254 /* Username string */
255 password[HTTP_MAX_VALUE];
256 /* Password string */
257 cupsd_cert_t *localuser; /* Certificate username */
258
259
260 /*
261 * Locate the best matching location so we know what kind of
262 * authentication to expect...
263 */
264
265 con->best = cupsdFindBest(con->uri, httpGetState(con->http));
266 con->type = CUPSD_AUTH_NONE;
267
268 cupsdLogClient(con, CUPSD_LOG_DEBUG2, "con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location : "");
269
270 if (con->best && con->best->type != CUPSD_AUTH_NONE)
271 {
272 if (con->best->type == CUPSD_AUTH_DEFAULT)
273 type = cupsdDefaultAuthType();
274 else
275 type = con->best->type;
276 }
277 else
278 type = cupsdDefaultAuthType();
279
280 /*
281 * Decode the Authorization string...
282 */
283
284 authorization = httpGetField(con->http, HTTP_FIELD_AUTHORIZATION);
285
286 username[0] = '\0';
287 password[0] = '\0';
288
289 #ifdef HAVE_GSSAPI
290 con->gss_uid = 0;
291 #endif /* HAVE_GSSAPI */
292
293 #ifdef HAVE_AUTHORIZATION_H
294 if (con->authref)
295 {
296 AuthorizationFree(con->authref, kAuthorizationFlagDefaults);
297 con->authref = NULL;
298 }
299 #endif /* HAVE_AUTHORIZATION_H */
300
301 if (!*authorization)
302 {
303 /*
304 * No authorization data provided, return early...
305 */
306
307 cupsdLogClient(con, CUPSD_LOG_DEBUG, "No authentication data provided.");
308 return;
309 }
310 #ifdef HAVE_AUTHORIZATION_H
311 else if (!strncmp(authorization, "AuthRef ", 8) &&
312 httpAddrLocalhost(httpGetAddress(con->http)))
313 {
314 OSStatus status; /* Status */
315 char authdata[HTTP_MAX_VALUE];
316 /* Nonce value from client */
317 int authlen; /* Auth string length */
318 AuthorizationItemSet *authinfo; /* Authorization item set */
319
320 /*
321 * Get the Authorization Services data...
322 */
323
324 authorization += 8;
325 while (isspace(*authorization & 255))
326 authorization ++;
327
328 authlen = sizeof(authdata);
329 httpDecode64_2(authdata, &authlen, authorization);
330
331 if (authlen != kAuthorizationExternalFormLength)
332 {
333 cupsdLogClient(con, CUPSD_LOG_ERROR, "External Authorization reference size is incorrect.");
334 return;
335 }
336
337 if ((status = AuthorizationCreateFromExternalForm((AuthorizationExternalForm *)authdata, &con->authref)) != 0)
338 {
339 cupsdLogClient(con, CUPSD_LOG_ERROR, "AuthorizationCreateFromExternalForm returned %d", (int)status);
340 return;
341 }
342
343 username[0] = '\0';
344
345 if (!AuthorizationCopyInfo(con->authref, kAuthorizationEnvironmentUsername,
346 &authinfo))
347 {
348 if (authinfo->count == 1 && authinfo->items[0].value &&
349 authinfo->items[0].valueLength >= 2)
350 {
351 strlcpy(username, authinfo->items[0].value, sizeof(username));
352
353 cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef.", username);
354 }
355
356 AuthorizationFreeItemSet(authinfo);
357 }
358
359 if (!username[0])
360 {
361 /*
362 * No username in AuthRef, grab username using peer credentials...
363 */
364
365 struct passwd *pwd; /* Password entry for this user */
366 cupsd_ucred_t peercred; /* Peer credentials */
367 socklen_t peersize; /* Size of peer credentials */
368
369 peersize = sizeof(peercred);
370
371 if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
372 {
373 cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
374 return;
375 }
376
377 if ((pwd = getpwuid(CUPSD_UCRED_UID(peercred))) == NULL)
378 {
379 cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to find UID %d for peer credentials.", (int)CUPSD_UCRED_UID(peercred));
380 return;
381 }
382
383 strlcpy(username, pwd->pw_name, sizeof(username));
384
385 cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using AuthRef + PeerCred.", username);
386 }
387
388 con->type = CUPSD_AUTH_BASIC;
389 }
390 #endif /* HAVE_AUTHORIZATION_H */
391 #if defined(SO_PEERCRED) && defined(AF_LOCAL)
392 else if (!strncmp(authorization, "PeerCred ", 9) &&
393 con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
394 {
395 /*
396 * Use peer credentials from domain socket connection...
397 */
398
399 struct passwd *pwd; /* Password entry for this user */
400 cupsd_ucred_t peercred; /* Peer credentials */
401 socklen_t peersize; /* Size of peer credentials */
402 #ifdef HAVE_AUTHORIZATION_H
403 const char *name; /* Authorizing name */
404 int no_peer = 0; /* Don't allow peer credentials? */
405
406 /*
407 * See if we should allow peer credentials...
408 */
409
410 for (name = (char *)cupsArrayFirst(con->best->names);
411 name;
412 name = (char *)cupsArrayNext(con->best->names))
413 {
414 if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) ||
415 !_cups_strcasecmp(name, "@SYSTEM"))
416 {
417 /* Normally don't want peer credentials if we need an auth key... */
418 no_peer = 1;
419 }
420 else if (!_cups_strcasecmp(name, "@OWNER"))
421 {
422 /* but if @OWNER is present then we allow it... */
423 no_peer = 0;
424 break;
425 }
426 }
427
428 if (no_peer)
429 {
430 cupsdLogClient(con, CUPSD_LOG_ERROR, "PeerCred authentication not allowed for resource per AUTHKEY policy.");
431 return;
432 }
433 #endif /* HAVE_AUTHORIZATION_H */
434
435 if ((pwd = getpwnam(authorization + 9)) == NULL)
436 {
437 cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9);
438 return;
439 }
440
441 peersize = sizeof(peercred);
442
443 # ifdef __APPLE__
444 if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
445 # else
446 if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
447 # endif /* __APPLE__ */
448 {
449 cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
450 return;
451 }
452
453 if (pwd->pw_uid != CUPSD_UCRED_UID(peercred))
454 {
455 cupsdLogClient(con, CUPSD_LOG_ERROR, "Invalid peer credentials for \"%s\" - got %d, expected %d.", authorization + 9, CUPSD_UCRED_UID(peercred), pwd->pw_uid);
456 # ifdef HAVE_SYS_UCRED_H
457 cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_version=%d", peercred.cr_version);
458 cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_uid=%d", peercred.cr_uid);
459 cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_ngroups=%d", peercred.cr_ngroups);
460 cupsdLogClient(con, CUPSD_LOG_DEBUG2, "cr_groups[0]=%d", peercred.cr_groups[0]);
461 # endif /* HAVE_SYS_UCRED_H */
462 return;
463 }
464
465 strlcpy(username, authorization + 9, sizeof(username));
466
467 # ifdef HAVE_GSSAPI
468 con->gss_uid = CUPSD_UCRED_UID(peercred);
469 # endif /* HAVE_GSSAPI */
470
471 cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using PeerCred.", username);
472
473 con->type = CUPSD_AUTH_BASIC;
474 }
475 #endif /* SO_PEERCRED && AF_LOCAL */
476 else if (!strncmp(authorization, "Local", 5) &&
477 httpAddrLocalhost(httpGetAddress(con->http)))
478 {
479 /*
480 * Get Local certificate authentication data...
481 */
482
483 authorization += 5;
484 while (isspace(*authorization & 255))
485 authorization ++;
486
487 if ((localuser = cupsdFindCert(authorization)) == NULL)
488 {
489 cupsdLogClient(con, CUPSD_LOG_ERROR, "Local authentication certificate not found.");
490 return;
491 }
492
493 strlcpy(username, localuser->username, sizeof(username));
494 con->type = localuser->type;
495
496 cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as %s using Local.", username);
497 }
498 else if (!strncmp(authorization, "Basic", 5))
499 {
500 /*
501 * Get the Basic authentication data...
502 */
503
504 int userlen; /* Username:password length */
505
506
507 authorization += 5;
508 while (isspace(*authorization & 255))
509 authorization ++;
510
511 userlen = sizeof(username);
512 httpDecode64_2(username, &userlen, authorization);
513
514 /*
515 * Pull the username and password out...
516 */
517
518 if ((ptr = strchr(username, ':')) == NULL)
519 {
520 cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing Basic password.");
521 return;
522 }
523
524 *ptr++ = '\0';
525
526 if (!username[0])
527 {
528 /*
529 * Username must not be empty...
530 */
531
532 cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic username.");
533 return;
534 }
535
536 if (!*ptr)
537 {
538 /*
539 * Password must not be empty...
540 */
541
542 cupsdLogClient(con, CUPSD_LOG_ERROR, "Empty Basic password.");
543 return;
544 }
545
546 strlcpy(password, ptr, sizeof(password));
547
548 /*
549 * Validate the username and password...
550 */
551
552 switch (type)
553 {
554 default :
555 case CUPSD_AUTH_BASIC :
556 {
557 #if HAVE_LIBPAM
558 /*
559 * Only use PAM to do authentication. This supports MD5
560 * passwords, among other things...
561 */
562
563 pam_handle_t *pamh; /* PAM authentication handle */
564 int pamerr; /* PAM error code */
565 struct pam_conv pamdata;/* PAM conversation data */
566 cupsd_authdata_t data; /* Authentication data */
567
568
569 strlcpy(data.username, username, sizeof(data.username));
570 strlcpy(data.password, password, sizeof(data.password));
571
572 # ifdef __sun
573 pamdata.conv = (int (*)(int, struct pam_message **,
574 struct pam_response **,
575 void *))pam_func;
576 # else
577 pamdata.conv = pam_func;
578 # endif /* __sun */
579 pamdata.appdata_ptr = &data;
580
581 pamerr = pam_start("cups", username, &pamdata, &pamh);
582 if (pamerr != PAM_SUCCESS)
583 {
584 cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_start() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
585 return;
586 }
587
588 # ifdef HAVE_PAM_SET_ITEM
589 # ifdef PAM_RHOST
590 pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname);
591 if (pamerr != PAM_SUCCESS)
592 cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_RHOST) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
593 # endif /* PAM_RHOST */
594
595 # ifdef PAM_TTY
596 pamerr = pam_set_item(pamh, PAM_TTY, "cups");
597 if (pamerr != PAM_SUCCESS)
598 cupsdLogClient(con, CUPSD_LOG_WARN, "pam_set_item(PAM_TTY) returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
599 # endif /* PAM_TTY */
600 # endif /* HAVE_PAM_SET_ITEM */
601
602 pamerr = pam_authenticate(pamh, PAM_SILENT);
603 if (pamerr != PAM_SUCCESS)
604 {
605 cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_authenticate() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
606 pam_end(pamh, 0);
607 return;
608 }
609
610 # ifdef HAVE_PAM_SETCRED
611 pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
612 if (pamerr != PAM_SUCCESS)
613 cupsdLogClient(con, CUPSD_LOG_WARN, "pam_setcred() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
614 # endif /* HAVE_PAM_SETCRED */
615
616 pamerr = pam_acct_mgmt(pamh, PAM_SILENT);
617 if (pamerr != PAM_SUCCESS)
618 {
619 cupsdLogClient(con, CUPSD_LOG_ERROR, "pam_acct_mgmt() returned %d (%s)", pamerr, pam_strerror(pamh, pamerr));
620 pam_end(pamh, 0);
621 return;
622 }
623
624 pam_end(pamh, PAM_SUCCESS);
625
626 #else
627 /*
628 * Use normal UNIX password file-based authentication...
629 */
630
631 char *pass; /* Encrypted password */
632 struct passwd *pw; /* User password data */
633 # ifdef HAVE_SHADOW_H
634 struct spwd *spw; /* Shadow password data */
635 # endif /* HAVE_SHADOW_H */
636
637
638 pw = getpwnam(username); /* Get the current password */
639 endpwent(); /* Close the password file */
640
641 if (!pw)
642 {
643 /*
644 * No such user...
645 */
646
647 cupsdLogClient(con, CUPSD_LOG_ERROR, "Unknown username \"%s\".", username);
648 return;
649 }
650
651 # ifdef HAVE_SHADOW_H
652 spw = getspnam(username);
653 endspent();
654
655 if (!spw && !strcmp(pw->pw_passwd, "x"))
656 {
657 /*
658 * Don't allow blank passwords!
659 */
660
661 cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no shadow password.", username);
662 return;
663 }
664
665 if (spw && !spw->sp_pwdp[0] && !pw->pw_passwd[0])
666 # else
667 if (!pw->pw_passwd[0])
668 # endif /* HAVE_SHADOW_H */
669 {
670 /*
671 * Don't allow blank passwords!
672 */
673
674 cupsdLogClient(con, CUPSD_LOG_ERROR, "Username \"%s\" has no password.", username);
675 return;
676 }
677
678 /*
679 * OK, the password isn't blank, so compare with what came from the
680 * client...
681 */
682
683 pass = crypt(password, pw->pw_passwd);
684
685 if (!pass || strcmp(pw->pw_passwd, pass))
686 {
687 # ifdef HAVE_SHADOW_H
688 if (spw)
689 {
690 pass = crypt(password, spw->sp_pwdp);
691
692 if (pass == NULL || strcmp(spw->sp_pwdp, pass))
693 {
694 cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
695 return;
696 }
697 }
698 else
699 # endif /* HAVE_SHADOW_H */
700 {
701 cupsdLogClient(con, CUPSD_LOG_ERROR, "Authentication failed for user \"%s\".", username);
702 return;
703 }
704 }
705 #endif /* HAVE_LIBPAM */
706 }
707
708 cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);
709 break;
710 }
711
712 con->type = type;
713 }
714 #ifdef HAVE_GSSAPI
715 else if (!strncmp(authorization, "Negotiate", 9))
716 {
717 int len; /* Length of authorization string */
718 gss_ctx_id_t context; /* Authorization context */
719 OM_uint32 major_status, /* Major status code */
720 minor_status; /* Minor status code */
721 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER,
722 /* Input token from string */
723 output_token = GSS_C_EMPTY_BUFFER;
724 /* Output token for username */
725 gss_name_t client_name; /* Client name */
726
727
728 # ifdef __APPLE__
729 /*
730 * If the weak-linked GSSAPI/Kerberos library is not present, don't try
731 * to use it...
732 */
733
734 if (&gss_init_sec_context == NULL)
735 {
736 cupsdLogClient(con, CUPSD_LOG_WARN, "GSSAPI/Kerberos authentication failed because the Kerberos framework is not present.");
737 return;
738 }
739 # endif /* __APPLE__ */
740
741 /*
742 * Find the start of the Kerberos input token...
743 */
744
745 authorization += 9;
746 while (isspace(*authorization & 255))
747 authorization ++;
748
749 if (!*authorization)
750 {
751 cupsdLogClient(con, CUPSD_LOG_DEBUG2, "No authentication data specified.");
752 return;
753 }
754
755 /*
756 * Decode the authorization string to get the input token...
757 */
758
759 len = (int)strlen(authorization) + 0;
760 input_token.value = malloc((size_t)len);
761 input_token.value = httpDecode64_2(input_token.value, &len,
762 authorization);
763 input_token.length = (size_t)len;
764
765 /*
766 * Accept the input token to get the authorization info...
767 */
768
769 context = GSS_C_NO_CONTEXT;
770 client_name = GSS_C_NO_NAME;
771 major_status = gss_accept_sec_context(&minor_status,
772 &context,
773 ServerCreds,
774 &input_token,
775 GSS_C_NO_CHANNEL_BINDINGS,
776 &client_name,
777 NULL,
778 &output_token,
779 NULL,
780 NULL,
781 NULL);
782
783 if (output_token.length > 0)
784 gss_release_buffer(&minor_status, &output_token);
785
786 if (GSS_ERROR(major_status))
787 {
788 cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error accepting GSSAPI security context.", con->number);
789
790 if (context != GSS_C_NO_CONTEXT)
791 gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
792 return;
793 }
794
795 con->have_gss = 1;
796
797 /*
798 * Get the username associated with the client's credentials...
799 */
800
801 if (major_status == GSS_S_CONTINUE_NEEDED)
802 cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Credentials not complete.", con->number);
803 else if (major_status == GSS_S_COMPLETE)
804 {
805 major_status = gss_display_name(&minor_status, client_name,
806 &output_token, NULL);
807
808 if (GSS_ERROR(major_status))
809 {
810 cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status, "[Client %d] Error getting username.", con->number);
811 gss_release_name(&minor_status, &client_name);
812 gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
813 return;
814 }
815
816 strlcpy(username, output_token.value, sizeof(username));
817
818 cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Negotiate.", username);
819
820 gss_release_name(&minor_status, &client_name);
821 gss_release_buffer(&minor_status, &output_token);
822
823 con->type = CUPSD_AUTH_NEGOTIATE;
824 }
825
826 gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
827
828 # if defined(SO_PEERCRED) && defined(AF_LOCAL)
829 /*
830 * Get the client's UID if we are printing locally - that allows a backend
831 * to run as the correct user to get Kerberos credentials of its own.
832 */
833
834 if (httpAddrFamily(con->http->hostaddr) == AF_LOCAL)
835 {
836 cupsd_ucred_t peercred; /* Peer credentials */
837 socklen_t peersize; /* Size of peer credentials */
838
839 peersize = sizeof(peercred);
840
841 # ifdef __APPLE__
842 if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
843 # else
844 if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred,
845 &peersize))
846 # endif /* __APPLE__ */
847 {
848 cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get peer credentials - %s", strerror(errno));
849 }
850 else
851 {
852 cupsdLogClient(con, CUPSD_LOG_DEBUG, "Using credentials for UID %d.", CUPSD_UCRED_UID(peercred));
853 con->gss_uid = CUPSD_UCRED_UID(peercred);
854 }
855 }
856 # endif /* SO_PEERCRED && AF_LOCAL */
857 }
858 #endif /* HAVE_GSSAPI */
859 else
860 {
861 char scheme[256]; /* Auth scheme... */
862
863
864 if (sscanf(authorization, "%255s", scheme) != 1)
865 strlcpy(scheme, "UNKNOWN", sizeof(scheme));
866
867 cupsdLogClient(con, CUPSD_LOG_ERROR, "Bad authentication data \"%s ...\".", scheme);
868 return;
869 }
870
871 /*
872 * If we get here, then we were able to validate the username and
873 * password - copy the validated username and password to the client
874 * data and return...
875 */
876
877 strlcpy(con->username, username, sizeof(con->username));
878 strlcpy(con->password, password, sizeof(con->password));
879 }
880
881
882 /*
883 * 'cupsdCheckAccess()' - Check whether the given address is allowed to
884 * access a location.
885 */
886
887 int /* O - 1 if allowed, 0 otherwise */
cupsdCheckAccess(unsigned ip[4],const char * name,size_t namelen,cupsd_location_t * loc)888 cupsdCheckAccess(
889 unsigned ip[4], /* I - Client address */
890 const char *name, /* I - Client hostname */
891 size_t namelen, /* I - Length of hostname */
892 cupsd_location_t *loc) /* I - Location to check */
893 {
894 int allow; /* 1 if allowed, 0 otherwise */
895
896
897 if (!_cups_strcasecmp(name, "localhost"))
898 {
899 /*
900 * Access from localhost (127.0.0.1 or ::1) is always allowed...
901 */
902
903 return (1);
904 }
905 else
906 {
907 /*
908 * Do authorization checks on the domain/address...
909 */
910
911 switch (loc->order_type)
912 {
913 default :
914 allow = 0; /* anti-compiler-warning-code */
915 break;
916
917 case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */
918 allow = 1;
919
920 if (cupsdCheckAuth(ip, name, namelen, loc->deny))
921 allow = 0;
922
923 if (cupsdCheckAuth(ip, name, namelen, loc->allow))
924 allow = 1;
925 break;
926
927 case CUPSD_AUTH_DENY : /* Order Allow,Deny */
928 allow = 0;
929
930 if (cupsdCheckAuth(ip, name, namelen, loc->allow))
931 allow = 1;
932
933 if (cupsdCheckAuth(ip, name, namelen, loc->deny))
934 allow = 0;
935 break;
936 }
937 }
938
939 return (allow);
940 }
941
942
943 /*
944 * 'cupsdCheckAuth()' - Check authorization masks.
945 */
946
947 int /* O - 1 if mask matches, 0 otherwise */
cupsdCheckAuth(unsigned ip[4],const char * name,size_t name_len,cups_array_t * masks)948 cupsdCheckAuth(unsigned ip[4], /* I - Client address */
949 const char *name, /* I - Client hostname */
950 size_t name_len, /* I - Length of hostname */
951 cups_array_t *masks) /* I - Masks */
952 {
953 int i; /* Looping var */
954 cupsd_authmask_t *mask; /* Current mask */
955 cupsd_netif_t *iface; /* Network interface */
956 unsigned netip4; /* IPv4 network address */
957 #ifdef AF_INET6
958 unsigned netip6[4]; /* IPv6 network address */
959 #endif /* AF_INET6 */
960
961
962 for (mask = (cupsd_authmask_t *)cupsArrayFirst(masks);
963 mask;
964 mask = (cupsd_authmask_t *)cupsArrayNext(masks))
965 {
966 switch (mask->type)
967 {
968 case CUPSD_AUTH_INTERFACE :
969 /*
970 * Check for a match with a network interface...
971 */
972
973 netip4 = htonl(ip[3]);
974
975 #ifdef AF_INET6
976 netip6[0] = htonl(ip[0]);
977 netip6[1] = htonl(ip[1]);
978 netip6[2] = htonl(ip[2]);
979 netip6[3] = htonl(ip[3]);
980 #endif /* AF_INET6 */
981
982 cupsdNetIFUpdate();
983
984 if (!strcmp(mask->mask.name.name, "*"))
985 {
986 #ifdef __APPLE__
987 /*
988 * Allow Back-to-My-Mac addresses...
989 */
990
991 if ((ip[0] & 0xff000000) == 0xfd000000)
992 return (1);
993 #endif /* __APPLE__ */
994
995 /*
996 * Check against all local interfaces...
997 */
998
999 for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
1000 iface;
1001 iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
1002 {
1003 /*
1004 * Only check local interfaces...
1005 */
1006
1007 if (!iface->is_local)
1008 continue;
1009
1010 if (iface->address.addr.sa_family == AF_INET)
1011 {
1012 /*
1013 * Check IPv4 address...
1014 */
1015
1016 if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
1017 (iface->address.ipv4.sin_addr.s_addr &
1018 iface->mask.ipv4.sin_addr.s_addr))
1019 return (1);
1020 }
1021 #ifdef AF_INET6
1022 else
1023 {
1024 /*
1025 * Check IPv6 address...
1026 */
1027
1028 for (i = 0; i < 4; i ++)
1029 if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
1030 (iface->address.ipv6.sin6_addr.s6_addr32[i] &
1031 iface->mask.ipv6.sin6_addr.s6_addr32[i]))
1032 break;
1033
1034 if (i == 4)
1035 return (1);
1036 }
1037 #endif /* AF_INET6 */
1038 }
1039 }
1040 else
1041 {
1042 /*
1043 * Check the named interface...
1044 */
1045
1046 for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
1047 iface;
1048 iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
1049 {
1050 if (strcmp(mask->mask.name.name, iface->name))
1051 continue;
1052
1053 if (iface->address.addr.sa_family == AF_INET)
1054 {
1055 /*
1056 * Check IPv4 address...
1057 */
1058
1059 if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
1060 (iface->address.ipv4.sin_addr.s_addr &
1061 iface->mask.ipv4.sin_addr.s_addr))
1062 return (1);
1063 }
1064 #ifdef AF_INET6
1065 else
1066 {
1067 /*
1068 * Check IPv6 address...
1069 */
1070
1071 for (i = 0; i < 4; i ++)
1072 if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
1073 (iface->address.ipv6.sin6_addr.s6_addr32[i] &
1074 iface->mask.ipv6.sin6_addr.s6_addr32[i]))
1075 break;
1076
1077 if (i == 4)
1078 return (1);
1079 }
1080 #endif /* AF_INET6 */
1081 }
1082 }
1083 break;
1084
1085 case CUPSD_AUTH_NAME :
1086 /*
1087 * Check for exact name match...
1088 */
1089
1090 if (!_cups_strcasecmp(name, mask->mask.name.name))
1091 return (1);
1092
1093 /*
1094 * Check for domain match...
1095 */
1096
1097 if (name_len >= mask->mask.name.length &&
1098 mask->mask.name.name[0] == '.' &&
1099 !_cups_strcasecmp(name + name_len - mask->mask.name.length,
1100 mask->mask.name.name))
1101 return (1);
1102 break;
1103
1104 case CUPSD_AUTH_IP :
1105 /*
1106 * Check for IP/network address match...
1107 */
1108
1109 for (i = 0; i < 4; i ++)
1110 if ((ip[i] & mask->mask.ip.netmask[i]) !=
1111 mask->mask.ip.address[i])
1112 break;
1113
1114 if (i == 4)
1115 return (1);
1116 break;
1117 }
1118 }
1119
1120 return (0);
1121 }
1122
1123
1124 /*
1125 * 'cupsdCheckGroup()' - Check for a user's group membership.
1126 */
1127
1128 int /* O - 1 if user is a member, 0 otherwise */
cupsdCheckGroup(const char * username,struct passwd * user,const char * groupname)1129 cupsdCheckGroup(
1130 const char *username, /* I - User name */
1131 struct passwd *user, /* I - System user info */
1132 const char *groupname) /* I - Group name */
1133 {
1134 int i; /* Looping var */
1135 struct group *group; /* Group info */
1136 gid_t groupid; /* ID of named group */
1137 #ifdef HAVE_MBR_UID_TO_UUID
1138 uuid_t useruuid, /* UUID for username */
1139 groupuuid; /* UUID for groupname */
1140 int is_member; /* True if user is a member of group */
1141 #endif /* HAVE_MBR_UID_TO_UUID */
1142
1143
1144 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")", username, user, groupname);
1145
1146 /*
1147 * Validate input...
1148 */
1149
1150 if (!username || !groupname)
1151 return (0);
1152
1153 /*
1154 * Check to see if the user is a member of the named group...
1155 */
1156
1157 group = getgrnam(groupname);
1158 endgrent();
1159
1160 if (group != NULL)
1161 {
1162 /*
1163 * Group exists, check it...
1164 */
1165
1166 groupid = group->gr_gid;
1167
1168 for (i = 0; group->gr_mem[i]; i ++)
1169 {
1170 /*
1171 * User appears in the group membership...
1172 */
1173
1174 if (!_cups_strcasecmp(username, group->gr_mem[i]))
1175 return (1);
1176 }
1177
1178 #ifdef HAVE_GETGROUPLIST
1179 /*
1180 * If the user isn't in the group membership list, try the results from
1181 * getgrouplist() which is supposed to return the full list of groups a user
1182 * belongs to...
1183 */
1184
1185 if (user)
1186 {
1187 int ngroups; /* Number of groups */
1188 # ifdef __APPLE__
1189 int groups[2048]; /* Groups that user belongs to */
1190 # else
1191 gid_t groups[2048]; /* Groups that user belongs to */
1192 # endif /* __APPLE__ */
1193
1194 ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
1195 # ifdef __APPLE__
1196 getgrouplist(username, (int)user->pw_gid, groups, &ngroups);
1197 # else
1198 getgrouplist(username, user->pw_gid, groups, &ngroups);
1199 #endif /* __APPLE__ */
1200
1201 for (i = 0; i < ngroups; i ++)
1202 if ((int)groupid == (int)groups[i])
1203 return (1);
1204 }
1205 #endif /* HAVE_GETGROUPLIST */
1206 }
1207 else
1208 groupid = (gid_t)-1;
1209
1210 /*
1211 * Group doesn't exist or user not in group list, check the group ID
1212 * against the user's group ID...
1213 */
1214
1215 if (user && groupid == user->pw_gid)
1216 return (1);
1217
1218 #ifdef HAVE_MBR_UID_TO_UUID
1219 /*
1220 * Check group membership through macOS membership API...
1221 */
1222
1223 if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid))
1224 {
1225 if (groupid != (gid_t)-1)
1226 {
1227 /*
1228 * Map group name to UUID and check membership...
1229 */
1230
1231 if (!mbr_gid_to_uuid(groupid, groupuuid))
1232 if (!mbr_check_membership(useruuid, groupuuid, &is_member))
1233 if (is_member)
1234 return (1);
1235 }
1236 else if (groupname[0] == '#')
1237 {
1238 /*
1239 * Use UUID directly and check for equality (user UUID) and
1240 * membership (group UUID)...
1241 */
1242
1243 if (!uuid_parse((char *)groupname + 1, groupuuid))
1244 {
1245 if (!uuid_compare(useruuid, groupuuid))
1246 return (1);
1247 else if (!mbr_check_membership(useruuid, groupuuid, &is_member))
1248 if (is_member)
1249 return (1);
1250 }
1251
1252 return (0);
1253 }
1254 }
1255 else if (groupname[0] == '#')
1256 return (0);
1257 #endif /* HAVE_MBR_UID_TO_UUID */
1258
1259 /*
1260 * If we get this far, then the user isn't part of the named group...
1261 */
1262
1263 return (0);
1264 }
1265
1266
1267 /*
1268 * 'cupsdCopyLocation()' - Make a copy of a location...
1269 */
1270
1271 cupsd_location_t * /* O - New location */
cupsdCopyLocation(cupsd_location_t * loc)1272 cupsdCopyLocation(
1273 cupsd_location_t *loc) /* I - Original location */
1274 {
1275 cupsd_location_t *temp; /* New location */
1276
1277
1278 /*
1279 * Make a copy of the original location...
1280 */
1281
1282 if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
1283 return (NULL);
1284
1285 /*
1286 * Copy the information from the original location to the new one.
1287 */
1288
1289 if (!loc)
1290 return (temp);
1291
1292 if (loc->location)
1293 temp->location = _cupsStrAlloc(loc->location);
1294
1295 temp->length = loc->length;
1296 temp->limit = loc->limit;
1297 temp->order_type = loc->order_type;
1298 temp->type = loc->type;
1299 temp->level = loc->level;
1300 temp->satisfy = loc->satisfy;
1301 temp->encryption = loc->encryption;
1302
1303 if (loc->names)
1304 {
1305 if ((temp->names = cupsArrayDup(loc->names)) == NULL)
1306 {
1307 cupsdLogMessage(CUPSD_LOG_ERROR,
1308 "Unable to allocate memory for %d names: %s",
1309 cupsArrayCount(loc->names), strerror(errno));
1310
1311 cupsdFreeLocation(temp);
1312 return (NULL);
1313 }
1314 }
1315
1316 if (loc->allow)
1317 {
1318 /*
1319 * Copy allow rules...
1320 */
1321
1322 if ((temp->allow = cupsArrayDup(loc->allow)) == NULL)
1323 {
1324 cupsdLogMessage(CUPSD_LOG_ERROR,
1325 "Unable to allocate memory for %d allow rules: %s",
1326 cupsArrayCount(loc->allow), strerror(errno));
1327 cupsdFreeLocation(temp);
1328 return (NULL);
1329 }
1330 }
1331
1332 if (loc->deny)
1333 {
1334 /*
1335 * Copy deny rules...
1336 */
1337
1338 if ((temp->deny = cupsArrayDup(loc->deny)) == NULL)
1339 {
1340 cupsdLogMessage(CUPSD_LOG_ERROR,
1341 "Unable to allocate memory for %d deny rules: %s",
1342 cupsArrayCount(loc->deny), strerror(errno));
1343 cupsdFreeLocation(temp);
1344 return (NULL);
1345 }
1346 }
1347
1348 return (temp);
1349 }
1350
1351
1352 /*
1353 * 'cupsdDeleteAllLocations()' - Free all memory used for location authorization.
1354 */
1355
1356 void
cupsdDeleteAllLocations(void)1357 cupsdDeleteAllLocations(void)
1358 {
1359 /*
1360 * Free the location array, which will free all of the locations...
1361 */
1362
1363 cupsArrayDelete(Locations);
1364 Locations = NULL;
1365 }
1366
1367
1368 /*
1369 * 'cupsdFindBest()' - Find the location entry that best matches the resource.
1370 */
1371
1372 cupsd_location_t * /* O - Location that matches */
cupsdFindBest(const char * path,http_state_t state)1373 cupsdFindBest(const char *path, /* I - Resource path */
1374 http_state_t state) /* I - HTTP state/request */
1375 {
1376 char uri[HTTP_MAX_URI],
1377 /* URI in request... */
1378 *uriptr; /* Pointer into URI */
1379 cupsd_location_t *loc, /* Current location */
1380 *best; /* Best match for location so far */
1381 size_t bestlen; /* Length of best match */
1382 int limit; /* Limit field */
1383 static const int limits[] = /* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */
1384 {
1385 CUPSD_AUTH_LIMIT_ALL,
1386 CUPSD_AUTH_LIMIT_OPTIONS,
1387 CUPSD_AUTH_LIMIT_GET,
1388 CUPSD_AUTH_LIMIT_GET,
1389 CUPSD_AUTH_LIMIT_HEAD,
1390 CUPSD_AUTH_LIMIT_POST,
1391 CUPSD_AUTH_LIMIT_POST,
1392 CUPSD_AUTH_LIMIT_POST,
1393 CUPSD_AUTH_LIMIT_PUT,
1394 CUPSD_AUTH_LIMIT_PUT,
1395 CUPSD_AUTH_LIMIT_DELETE,
1396 CUPSD_AUTH_LIMIT_TRACE,
1397 CUPSD_AUTH_LIMIT_ALL,
1398 CUPSD_AUTH_LIMIT_ALL,
1399 CUPSD_AUTH_LIMIT_ALL,
1400 CUPSD_AUTH_LIMIT_ALL
1401 };
1402
1403
1404 /*
1405 * First copy the connection URI to a local string so we have drop
1406 * any .ppd extension from the pathname in /printers or /classes
1407 * URIs...
1408 */
1409
1410 strlcpy(uri, path, sizeof(uri));
1411
1412 if ((uriptr = strchr(uri, '?')) != NULL)
1413 *uriptr = '\0'; /* Drop trailing query string */
1414
1415 if ((uriptr = uri + strlen(uri) - 1) > uri && *uriptr == '/')
1416 *uriptr = '\0'; /* Remove trailing '/' */
1417
1418 if (!strncmp(uri, "/printers/", 10) ||
1419 !strncmp(uri, "/classes/", 9))
1420 {
1421 /*
1422 * Check if the URI has .ppd on the end...
1423 */
1424
1425 uriptr = uri + strlen(uri) - 4; /* len > 4 if we get here... */
1426
1427 if (!strcmp(uriptr, ".ppd"))
1428 *uriptr = '\0';
1429 }
1430
1431 /*
1432 * Loop through the list of locations to find a match...
1433 */
1434
1435 limit = limits[state];
1436 best = NULL;
1437 bestlen = 0;
1438
1439 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri=\"%s\", limit=%x...", uri, limit);
1440
1441
1442 for (loc = (cupsd_location_t *)cupsArrayFirst(Locations);
1443 loc;
1444 loc = (cupsd_location_t *)cupsArrayNext(Locations))
1445 {
1446 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s(%d) Limit %x", loc->location ? loc->location : "(null)", (int)loc->length, loc->limit);
1447
1448 if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9))
1449 {
1450 /*
1451 * Use case-insensitive comparison for queue names...
1452 */
1453
1454 if (loc->length > bestlen && loc->location &&
1455 !_cups_strncasecmp(uri, loc->location, loc->length) &&
1456 loc->location[0] == '/' &&
1457 (limit & loc->limit) != 0)
1458 {
1459 best = loc;
1460 bestlen = loc->length;
1461 }
1462 }
1463 else
1464 {
1465 /*
1466 * Use case-sensitive comparison for other URIs...
1467 */
1468
1469 if (loc->length > bestlen && loc->location &&
1470 !strncmp(uri, loc->location, loc->length) &&
1471 loc->location[0] == '/' &&
1472 (limit & loc->limit) != 0)
1473 {
1474 best = loc;
1475 bestlen = loc->length;
1476 }
1477 }
1478 }
1479
1480 /*
1481 * Return the match, if any...
1482 */
1483
1484 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best=%s", best ? best->location : "NONE");
1485
1486 return (best);
1487 }
1488
1489
1490 /*
1491 * 'cupsdFindLocation()' - Find the named location.
1492 */
1493
1494 cupsd_location_t * /* O - Location that matches */
cupsdFindLocation(const char * location)1495 cupsdFindLocation(const char *location) /* I - Connection */
1496 {
1497 cupsd_location_t key; /* Search key */
1498
1499
1500 key.location = (char *)location;
1501
1502 return ((cupsd_location_t *)cupsArrayFind(Locations, &key));
1503 }
1504
1505
1506 /*
1507 * 'cupsdFreeLocation()' - Free all memory used by a location.
1508 */
1509
1510 void
cupsdFreeLocation(cupsd_location_t * loc)1511 cupsdFreeLocation(cupsd_location_t *loc)/* I - Location to free */
1512 {
1513 cupsArrayDelete(loc->names);
1514 cupsArrayDelete(loc->allow);
1515 cupsArrayDelete(loc->deny);
1516
1517 _cupsStrFree(loc->location);
1518 free(loc);
1519 }
1520
1521
1522 /*
1523 * 'cupsdIsAuthorized()' - Check to see if the user is authorized...
1524 */
1525
1526 http_status_t /* O - HTTP_OK if authorized or error code */
cupsdIsAuthorized(cupsd_client_t * con,const char * owner)1527 cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
1528 const char *owner)/* I - Owner of object */
1529 {
1530 int i, /* Looping vars */
1531 auth, /* Authorization status */
1532 type; /* Type of authentication */
1533 http_addr_t *hostaddr = httpGetAddress(con->http);
1534 /* Client address */
1535 const char *hostname = httpGetHostname(con->http, NULL, 0);
1536 /* Client hostname */
1537 unsigned address[4]; /* Authorization address */
1538 cupsd_location_t *best; /* Best match for location so far */
1539 size_t hostlen; /* Length of hostname */
1540 char *name, /* Current username */
1541 username[256], /* Username to authorize */
1542 ownername[256], /* Owner name to authorize */
1543 *ptr; /* Pointer into username */
1544 struct passwd *pw; /* User password data */
1545 static const char * const levels[] = /* Auth levels */
1546 {
1547 "ANON",
1548 "USER",
1549 "GROUP"
1550 };
1551 static const char * const types[] = /* Auth types */
1552 {
1553 "None",
1554 "Basic",
1555 "Negotiate"
1556 };
1557
1558
1559 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)", con->uri, con->best, con->best ? con->best->location ? con->best->location : "(null)" : "");
1560 if (owner)
1561 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: owner=\"%s\"", owner);
1562
1563 /*
1564 * If there is no "best" authentication rule for this request, then
1565 * access is allowed from the local system and denied from other
1566 * addresses...
1567 */
1568
1569 if (!con->best)
1570 {
1571 if (httpAddrLocalhost(httpGetAddress(con->http)) ||
1572 !strcmp(hostname, ServerName) ||
1573 cupsArrayFind(ServerAlias, (void *)hostname))
1574 return (HTTP_OK);
1575 else
1576 return (HTTP_FORBIDDEN);
1577 }
1578
1579 best = con->best;
1580
1581 if ((type = best->type) == CUPSD_AUTH_DEFAULT)
1582 type = cupsdDefaultAuthType();
1583
1584 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d", levels[best->level], types[type], best->satisfy ? "ANY" : "ALL", cupsArrayCount(best->names));
1585
1586 if (best->limit == CUPSD_AUTH_LIMIT_IPP)
1587 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)", best->op, ippOpString(best->op));
1588
1589 /*
1590 * Check host/ip-based accesses...
1591 */
1592
1593 #ifdef AF_INET6
1594 if (httpAddrFamily(hostaddr) == AF_INET6)
1595 {
1596 /*
1597 * Copy IPv6 address...
1598 */
1599
1600 address[0] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[0]);
1601 address[1] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[1]);
1602 address[2] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[2]);
1603 address[3] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[3]);
1604 }
1605 else
1606 #endif /* AF_INET6 */
1607 if (con->http->hostaddr->addr.sa_family == AF_INET)
1608 {
1609 /*
1610 * Copy IPv4 address...
1611 */
1612
1613 address[0] = 0;
1614 address[1] = 0;
1615 address[2] = 0;
1616 address[3] = ntohl(hostaddr->ipv4.sin_addr.s_addr);
1617 }
1618 else
1619 memset(address, 0, sizeof(address));
1620
1621 hostlen = strlen(hostname);
1622
1623 auth = cupsdCheckAccess(address, hostname, hostlen, best)
1624 ? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
1625
1626 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...", auth ? "DENY" : "ALLOW");
1627
1628 if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL)
1629 return (HTTP_FORBIDDEN);
1630
1631 #ifdef HAVE_SSL
1632 /*
1633 * See if encryption is required...
1634 */
1635
1636 if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http->tls &&
1637 _cups_strcasecmp(hostname, "localhost") &&
1638 !httpAddrLocalhost(hostaddr) &&
1639 best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
1640 !(type == CUPSD_AUTH_NEGOTIATE ||
1641 (type == CUPSD_AUTH_NONE &&
1642 cupsdDefaultAuthType() == CUPSD_AUTH_NEGOTIATE)))
1643 {
1644 cupsdLogMessage(CUPSD_LOG_DEBUG,
1645 "cupsdIsAuthorized: Need upgrade to TLS...");
1646 return (HTTP_UPGRADE_REQUIRED);
1647 }
1648 #endif /* HAVE_SSL */
1649
1650 /*
1651 * Now see what access level is required...
1652 */
1653
1654 if (best->level == CUPSD_AUTH_ANON || /* Anonymous access - allow it */
1655 (type == CUPSD_AUTH_NONE && cupsArrayCount(best->names) == 0))
1656 return (HTTP_OK);
1657
1658 if (!con->username[0] && type == CUPSD_AUTH_NONE &&
1659 best->limit == CUPSD_AUTH_LIMIT_IPP)
1660 {
1661 /*
1662 * Check for unauthenticated username...
1663 */
1664
1665 ipp_attribute_t *attr; /* requesting-user-name attribute */
1666
1667
1668 attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
1669 if (attr)
1670 {
1671 cupsdLogMessage(CUPSD_LOG_DEBUG,
1672 "cupsdIsAuthorized: requesting-user-name=\"%s\"",
1673 attr->values[0].string.text);
1674 strlcpy(username, attr->values[0].string.text, sizeof(username));
1675 }
1676 else if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
1677 return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
1678 else
1679 return (HTTP_OK); /* unless overridden with Satisfy */
1680 }
1681 else
1682 {
1683 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: username=\"%s\"",
1684 con->username);
1685
1686 #ifdef HAVE_AUTHORIZATION_H
1687 if (!con->username[0] && !con->authref)
1688 #else
1689 if (!con->username[0])
1690 #endif /* HAVE_AUTHORIZATION_H */
1691 {
1692 if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
1693 return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
1694 else
1695 return (HTTP_OK); /* unless overridden with Satisfy */
1696 }
1697
1698
1699 if (con->type != type && type != CUPSD_AUTH_NONE &&
1700 #ifdef HAVE_GSSAPI
1701 (type != CUPSD_AUTH_NEGOTIATE || con->gss_uid <= 0) &&
1702 #endif /* HAVE_GSSAPI */
1703 con->type != CUPSD_AUTH_BASIC)
1704 {
1705 cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s.",
1706 types[con->type], types[type]);
1707
1708 return (HTTP_UNAUTHORIZED);
1709 }
1710
1711 strlcpy(username, con->username, sizeof(username));
1712 }
1713
1714 /*
1715 * OK, got a username. See if we need normal user access, or group
1716 * access... (root always matches)
1717 */
1718
1719 if (!strcmp(username, "root"))
1720 return (HTTP_OK);
1721
1722 /*
1723 * Strip any @domain or @KDC from the username and owner...
1724 */
1725
1726 if ((ptr = strchr(username, '@')) != NULL)
1727 *ptr = '\0';
1728
1729 if (owner)
1730 {
1731 strlcpy(ownername, owner, sizeof(ownername));
1732
1733 if ((ptr = strchr(ownername, '@')) != NULL)
1734 *ptr = '\0';
1735 }
1736 else
1737 ownername[0] = '\0';
1738
1739 /*
1740 * Get the user info...
1741 */
1742
1743 if (username[0])
1744 {
1745 pw = getpwnam(username);
1746 endpwent();
1747 }
1748 else
1749 pw = NULL;
1750
1751 if (best->level == CUPSD_AUTH_USER)
1752 {
1753 /*
1754 * If there are no names associated with this location, then
1755 * any valid user is OK...
1756 */
1757
1758 if (cupsArrayCount(best->names) == 0)
1759 return (HTTP_OK);
1760
1761 /*
1762 * Otherwise check the user list and return OK if this user is
1763 * allowed...
1764 */
1765
1766 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking user membership...");
1767
1768 #ifdef HAVE_AUTHORIZATION_H
1769 /*
1770 * If an authorization reference was supplied it must match a right name...
1771 */
1772
1773 if (con->authref)
1774 {
1775 for (name = (char *)cupsArrayFirst(best->names);
1776 name;
1777 name = (char *)cupsArrayNext(best->names))
1778 {
1779 if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) && check_authref(con, name + 9))
1780 return (HTTP_OK);
1781 else if (!_cups_strcasecmp(name, "@SYSTEM") && SystemGroupAuthKey &&
1782 check_authref(con, SystemGroupAuthKey))
1783 return (HTTP_OK);
1784 }
1785
1786 return (HTTP_FORBIDDEN);
1787 }
1788 #endif /* HAVE_AUTHORIZATION_H */
1789
1790 for (name = (char *)cupsArrayFirst(best->names);
1791 name;
1792 name = (char *)cupsArrayNext(best->names))
1793 {
1794 if (!_cups_strcasecmp(name, "@OWNER") && owner &&
1795 !_cups_strcasecmp(username, ownername))
1796 return (HTTP_OK);
1797 else if (!_cups_strcasecmp(name, "@SYSTEM"))
1798 {
1799 for (i = 0; i < NumSystemGroups; i ++)
1800 if (cupsdCheckGroup(username, pw, SystemGroups[i]))
1801 return (HTTP_OK);
1802 }
1803 else if (name[0] == '@')
1804 {
1805 if (cupsdCheckGroup(username, pw, name + 1))
1806 return (HTTP_OK);
1807 }
1808 else if (!_cups_strcasecmp(username, name))
1809 return (HTTP_OK);
1810 }
1811
1812 return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
1813 }
1814
1815 /*
1816 * Check to see if this user is in any of the named groups...
1817 */
1818
1819 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group membership...");
1820
1821 /*
1822 * Check to see if this user is in any of the named groups...
1823 */
1824
1825 for (name = (char *)cupsArrayFirst(best->names);
1826 name;
1827 name = (char *)cupsArrayNext(best->names))
1828 {
1829 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: Checking group \"%s\" membership...", name);
1830
1831 if (!_cups_strcasecmp(name, "@SYSTEM"))
1832 {
1833 for (i = 0; i < NumSystemGroups; i ++)
1834 if (cupsdCheckGroup(username, pw, SystemGroups[i]))
1835 return (HTTP_OK);
1836 }
1837 else if (cupsdCheckGroup(username, pw, name))
1838 return (HTTP_OK);
1839 }
1840
1841 /*
1842 * The user isn't part of the specified group, so deny access...
1843 */
1844
1845 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: User not in group(s).");
1846
1847 return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
1848 }
1849
1850
1851 /*
1852 * 'cupsdNewLocation()' - Create a new location for authorization.
1853 *
1854 * Note: Still need to call cupsdAddLocation() to add it to the list of global
1855 * locations.
1856 */
1857
1858 cupsd_location_t * /* O - Pointer to new location record */
cupsdNewLocation(const char * location)1859 cupsdNewLocation(const char *location) /* I - Location path */
1860 {
1861 cupsd_location_t *temp; /* New location */
1862
1863
1864 /*
1865 * Try to allocate memory for the new location.
1866 */
1867
1868 if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
1869 return (NULL);
1870
1871 /*
1872 * Initialize the record and copy the name over...
1873 */
1874
1875 if ((temp->location = _cupsStrAlloc(location)) == NULL)
1876 {
1877 free(temp);
1878 return (NULL);
1879 }
1880
1881 temp->length = strlen(temp->location);
1882
1883 /*
1884 * Return the new record...
1885 */
1886
1887 return (temp);
1888 }
1889
1890
1891 #ifdef HAVE_AUTHORIZATION_H
1892 /*
1893 * 'check_authref()' - Check if an authorization services reference has the
1894 * supplied right.
1895 */
1896
1897 static int /* O - 1 if right is valid, 0 otherwise */
check_authref(cupsd_client_t * con,const char * right)1898 check_authref(cupsd_client_t *con, /* I - Connection */
1899 const char *right) /* I - Right name */
1900 {
1901 OSStatus status; /* OS Status */
1902 AuthorizationItem authright; /* Authorization right */
1903 AuthorizationRights authrights; /* Authorization rights */
1904 AuthorizationFlags authflags; /* Authorization flags */
1905
1906
1907 /*
1908 * Check to see if the user is allowed to perform the task...
1909 */
1910
1911 if (!con->authref)
1912 return (0);
1913
1914 authright.name = right;
1915 authright.valueLength = 0;
1916 authright.value = NULL;
1917 authright.flags = 0;
1918
1919 authrights.count = 1;
1920 authrights.items = &authright;
1921
1922 authflags = kAuthorizationFlagDefaults |
1923 kAuthorizationFlagExtendRights;
1924
1925 if ((status = AuthorizationCopyRights(con->authref, &authrights,
1926 kAuthorizationEmptyEnvironment,
1927 authflags, NULL)) != 0)
1928 {
1929 cupsdLogMessage(CUPSD_LOG_ERROR, "AuthorizationCopyRights(\"%s\") returned %d", authright.name, (int)status);
1930 return (0);
1931 }
1932
1933 cupsdLogMessage(CUPSD_LOG_DEBUG2, "AuthorizationCopyRights(\"%s\") succeeded.", authright.name);
1934
1935 return (1);
1936 }
1937 #endif /* HAVE_AUTHORIZATION_H */
1938
1939
1940 /*
1941 * 'compare_locations()' - Compare two locations.
1942 */
1943
1944 static int /* O - Result of comparison */
compare_locations(cupsd_location_t * a,cupsd_location_t * b)1945 compare_locations(cupsd_location_t *a, /* I - First location */
1946 cupsd_location_t *b) /* I - Second location */
1947 {
1948 return (strcmp(b->location, a->location));
1949 }
1950
1951
1952 /*
1953 * 'copy_authmask()' - Copy function for auth masks.
1954 */
1955
1956 static cupsd_authmask_t * /* O - New auth mask */
copy_authmask(cupsd_authmask_t * mask,void * data)1957 copy_authmask(cupsd_authmask_t *mask, /* I - Existing auth mask */
1958 void *data) /* I - User data (unused) */
1959 {
1960 cupsd_authmask_t *temp; /* New auth mask */
1961
1962
1963 (void)data;
1964
1965 if ((temp = malloc(sizeof(cupsd_authmask_t))) != NULL)
1966 {
1967 memcpy(temp, mask, sizeof(cupsd_authmask_t));
1968
1969 if (temp->type == CUPSD_AUTH_NAME || temp->type == CUPSD_AUTH_INTERFACE)
1970 {
1971 /*
1972 * Make a copy of the name...
1973 */
1974
1975 if ((temp->mask.name.name = _cupsStrAlloc(temp->mask.name.name)) == NULL)
1976 {
1977 /*
1978 * Failed to make copy...
1979 */
1980
1981 free(temp);
1982 temp = NULL;
1983 }
1984 }
1985 }
1986
1987 return (temp);
1988 }
1989
1990
1991 /*
1992 * 'free_authmask()' - Free function for auth masks.
1993 */
1994
1995 static void
free_authmask(cupsd_authmask_t * mask,void * data)1996 free_authmask(cupsd_authmask_t *mask, /* I - Auth mask to free */
1997 void *data) /* I - User data (unused) */
1998 {
1999 (void)data;
2000
2001 if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
2002 _cupsStrFree(mask->mask.name.name);
2003
2004 free(mask);
2005 }
2006
2007
2008 #if HAVE_LIBPAM
2009 /*
2010 * 'pam_func()' - PAM conversation function.
2011 */
2012
2013 static int /* O - Success or failure */
pam_func(int num_msg,const struct pam_message ** msg,struct pam_response ** resp,void * appdata_ptr)2014 pam_func(
2015 int num_msg, /* I - Number of messages */
2016 const struct pam_message **msg, /* I - Messages */
2017 struct pam_response **resp, /* O - Responses */
2018 void *appdata_ptr)
2019 /* I - Pointer to connection */
2020 {
2021 int i; /* Looping var */
2022 struct pam_response *replies; /* Replies */
2023 cupsd_authdata_t *data; /* Pointer to auth data */
2024
2025
2026 /*
2027 * Allocate memory for the responses...
2028 */
2029
2030 if ((replies = malloc(sizeof(struct pam_response) * (size_t)num_msg)) == NULL)
2031 return (PAM_CONV_ERR);
2032
2033 /*
2034 * Answer all of the messages...
2035 */
2036
2037 data = (cupsd_authdata_t *)appdata_ptr;
2038
2039 for (i = 0; i < num_msg; i ++)
2040 {
2041 switch (msg[i]->msg_style)
2042 {
2043 case PAM_PROMPT_ECHO_ON:
2044 replies[i].resp_retcode = PAM_SUCCESS;
2045 replies[i].resp = strdup(data->username);
2046 break;
2047
2048 case PAM_PROMPT_ECHO_OFF:
2049 replies[i].resp_retcode = PAM_SUCCESS;
2050 replies[i].resp = strdup(data->password);
2051 break;
2052
2053 case PAM_TEXT_INFO:
2054 replies[i].resp_retcode = PAM_SUCCESS;
2055 replies[i].resp = NULL;
2056 break;
2057
2058 case PAM_ERROR_MSG:
2059 replies[i].resp_retcode = PAM_SUCCESS;
2060 replies[i].resp = NULL;
2061 break;
2062
2063 default:
2064 free(replies);
2065 return (PAM_CONV_ERR);
2066 }
2067 }
2068
2069 /*
2070 * Return the responses back to PAM...
2071 */
2072
2073 *resp = replies;
2074
2075 return (PAM_SUCCESS);
2076 }
2077 #endif /* HAVE_LIBPAM */
2078