Attachment 11791 Details for Bug 11690 – patch for 4.2

[patch] patch for 4.2

v4-2-test.patch (text/plain), 9.09 KB, created by Andreas Schneider on 2016-01-27 07:38:25 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andreas Schneider

Created: 2016-01-27 07:38:25 UTC

Size: 9.09 KB

patch

obsolete

>From 96e888fc6dd350dec8054e64637c3c5eff8d9659 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@cryptomilk.org>
>Date: Tue, 12 Jan 2016 15:17:22 +0100
>Subject: [PATCH 1/2] s3-client: Add a KRB5 wrapper for smbspool
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11690
>
>We need a wrapper for smbspool to be able to authenticate with Kerberos.
>This needs to replace the cups smb backend. The permission need to be
>0700 and the owner root.
>
>Note that Kerberos support is broken in CUPS 2.1.2 maybe earlier
>versions. It works with 1.6.3.
>
>Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>Reviewed-by: Guenther Deschner <gd@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>
>Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
>Autobuild-Date(master): Mon Jan 25 19:58:46 CET 2016 on sn-devel-144
>
>(cherry picked from commit 62c68bd8c8f7a7e057e38a461707f1c195e62df0)
>---
> source3/client/README.smbspool         |  17 +++
> source3/client/smbspool_krb5_wrapper.c | 210 +++++++++++++++++++++++++++++++++
> source3/wscript_build                  |   7 ++
> 3 files changed, 234 insertions(+)
> create mode 100644 source3/client/README.smbspool
> create mode 100644 source3/client/smbspool_krb5_wrapper.c
>
>diff --git a/source3/client/README.smbspool b/source3/client/README.smbspool
>new file mode 100644
>index 0000000..f73167a6
>--- /dev/null
>+++ b/source3/client/README.smbspool
>@@ -0,0 +1,17 @@
>+smbspool
>+=========
>+
>+smbspool is a very small print spooling program that sends a print file to an
>+SMB printer. The command-line arguments are position-dependent for
>+compatibility with the CUPS.
>+
>+For printing support with Kerberos, CUPS 1.5+ needs a wrapper for the backend
>+which sets the correct location of the Kerberos credential cache.
>+
>+smbspool_krb5_wrapper
>+======================
>+
>+This tool can be used to print using Kerberos credentials. To get this working
>+smbspool_krb5_wrapper needs to be the smb backend of CUPS. It needs to be owned
>+by root and the permissions for the binary need to be 0700. Once
>+smbspool_krb5_wrapper switched to the user trying to print it executes smbspool.
>diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
>new file mode 100644
>index 0000000..e19fd92
>--- /dev/null
>+++ b/source3/client/smbspool_krb5_wrapper.c
>@@ -0,0 +1,210 @@
>+/*
>+ * Unix SMB/CIFS implementation.
>+ *
>+ * CUPS printing backend helper to execute smbspool
>+ *
>+ * Copyright (C) 2010-2011 Andreas Schneider <asn@samba.org>
>+ *
>+ * This program is free software; you can redistribute it and/or modify
>+ * it under the terms of the GNU General Public License as published by
>+ * the Free Software Foundation; either version 3 of the License, or
>+ * (at your option) any later version.
>+ *
>+ * This program is distributed in the hope that it will be useful,
>+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>+ * GNU General Public License for more details.
>+ *
>+ * You should have received a copy of the GNU General Public License
>+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
>+ */
>+
>+#include "includes.h"
>+#include "system/filesys.h"
>+#include "system/passwd.h"
>+
>+#include <errno.h>
>+#include <string.h>
>+
>+#include <cups/backend.h>
>+
>+#include "dynconfig/dynconfig.h"
>+
>+enum cups_smb_dbglvl_e {
>+	CUPS_SMB_LOG_DEBUG = 0,
>+	CUPS_SMB_LOG_ERROR,
>+};
>+static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...);
>+
>+#define CUPS_SMB_DEBUG(...) cups_smb_debug(CUPS_SMB_LOG_DEBUG, __VA_ARGS__)
>+#define CUPS_SMB_ERROR(...) cups_smb_debug(CUPS_SMB_LOG_DEBUG, __VA_ARGS__)
>+
>+static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...)
>+{
>+	const char *prefix = "DEBUG";
>+	char buffer[1024];
>+	va_list va;
>+
>+	va_start(va, format);
>+	vsnprintf(buffer, sizeof(buffer), format, va);
>+	va_end(va);
>+
>+	switch (lvl) {
>+	case CUPS_SMB_LOG_DEBUG:
>+		prefix = "DEBUG";
>+		break;
>+	case CUPS_SMB_LOG_ERROR:
>+		prefix = "ERROR";
>+		break;
>+	}
>+
>+	fprintf(stderr,
>+		"%s: SMBSPOOL_KRB5 - %s\n",
>+		prefix,
>+		buffer);
>+}
>+
>+/*
>+ * This is a helper binary to execute smbspool.
>+ *
>+ * It needs to be installed or symlinked as:
>+ *      /usr/lib/cups/backend/smb
>+ *
>+ * The permissions of the binary need to be set to 0700 so that it is executed
>+ * as root. The binary switches to the user which is passed via the environment
>+ * variable AUTH_UID, so we can access the kerberos ticket.
>+ */
>+int main(int argc, char *argv[])
>+{
>+	char smbspool_cmd[PATH_MAX] = {0};
>+	struct passwd *pwd;
>+	char gen_cc[PATH_MAX] = {0};
>+	struct stat sb;
>+	char *env;
>+	uid_t uid = (uid_t)-1;
>+	gid_t gid = (gid_t)-1;
>+	unsigned long tmp;
>+	int cmp;
>+	int rc;
>+
>+	uid = getuid();
>+
>+	CUPS_SMB_DEBUG("Started with uid=%d\n", uid);
>+	if (uid != 0) {
>+		goto smbspool;
>+	}
>+
>+	/* Check if AuthInfoRequired is set to negotiate */
>+	env = getenv("AUTH_INFO_REQUIRED");
>+	if (env == NULL) {
>+		CUPS_SMB_ERROR("AUTH_INFO_REQUIRED is not set");
>+		fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
>+		return CUPS_BACKEND_AUTH_REQUIRED;
>+	}
>+
>+	CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
>+	cmp = strcmp(env, "negotiate");
>+	if (cmp != 0) {
>+		CUPS_SMB_ERROR("AUTH_INFO_REQUIRED is not set to negotiate");
>+		fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
>+		return CUPS_BACKEND_AUTH_REQUIRED;
>+	}
>+
>+	/*
>+	 * AUTH_UID gets only set if we have an incoming connection over the
>+	 * CUPS unix domain socket.
>+	 */
>+	env = getenv("AUTH_UID");
>+	if (env == NULL) {
>+		CUPS_SMB_ERROR("AUTH_UID is not set");
>+		fprintf(stderr, "ATTR: auth-info-required=negotiate\n");
>+		return CUPS_BACKEND_AUTH_REQUIRED;
>+	}
>+
>+	if (strlen(env) > 10) {
>+		CUPS_SMB_ERROR("Invalid AUTH_UID");
>+		return CUPS_BACKEND_FAILED;
>+	}
>+
>+	errno = 0;
>+	tmp = strtoul(env, NULL, 10);
>+	if (errno != 0 || tmp >= UINT32_MAX) {
>+		CUPS_SMB_ERROR("Failed to convert AUTH_UID=%s", env);
>+		return CUPS_BACKEND_FAILED;
>+	}
>+	uid = (uid_t)tmp;
>+
>+	pwd = getpwuid(uid);
>+	if (pwd == NULL) {
>+		CUPS_SMB_ERROR("Failed to find system user: %u - %s",
>+			       uid, strerror(errno));
>+		return CUPS_BACKEND_FAILED;
>+	}
>+	gid = pwd->pw_gid;
>+
>+	rc = setgroups(0, NULL);
>+	if (rc != 0) {
>+		CUPS_SMB_ERROR("Failed to clear groups - %s",
>+			       strerror(errno));
>+		return CUPS_BACKEND_FAILED;
>+	}
>+
>+	CUPS_SMB_DEBUG("Switching to gid=%d", gid);
>+	rc = setgid(gid);
>+	if (rc != 0) {
>+		CUPS_SMB_ERROR("Failed to switch to gid=%u",
>+			       gid,
>+			       strerror(errno));
>+		return CUPS_BACKEND_FAILED;
>+	}
>+
>+	CUPS_SMB_DEBUG("Switching to uid=%u", uid);
>+	rc = setuid(uid);
>+	if (rc != 0) {
>+		CUPS_SMB_ERROR("Failed to switch to uid=%u",
>+			       uid,
>+			       strerror(errno));
>+		return CUPS_BACKEND_FAILED;
>+	}
>+
>+	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
>+
>+	rc = lstat(gen_cc, &sb);
>+	if (rc == 0) {
>+		snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid);
>+	} else {
>+		snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid);
>+
>+		rc = lstat(gen_cc, &sb);
>+		if (rc == 0 && S_ISDIR(sb.st_mode)) {
>+			snprintf(gen_cc,
>+				 sizeof(gen_cc),
>+				 "DIR:/run/user/%d/krb5cc",
>+				 uid);
>+		} else {
>+#if defined(__linux__)
>+			snprintf(gen_cc,
>+				 sizeof(gen_cc),
>+				 "KEYRING:persistent:%d",
>+				 uid);
>+#endif
>+		}
>+	}
>+
>+	/*
>+	 * Make sure we do not have LD_PRELOAD or other security relevant
>+	 * environment variables set.
>+	 */
>+	clearenv();
>+
>+	CUPS_SMB_DEBUG("Setting KRB5CCNAME to '%s'", gen_cc);
>+	setenv("KRB5CCNAME", gen_cc, 1);
>+
>+smbspool:
>+	snprintf(smbspool_cmd,
>+		 sizeof(smbspool_cmd),
>+		 "%s/smbspool",
>+		 get_dyn_BINDIR());
>+
>+	return execv(smbspool_cmd, argv);
>+}
>diff --git a/source3/wscript_build b/source3/wscript_build
>index 27f3783..f82b05b 100755
>--- a/source3/wscript_build
>+++ b/source3/wscript_build
>@@ -1152,6 +1152,13 @@ bld.SAMBA3_BINARY('smbspool',
>                  libsmb
>                  samba3core''')
> 
>+bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
>+                 source='client/smbspool_krb5_wrapper.c',
>+                 deps='''
>+                 DYNCONFIG
>+                 cups
>+                 ''')
>+
> bld.SAMBA3_BINARY('testparm',
>                  source='utils/testparm.c',
>                  deps='''
>-- 
>2.7.0
>
>
>From 63f8f53cdb16108bbaf2591c6773826dc64019f3 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Tue, 26 Jan 2016 11:28:50 +0100
>Subject: [PATCH 2/2] waf: Only build smb_krb5_wrapper if we have CUPS
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 192f1516c378ae942d14921bfcc1e11173da36e6)
>---
> source3/wscript_build | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/source3/wscript_build b/source3/wscript_build
>index f82b05b..58e1b99 100755
>--- a/source3/wscript_build
>+++ b/source3/wscript_build
>@@ -1157,7 +1157,8 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
>                  deps='''
>                  DYNCONFIG
>                  cups
>-                 ''')
>+                 ''',
>+                 enabled=bld.CONFIG_SET('HAVE_CUPS'))
> 
> bld.SAMBA3_BINARY('testparm',
>                  source='utils/testparm.c',
>-- 
>2.7.0
>

Flags:

slow: review+

Actions: View

Attachments on bug 11690: 11791 | 11792 | 11811 | 11812