[cups-devel] Authorization check fails on local connections when kerberos is enabled
Samuel Cabrero
scabrero at suse.de
Thu Aug 24 07:29:02 PDT 2017
Hello,
this is a question about Kerberos authentication when a client connects
through local socket. It looks like in this case the client is always
authenticated using Basic:
scheduler/client.c:2354
....
#ifdef AF_LOCAL
    if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
      strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
    else
#endif /* AF_LOCAL */
      strlcpy(auth_str, "Negotiate", sizeof(auth_str));
....
scheduler/auth.c:600
...
    else if (!strncmp(authorization, "PeerCred ", 9) &&
             con->http.hostaddr->addr.sa_family == AF_LOCAL)
    {
      ...
      con->gss_uid = CUPSD_UCRED_UID(peercred);
      ....
      con->type = CUPSD_AUTH_BASIC;
    }
but then cupsdIsAuthorized function fails with 'Authorized using Basic,
expected Negotiate' on cups 1.7.5 (scheduler/auth.c:1992)
...
    if (con->type != type && type != CUPSD_AUTH_NONE &&
#ifdef HAVE_GSSAPI
        (type != CUPSD_AUTH_NEGOTIATE || con->gss_uid <= 0) &&
#endif /* HAVE_GSSAPI */
        (con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST)) {
...
Shouldn't this check be avoided when connected through local socket?
I think cups >= 2.0 is not affected because digest auth has been dropped,
so this change
- (con->type != CUPSD_AUTH_BASIC || type !=
CUPSD_AUTH_BASICDIGEST))
+ con->type != CUPSD_AUTH_BASIC)
makes the whole condition evaluate to false.
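Review bot: the replacement term `con->type != CUPSD_AUTH_BASIC` on the `+` line is not limited to local-socket connections. Because the terms are joined with `&&`, any connection whose con->type is CUPSD_AUTH_BASIC makes the whole condition false whatever `type` requires, Negotiate included. If the intent is only to accept PeerCred over a local socket, consider adding an explicit AF_LOCAL test to that term, as the PeerCred branch quoted from scheduler/auth.c already does, and a comment stating why Basic is accepted there.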
If I am right, please review the attached patch.
Regards,
--
Samuel Cabrero / SUSE Labs Samba Team
GPG: D7D6 E259 F91C F0B3 2E61 1239 3655 6EC9 7051 0856
scabrero at suse.com
scabrero at suse.de
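The two conditions quoted in the message, modelled as stand-alone C so the PeerCred case can be evaluated directly. This is an added example, not CUPS code and not part of the original post: the enum values and function names are assumptions, HAVE_GSSAPI is taken as defined, and the elided lines are assumed not to change con->type or con->gss_uid.

```c
#include <stdio.h>

/* Stand-in constants: names follow the message, numeric values are assumed. */
enum { AUTH_NONE, AUTH_BASIC, AUTH_BASICDIGEST, AUTH_NEGOTIATE };

/* Condition quoted from cups 1.7.5, with HAVE_GSSAPI defined.
 * Returns 1 when the "Authorized using X, expected Y" branch is taken. */
static int mismatch_175(int con_type, int type, int gss_uid)
{
  return con_type != type && type != AUTH_NONE &&
         (type != AUTH_NEGOTIATE || gss_uid <= 0) &&
         (con_type != AUTH_BASIC || type != AUTH_BASICDIGEST);
}

/* Same condition with the last term as in the quoted cups >= 2.0 change. */
static int mismatch_20(int con_type, int type, int gss_uid)
{
  return con_type != type && type != AUTH_NONE &&
         (type != AUTH_NEGOTIATE || gss_uid <= 0) &&
         con_type != AUTH_BASIC;
}

int main(void)
{
  /* Constructed cases: per the quoted PeerCred branch, con->type becomes
   * Basic and con->gss_uid becomes the uid of the local peer. */
  static const struct {
    const char *label;
    int con_type, type, gss_uid;
  } cases[] = {
    { "PeerCred uid 0,    Negotiate required",   AUTH_BASIC, AUTH_NEGOTIATE,   0    },
    { "PeerCred uid 1000, Negotiate required",   AUTH_BASIC, AUTH_NEGOTIATE,   1000 },
    { "PeerCred uid 0,    BasicDigest required", AUTH_BASIC, AUTH_BASICDIGEST, 0    },
    { "PeerCred uid 0,    Basic required",       AUTH_BASIC, AUTH_BASIC,       0    },
  };
  size_t i;

  for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
    printf("%-42s 1.7.5 rejects: %d   2.0 rejects: %d\n", cases[i].label,
           mismatch_175(cases[i].con_type, cases[i].type, cases[i].gss_uid),
           mismatch_20(cases[i].con_type, cases[i].type, cases[i].gss_uid));
  return 0;
}
```

In this model the 1.7.5 condition takes the mismatch branch for a PeerCred connection only when gss_uid is not positive, and the 2.0 form never takes it once con->type is Basic.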