[cups.bugs] [HIGH] STR #3662: Bug in scheduler/auth.c, Kerberos Context not initialized

Christer Bernérus bernerus at chalmers.se
Tue Sep 7 05:39:32 PDT 2010


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

Hi.

I came across this bug while trying to figure out how kerberos
authentication on the Mac is supposed to work.
This bug affects all cups clients that connects through the UNIX socket
and that authenticates to the server using kerberos. 

(One might wonder why, but the server might just require this)

Anyway, here is a diff against SVN version 9294

+++ scheduler/auth.c	(working copy)

@@ -993,6 +996,24 @@
 		    "cupsdAuthorize: Copying credentials for UID %d...",
 		    CUPSD_UCRED_UID(peercred));
 
+if (!KerberosInitialized)
+  {
+   /*
+    * Setup a Kerberos context for the scheduler to use...
+    */
+
+    KerberosInitialized = 1;
+
+    if (krb5_init_context(&KerberosContext))
+    {
+      KerberosContext = NULL;
+
+      cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to initialize Kerberos
context");
+      return;
+    }
+  }
+
+
     krb5_ipc_client_set_target_uid(CUPSD_UCRED_UID(peercred));
 
     if ((error = krb5_cc_default(KerberosContext, &peerccache)) != 0)

Caveat: Indenting is not correct in the above diff. You will want to fix
this.

What happens is that when the server gets a request that land in this
particular piece of code, the global KerberosContext might not be
initialized. This is a requirement for the call to krb5_cc_default, just
after the code that I added. 
The added code is of course borrowed from the cupsdCopyKrb5Creds() routine
a bit below in the same file.



-- Christer

Link: http://www.cups.org/str.php?L3662
Version: 1.4-current





More information about the cups-devel mailing list