[cups-devel] Authorization check fails on local connections when kerberos is enabled

Samuel Cabrero scabrero at suse.de
Thu Aug 24 07:29:02 PDT 2017


Hello,

this is a question about Kerberos authentication when a client connects
through a local socket. It looks like in this case the client is always
authenticated using Basic:

scheduler/client.c:2354
....
#ifdef AF_LOCAL
      if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
        strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
      else
#endif /* AF_LOCAL */
      strlcpy(auth_str, "Negotiate", sizeof(auth_str));
....


scheduler/auth.c:600
...
else if (!strncmp(authorization, "PeerCred ", 9) &&
           con->http.hostaddr->addr.sa_family == AF_LOCAL)
{
...
    con->gss_uid = CUPSD_UCRED_UID(peercred);
....
    con->type = CUPSD_AUTH_BASIC;
}

but then the cupsdIsAuthorized function fails with 'Authorized using Basic,
expected Negotiate' on CUPS 1.7.5 (scheduler/auth.c:1992)

...
if (con->type != type && type != CUPSD_AUTH_NONE &&
#ifdef HAVE_GSSAPI
        (type != CUPSD_AUTH_NEGOTIATE || con->gss_uid <= 0) &&
#endif /* HAVE_GSSAPI */
        (con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST)) {
...

Shouldn't this check be avoided when connected through a local socket?

I think CUPS >= 2.0 is not affected because digest auth has been dropped,
so this change
-        (con->type != CUPSD_AUTH_BASIC || type !=
CUPSD_AUTH_BASICDIGEST))
+        con->type != CUPSD_AUTH_BASIC)
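
Review bot: the replacement clause `con->type != CUPSD_AUTH_BASIC` on the `+` line is not tied to the connection's address family, so as written the type-mismatch rejection is skipped for every connection whose con->type is CUPSD_AUTH_BASIC, not only for PeerCred peers on AF_LOCAL. If the intent is to let local-socket clients through when Negotiate is configured, consider gating the exemption on the same AF_LOCAL test used in scheduler/client.c (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) and saying so in a comment next to the condition.
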
makes the whole condition evaluate to false.

If I am right, please review the attached patch.

Regards,

-- 
Samuel Cabrero / SUSE Labs Samba Team
GPG: D7D6 E259 F91C F0B3 2E61 1239 3655 6EC9 7051 0856
scabrero at suse.com
scabrero at suse.de
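
The mismatch condition quoted in the message above, modelled as stand-alone C (an added example, not code from CUPS or from the original post), so that the (con->type, type, gss_uid) combinations it rejects can be tabulated. The enum values, the sample uid 1000 and the mismatch_local_only variant are assumptions made for illustration; only the quoted expressions are modelled, not the rest of cupsdIsAuthorized.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the cupsd auth types named in the mail;
 * the numeric values are NOT taken from the CUPS headers. */
enum auth_type { AUTH_NONE, AUTH_BASIC, AUTH_BASICDIGEST, AUTH_NEGOTIATE };

/* Condition as quoted for CUPS 1.7.5 with HAVE_GSSAPI defined.
 * true means the "Authorized using X, expected Y" rejection fires. */
static bool mismatch_175(enum auth_type con_type, enum auth_type type, int gss_uid)
{
  return con_type != type && type != AUTH_NONE &&
         (type != AUTH_NEGOTIATE || gss_uid <= 0) &&
         (con_type != AUTH_BASIC || type != AUTH_BASICDIGEST);
}

/* Same condition with the last clause as quoted for CUPS >= 2.0. */
static bool mismatch_20(enum auth_type con_type, enum auth_type type, int gss_uid)
{
  return con_type != type && type != AUTH_NONE &&
         (type != AUTH_NEGOTIATE || gss_uid <= 0) &&
         con_type != AUTH_BASIC;
}

/* Hypothetical variant: exempt Basic (PeerCred) only on a local socket,
 * otherwise fall back to the 1.7.5 condition. is_local is an assumed flag. */
static bool mismatch_local_only(enum auth_type con_type, enum auth_type type,
                                int gss_uid, bool is_local)
{
  if (is_local && con_type == AUTH_BASIC)
    return false;
  return mismatch_175(con_type, type, gss_uid);
}

int main(void)
{
  int uids[] = { 0, 1000 };            /* constructed sample peer uids */
  for (int i = 0; i < 2; i++)
    printf("Basic vs Negotiate, gss_uid=%d: 1.7.5=%d 2.0=%d "
           "variant(local)=%d variant(remote)=%d\n", uids[i],
           mismatch_175(AUTH_BASIC, AUTH_NEGOTIATE, uids[i]),
           mismatch_20(AUTH_BASIC, AUTH_NEGOTIATE, uids[i]),
           mismatch_local_only(AUTH_BASIC, AUTH_NEGOTIATE, uids[i], true),
           mismatch_local_only(AUTH_BASIC, AUTH_NEGOTIATE, uids[i], false));
  return 0;
}
```

In this model the 1.7.5 expression rejects Basic against Negotiate only when gss_uid is not positive, while the 2.0 expression never rejects a Basic connection, local or not.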
