From 83856ec846700bfd38834397ca8549d2f61b58e1 Mon Sep 17 00:00:00 2001
From: Tim Waugh
Date: Mar 29 2007 16:35:20 +0000
Subject: - Small improvement for AF_UNIX auth patch.
---
diff --git a/cups-af_unix-auth.patch b/cups-af_unix-auth.patch
new file mode 100644
index 0000000..e983159
--- /dev/null
+++ b/cups-af_unix-auth.patch
@@ -0,0 +1,191 @@ +--- cups-1.2.10/cups/auth.c.af_unix-auth 2007-01-10 16:48:37.000000000 +0000 ++++ cups-1.2.10/cups/auth.c 2007-03-29 16:59:51.000000000 +0100 +@@ -26,6 +26,8 @@ + * Contents: + * + * cupsDoAuthentication() - Authenticate a request. ++ * cups_peercred_auth() - Find out if SO_PEERCRED authentication ++ * is possible + * cups_local_auth() - Get the local authorization certificate if + * available/applicable... + */ +@@ -40,7 +42,9 @@ + #include + #include + #include ++#include + #include ++#include + #if defined(WIN32) || defined(__EMX__) + # include + #else +@@ -177,6 +181,76 @@ + return (0); + } + ++/* ++ * 'cups_peercred_auth()' ++ * - UNIX Domain Sockets authentication ++ */ ++ ++static int /* O - 0 if available, -1 if not */ ++cups_peercred_auth(http_t *http) /* I - HTTP connection to server */ ++{ ++#ifdef SO_PEERCRED ++ long buflen; ++ char *buf, *newbuf; ++ struct passwd pwbuf, *pwbufptr; ++ int r; ++ ++ if (http->hostaddr->addr.sa_family != AF_LOCAL) ++ return (-1); ++ ++ /* ++ * Are we trying to authenticate as ourselves? If not, SO_PEERCRED ++ * is no use. ++ */ ++ buflen = sysconf (_SC_GETPW_R_SIZE_MAX); ++ buf = NULL; ++ do ++ { ++ newbuf = realloc (buf, buflen); ++ if (newbuf == NULL) ++ { ++ free (buf); ++ return (-1); ++ } ++ ++ buf = newbuf; ++ r = getpwnam_r (cupsUser(), &pwbuf, buf, buflen, &pwbufptr); ++ if (r != 0) ++ { ++ if (r == ERANGE) ++ { ++ buflen *= 2; ++ continue; ++ } ++ ++ free (buf); ++ return (-1); ++ } ++ } ++ while (r != 0); ++ ++ if (pwbuf.pw_uid != getuid()) ++ { ++ free (buf); ++ return (-1); ++ } ++ ++ free (buf); ++ ++ /* ++ * Set the authorization string and return... 
++ */ ++ ++ snprintf(http->authstring, sizeof(http->authstring), "SO_PEERCRED"); ++ ++ DEBUG_printf(("cups_peercred_auth: Returning authstring = \"%s\"\n", ++ http->authstring)); ++ ++ return (0); ++#else ++ return (-1); ++#endif /* SO_PEERCRED */ ++} + + /* + * 'cups_local_auth()' - Get the local authorization certificate if +@@ -234,7 +308,7 @@ + { + DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n", + filename, strerror(errno))); +- return (-1); ++ return cups_peercred_auth(http); + } + + /* +--- cups-1.2.10/scheduler/auth.c.af_unix-auth 2006-09-12 14:58:39.000000000 +0100 ++++ cups-1.2.10/scheduler/auth.c 2007-03-29 17:03:53.000000000 +0100 +@@ -60,6 +60,9 @@ + + #include "cupsd.h" + #include ++#include ++#include ++#include + #ifdef HAVE_SHADOW_H + # include + #endif /* HAVE_SHADOW_H */ +@@ -79,6 +82,9 @@ + #ifdef HAVE_MEMBERSHIP_H + # include + #endif /* HAVE_MEMBERSHIP_H */ ++#if !defined(WIN32) && !defined(__EMX__) ++# include ++#endif + + + /* +@@ -384,6 +390,61 @@ + "cupsdAuthorize: No authentication data provided."); + return; + } ++#ifdef SO_PEERCRED ++ else if (!strncmp(authorization, "SO_PEERCRED", 3) && ++ con->http.hostaddr->addr.sa_family == AF_LOCAL) ++ { ++ long buflen; ++ char *buf, *newbuf; ++ struct passwd pwbuf, *pwbufptr; ++ struct ucred u; ++ socklen_t ulen = sizeof(u); ++ int r; ++ ++ if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &u, &ulen) == -1) ++ { ++ cupsdLogMessage(CUPSD_LOG_ERROR, ++ "cupsdAuthorize: getsockopt failed for SO_PEERCRED"); ++ return; ++ } ++ ++ buflen = sysconf (_SC_GETPW_R_SIZE_MAX); ++ buf = NULL; ++ do ++ { ++ newbuf = realloc (buf, buflen); ++ if (newbuf == NULL) ++ { ++ free (buf); ++ return; ++ } ++ ++ buf = newbuf; ++ ++ /* Look up which username the UID is for. 
*/ ++ r = getpwuid_r (u.uid, &pwbuf, buf, buflen, &pwbufptr); ++ if (r != 0) ++ { ++ if (r == ERANGE) ++ { ++ buflen *= 2; ++ continue; ++ } ++ ++ cupsdLogMessage(CUPSD_LOG_ERROR, ++ "cupsdAuthorize: getpwuid_r failed after SO_PEERCRED"); ++ free (buf); ++ return; ++ } ++ } ++ while (r != 0); ++ ++ strlcpy(username, pwbuf.pw_name, sizeof(username)); ++ free (buf); ++ cupsdLogMessage(CUPSD_LOG_DEBUG2, ++ "cupsdAuthorize: using SO_PEERCRED (uid=%d)", u.uid); ++ } ++#endif /* SO_PEERCRED */ + else if (!strncmp(authorization, "Local", 5) && + !strcasecmp(con->http.hostname, "localhost")) + { diff --git a/cups.spec b/cups.spec index 5f7127c..5144097 100644 --- a/cups.spec +++ b/cups.spec @@ -43,7 +43,7 @@ Patch18: cups-directed-broadcast.patch Patch19: cups-eggcups.patch Patch20: cups-getpass.patch Patch21: cups-driverd-timeout.patch -Patch22: cups-scm_credentials.patch +Patch22: cups-af_unix-auth.patch Patch100: cups-lspp.patch Epoch: 1 Url: http://www.cups.org/ @@ -149,7 +149,7 @@ lpd emulation. %patch19 -p1 -b .eggcups %patch20 -p1 -b .getpass %patch21 -p1 -b .driverd-timeout -%patch22 -p1 -b .scm_credentials +%patch22 -p1 -b .af_unix-auth %if %lspp %patch100 -p1 -b .lspp @@ -436,6 +436,9 @@ rm -rf $RPM_BUILD_ROOT %{cups_serverbin}/daemon/cups-lpd %changelog +* Thu Mar 29 2007 Tim Waugh +- Small improvement for AF_UNIX auth patch. + * Thu Mar 29 2007 Tim Waugh 1:1.2.10-2 - LSPP: Updated patch for line-wrapped labels (bug #228107).
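Review bot: In the scheduler/auth.c part of the new patch file, the `getpwuid_r` loop treats `r == 0` as success, but that call also returns 0 with `pwbufptr` set to NULL when the peer's UID has no passwd entry, so `strlcpy(username, pwbuf.pw_name, sizeof(username))` would then read an uninitialised pointer inside cupsd. Adding `if (pwbufptr == NULL) { free (buf); return; }` after the loop closes that, and the same check belongs after the `getpwnam_r` loop in `cups_peercred_auth()`, where `pwbuf.pw_uid` is compared with `getuid()` without confirming that an entry was found. The scheme test `!strncmp(authorization, "SO_PEERCRED", 3)` compares only the first three characters, so any Authorization value beginning with `SO_` on a local socket takes this branch; the neighbouring `"Local", 5` test uses the full length, which suggests `11` was intended here. `sysconf (_SC_GETPW_R_SIZE_MAX)` may return -1, in which case `realloc` is asked for an enormous size and both code paths simply fail, so a fallback such as `if (buflen <= 0) buflen = 1024;` would keep the lookup working on those systems. cupsdAuthorize and cups_local_auth both begin and end outside the inner hunks shown, so how `username` is used after this branch cannot be confirmed from here.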