[cups.bugs] [HIGH] STR #3670: Kerberos authentication fetches wrong username from peer cache

Christer Bernérus bernerus at chalmers.se
Fri Sep 10 06:44:41 PDT 2010



[STR New]

The code in scheduler/auth.c (around line 1000) seems to attempt to fetch
the name of the connected user from the peer cache.
However, the current code fetches the name OF the peer cache instead,
which on the Mac gives the username "Initial default ccache".

Here is my suggested fix:

@@ -974,7 +979,8 @@
     cupsd_ucred_t	peercred;	/* Peer credentials */
     socklen_t		peersize;	/* Size of peer credentials */
     krb5_ccache		peerccache;	/* Peer Kerberos credentials */
-    const char		*peername;	/* Peer username */
+    char		*peername;	/* Peer username */
+    krb5_principal      peerprinc;	/* Default principal from user's ccace
*/

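Review bot: The comment on the new `peerprinc` declaration misspells "ccache" as "ccace", and the mailer has wrapped it so the closing `*/` sits on a line of its own, which will keep the hunk from applying; attach the diff as a file or re-send it unwrapped. Since `peername` loses its `const` because `krb5_unparse_name()` in the next hunk fills it with an allocated string, its comment should say that this function owns the string and must free it.
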
@@ -1002,23 +1026,31 @@
 		      (int)CUPSD_UCRED_UID(peercred), error, strerror(errno));
       return;
     }
-
-    if ((peername = krb5_cc_get_name(KerberosContext, peerccache)) !=
NULL)
+	  
+    if ((error = krb5_cc_get_principal(KerberosContext, peerccache,
&peerprinc)) != 0)
     {
-      strlcpy(username, peername, sizeof(username));
-
-      con->have_gss = 1;
-      con->type     = CUPSD_AUTH_NEGOTIATE;
-
-      cupsdLogMessage(CUPSD_LOG_DEBUG,
-		      "cupsdAuthorize: Authorized as %s using Negotiate",
-		      username);
+      cupsdLogMessage(CUPSD_LOG_ERROR,
+			"Unable to get default Kerberos principal for UID %d",
+			(int)CUPSD_UCRED_UID(peercred));
+      return;
     }
-    else
+    if ((error = krb5_unparse_name(KerberosContext, peerprinc,
&peername)) != 0) 
+    {
       cupsdLogMessage(CUPSD_LOG_ERROR,
-		      "Unable to get Kerberos name for UID %d",
-		      (int)CUPSD_UCRED_UID(peercred));
+		        "Unable to unparse default Kerberos principal for UID %d",
+		        (int)CUPSD_UCRED_UID(peercred));
+      return;
+    }
+	  
+    strlcpy(username, peername, sizeof(username));
 
+    con->have_gss = 1;
+    con->type     = CUPSD_AUTH_NEGOTIATE;
+
+    cupsdLogMessage(CUPSD_LOG_DEBUG,
+                    "cupsdAuthorize: Authorized as %s using Negotiate",
+		    username);
+

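Review bot: Nothing after `strlcpy(username, peername, sizeof(username));` releases `peername` or `peerprinc`, and the `krb5_unparse_name()` failure branch returns without releasing `peerprinc`, so each pass through this path leaks memory. Add `krb5_free_unparsed_name(KerberosContext, peername);` once the name has been copied and `krb5_free_principal(KerberosContext, peerprinc);` on both the success path and the unparse-failure path. `krb5_unparse_name()` also returns the full principal including the realm (`user@REALM`), so confirm that the code consuming `username` expects the realm or strip it before the copy. The two new error messages drop the `error` value that the context message at the top of the hunk logs; including it would make failures easier to diagnose. The `krb5_cc_get_principal(` and `krb5_unparse_name(` conditions have been wrapped by the mailer as well.
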
Unfortunately, svn diff seems to have been a bit confused here. The
changes are more understandable when seen side by side.

-- Christer

Link: http://www.cups.org/str.php?L3670
Version: 1.4-current




