Fixed HTTP PeerCred authentication for domain users (Issue #1001)

OpenPrinting · Aug 14, 2024 · 4ccfbec · 4ccfbec
1 parent f8c6b8c
commit 4ccfbec
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -11,6 +11,7 @@ Changes in CUPS v2.4.11 (YYYY-MM-DD)
   (Issue #990)
 - Fixed issues with cupsGetDestMediaByXxx (Issue #993)
 - Fixed adding and modifying of printers via the web interface (Issue #998)
+- Fixed HTTP PeerCred authentication for domain users (Issue #1001)
 - Fixed checkbox support (Issue #1008)
 - Fixed printer state notifications (Issue #1013)
 

diff --git a/conf/cups-files.conf.in b/conf/cups-files.conf.in
@@ -6,6 +6,9 @@
 # List of events that are considered fatal errors for the scheduler...
 #FatalErrors @CUPS_FATAL_ERRORS@
 
+# Strip domain in local username?
+#StripUserDomain No
+
 # Do we call fsync() after writing configuration or status files?
 #SyncOnClose @CUPS_SYNC_ON_CLOSE@
 

diff --git a/doc/help/man-cups-files.conf.html b/doc/help/man-cups-files.conf.html
@@ -146,6 +146,14 @@ <h3><a name="DIRECTIVES">Directives</a></h3>
 <dt><a name="StateDir"></a><b>StateDir </b><i>directory</i>
 <dd style="margin-left: 5.0em">Specifies the directory to use for PID and local certificate files.
 The default is "/var/run/cups" or "/etc/cups" depending on the platform.
+<dt><a name="StripUserDomain"></a><b>StripUserDomain Yes</b>
+<dd style="margin-left: 5.0em"><dt><b>StripUserDomain No</b>
+<dd style="margin-left: 5.0em">Specifies whether to remove domain from user name during local user authentication (e.g., "[email protected]" –> "user").
+This practice can be beneficial for maintaining compatibility with older versions of Kerberos.
+However, enabling this option can have negative consequences.
+It may result in confusion between domain and local users with identical names, potentially leading
+to incorrect assignment of user permissions and unintentional permission escalation,
+thus creating a security risk. Therefore, it is advisable to avoid using this option in most cases.
 <dt><a name="SyncOnClose"></a><b>SyncOnClose Yes</b>
 <dd style="margin-left: 5.0em"><dt><b>SyncOnClose No</b>
 <dd style="margin-left: 5.0em">Specifies whether the scheduler calls

diff --git a/man/cups-files.conf.5 b/man/cups-files.conf.5
@@ -210,6 +210,17 @@ Note: the standard CUPS filter and backend environment variables cannot be overr
 \fBStateDir \fIdirectory\fR
 Specifies the directory to use for PID and local certificate files.
 The default is "/var/run/cups" or "/etc/cups" depending on the platform.
+.\"#StripUserDomain
+.TP 5
+\StripUserDomain Yes\fR
+.TP 5
+\StripUserDomain No\fR
+Specifies whether to remove domain from user name during local user authentication (e.g., "[email protected]" –> "user").
+This practice can be beneficial for maintaining compatibility with older versions of Kerberos.
+However, enabling this option can have negative consequences.
+It may result in confusion between domain and local users with identical names, potentially leading
+to incorrect assignment of user permissions and unintentional permission escalation,
+thus creating a security risk. Therefore, it is advisable to avoid using this option in most cases.
 .\"#SyncOnClose
 .TP 5
 \fBSyncOnClose Yes\fR

diff --git a/scheduler/auth.c b/scheduler/auth.c
@@ -1722,14 +1722,14 @@ cupsdIsAuthorized(cupsd_client_t *con,	/* I - Connection */
   * Strip any @domain or @KDC from the username and owner...
   */
 
-  if ((ptr = strchr(username, '@')) != NULL)
+  if (StripUserDomain && (ptr = strchr(username, '@')) != NULL)
     *ptr = '\0';
 
   if (owner)
   {
     strlcpy(ownername, owner, sizeof(ownername));
 
-    if ((ptr = strchr(ownername, '@')) != NULL)
+    if (StripUserDomain && (ptr = strchr(ownername, '@')) != NULL)
       *ptr = '\0';
   }
   else

diff --git a/scheduler/conf.c b/scheduler/conf.c
@@ -154,6 +154,7 @@ static const cupsd_var_t	cupsfiles_vars[] =
 #endif /* HAVE_TLS */
   { "ServerRoot",		&ServerRoot,		CUPSD_VARTYPE_PATHNAME },
   { "StateDir",			&StateDir,		CUPSD_VARTYPE_STRING },
+  { "StripUserDomain",		&StripUserDomain,	CUPSD_VARTYPE_BOOLEAN },
   { "SyncOnClose",		&SyncOnClose,		CUPSD_VARTYPE_BOOLEAN },
 #ifdef HAVE_AUTHORIZATION_H
   { "SystemGroupAuthKey",	&SystemGroupAuthKey,	CUPSD_VARTYPE_STRING },
@@ -729,6 +730,7 @@ cupsdReadConfiguration(void)
   LogFilePerm              = CUPS_DEFAULT_LOG_FILE_PERM;
   LogFileGroup             = Group;
   LogLevel                 = CUPSD_LOG_WARN;
+  StripUserDomain          = FALSE;
   LogTimeFormat            = CUPSD_TIME_STANDARD;
   MaxClients               = 100;
   MaxClientsPerHost        = 0;

diff --git a/scheduler/conf.h b/scheduler/conf.h
@@ -176,6 +176,8 @@ VAR gid_t		LogFileGroup		VALUE(0);
 					/* Group ID for log files */
 VAR cupsd_loglevel_t	LogLevel		VALUE(CUPSD_LOG_WARN);
 					/* Error log level */
+VAR int			StripUserDomain		VALUE(FALSE);
+					/* Strip domain in local username? */
 VAR cupsd_time_t	LogTimeFormat		VALUE(CUPSD_TIME_STANDARD);
 					/* Log file time format */
 VAR cups_file_t		*LogStderr		VALUE(NULL);