static OSStatus
acquireticket_ui(KLPrincipal inPrincipal,
KLLoginOptions inLoginOptions,
KLPrincipal *outPrincipal,
char **outCredCacheName)
{
AuthorizationRef auth;
OSStatus ret;
char *princ = NULL;
CFDataRef d = NULL;
LOG_ENTRY();
if (outPrincipal)
*outPrincipal = NULL;
if (outCredCacheName)
*outCredCacheName = NULL;
if (inPrincipal) {
ret = heim_krb5_unparse_name(milcontext, inPrincipal, &princ);
if (ret)
return ret;
}
ret = AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &auth);
if (ret) {
free(princ);
return ret;
}
AuthorizationItem rightItems[1] = { kCoreAuthPanelKerberosRight, 0, NULL, 0 };
AuthorizationRights rights = { sizeof(rightItems[0])/sizeof(rightItems) , rightItems };
AuthorizationItem envItems[3];
AuthorizationEnvironment env = { 0 , envItems };
AuthorizationFlags authFlags = kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights;
if (princ) {
envItems[env.count].name = kCoreAuthPanelKerberosPrincipal;
envItems[env.count].valueLength = strlen(princ);
envItems[env.count].value = princ;
envItems[env.count].flags = 0;
env.count++;
}
if (inLoginOptions && inLoginOptions->opt) {
CFMutableDictionaryRef dict;
dict = CFDictionaryCreateMutable(NULL, 1,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (dict == NULL)
goto out;
if (inLoginOptions->opt->renew_life) {
CFStringRef t;
t = CFStringCreateWithFormat(NULL, 0, CFSTR("%ld"),(long)inLoginOptions->opt->renew_life);
CFDictionarySetValue(dict, CFSTR("renewTime"), t);
CFRelease(t);
}
d = CFPropertyListCreateData(NULL, dict, kCFPropertyListBinaryFormat_v1_0,
0, NULL);
CFRelease(dict);
envItems[env.count].name = kCoreAuthPanelKerberosOptions;
envItems[env.count].valueLength = CFDataGetLength(d);
envItems[env.count].value = (void *)CFDataGetBytePtr(d);
envItems[env.count].flags = 0;
env.count++;
}
ret = AuthorizationCopyRights(auth, &rights, &env, authFlags, NULL);
if (ret == 0 && outPrincipal) {
AuthorizationItemSet *info;
UInt32 i;
ret = AuthorizationCopyInfo(auth, NULL, &info);
if (ret)
goto out;
for(i = 0; i < info->count; i++) {
if (strcmp(info->items[i].name, "out-principal") == 0) {
char *str;
asprintf(&str, "%.*s", (int)info->items[i].valueLength, (char *)info->items[i].value);
heim_krb5_parse_name(milcontext, str, outPrincipal);
} else if (strcmp(info->items[i].name, "out-cache-name") == 0) {
asprintf(outCredCacheName, "%.*s", (int)info->items[i].valueLength, (char *)info->items[i].value);
}
}
AuthorizationFreeItemSet(info);
if (*outPrincipal == NULL)
ret = EINVAL;
}
out:
if (d)
CFRelease(d);
AuthorizationFree(auth, kAuthorizationFlagDestroyRights);
free(princ);
return ret;
}
bool launcherApplication::Elevate(const StringArray& commandLineArray)
{
#if defined(JUCE_LINUX) || defined(JUCE_BSD)
if (geteuid() == 0) {
return true;
}
String parameters("--user root /usr/bin/env ");
const char *var = getenv("DISPLAY");
if (var) {
String s("DISPLAY=" + String(var).quoted());
parameters += s + " ";
}
var = getenv("XAUTHORITY");
if (var) {
String s("XAUTHORITY=" + String(var).quoted());
parameters += s + " ";
}
String launcher(File::getSpecialLocation(
File::currentExecutableFile).getFullPathName());
if (launcher.contains(" ")) {
launcher = launcher.quoted();
}
parameters += String(" ") + launcher;
for (int i = 0; i < commandLineArray.size(); i++)
{
parameters += " ";
if (commandLineArray[i].contains(" "))
parameters += commandLineArray[i].quoted();
else
parameters += commandLineArray[i];
}
File pkexec("/usr/bin/pkexec");
if (pkexec.exists() && pkexec.startAsProcess(parameters)) {
quit();
}
pkexec = "/usr/local/bin/pkexec";
if (pkexec.exists() && pkexec.startAsProcess(parameters)) {
quit();
}
#elif defined(JUCE_WINDOWS)
BOOL fIsRunAsAdmin = FALSE;
DWORD dwError = ERROR_SUCCESS;
PSID pAdministratorsGroup = NULL;
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
if (!AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdministratorsGroup)) {
dwError = GetLastError();
goto cleanup;
}
if (!CheckTokenMembership(NULL, pAdministratorsGroup, &fIsRunAsAdmin)) {
dwError = GetLastError();
goto cleanup;
}
cleanup:
if (pAdministratorsGroup) {
FreeSid(pAdministratorsGroup);
pAdministratorsGroup = NULL;
}
if (dwError != ERROR_SUCCESS) {
throw dwError;
}
if (fIsRunAsAdmin) {
return true;
}
TCHAR szPath[MAX_PATH];
if (!GetModuleFileName(NULL, szPath, ARRAYSIZE(szPath))) {
dwError = GetLastError();
throw dwError;
}
String commandLine;
for (int i = 0; i < commandLineArray.size(); i++) {
if (commandLineArray[i].contains(" ")) {
commandLine += String("\"") + commandLineArray[i] + String("\"");
} else {
commandLine += commandLineArray[i];
}
if (i + 1 < commandLineArray.size()) {
commandLine += " ";
}
}
SHELLEXECUTEINFO sei = { 0 };
sei.cbSize = sizeof(SHELLEXECUTEINFO);
sei.lpVerb = _T("runas");
sei.lpFile = szPath;
sei.lpParameters = commandLine.toUTF8();
sei.nShow = SW_NORMAL;
if (ShellExecuteEx(&sei)) {
_exit(1);
}
#elif defined(JUCE_MAC)
if (geteuid() == 0) {
return true;
}
String launcher(File::getSpecialLocation(
File::currentExecutableFile).getFullPathName());
const char * execpath = launcher.toRawUTF8();
char * args[] = { NULL };
OSStatus err;
AuthorizationRef ref;
AuthorizationFlags flags;
flags = kAuthorizationFlagDefaults;
err = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, flags, &ref);
if ( err != errAuthorizationSuccess ) {
quit();
}
AuthorizationItem _temp = { kAuthorizationRightExecute, 0, NULL, 0 };
AuthorizationRights rights = { 1, &_temp };
flags = kAuthorizationFlagDefaults
| kAuthorizationFlagInteractionAllowed
| kAuthorizationFlagPreAuthorize
| kAuthorizationFlagExtendRights;
err = AuthorizationCopyRights(ref, &rights, NULL, flags, NULL);
if ( err != errAuthorizationSuccess ) {
AuthorizationFree(ref, kAuthorizationFlagDefaults);
quit();
}
flags = kAuthorizationFlagDefaults;
err = AuthorizationExecuteWithPrivileges(ref, execpath, flags, args, NULL);
AuthorizationFree(ref, kAuthorizationFlagDefaults);
// Probably overkill.
if ( err != errAuthorizationSuccess ) {
quit();
}
#endif // JUCE_MAC
return false;
}
int main (int argc, const char * argv[]) {
OSStatus myStatus;
AuthorizationFlags myFlags = kAuthorizationFlagDefaults; // 1
AuthorizationRef myAuthorizationRef; // 2
myStatus = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, // 3
myFlags, &myAuthorizationRef);
if (myStatus != errAuthorizationSuccess)
return myStatus;
do
{
{
AuthorizationItem myItems = {kAuthorizationRightExecute, 0, // 4
NULL, 0};
AuthorizationRights myRights = {1, &myItems}; // 5
myFlags = kAuthorizationFlagDefaults | // 6
kAuthorizationFlagInteractionAllowed |
kAuthorizationFlagPreAuthorize |
kAuthorizationFlagExtendRights;
myStatus = AuthorizationCopyRights (myAuthorizationRef, // 7
&myRights, NULL, myFlags, NULL );
}
if (myStatus != errAuthorizationSuccess) break;
{
// Grab the arguent length
int size = strlen(argv[1]);
// Grab the first argument
char myToolPath[size];
strcpy(myToolPath,argv[1]);
char **myArguments = (char **)&argv[2];
FILE *myCommunicationsPipe = NULL;
char myReadBuffer[128];
myFlags = kAuthorizationFlagDefaults; // 8
myStatus = AuthorizationExecuteWithPrivileges // 9
(myAuthorizationRef, myToolPath, myFlags, myArguments,
&myCommunicationsPipe);
// Any compile warnings here come from the sample apple code.
if (myStatus == errAuthorizationSuccess)
for(;;)
{
int bytesRead = read (fileno (myCommunicationsPipe),
myReadBuffer, sizeof (myReadBuffer));
if (bytesRead < 1) break;
write (fileno (stdout), myReadBuffer, bytesRead);
}
}
} while (0);
AuthorizationFree (myAuthorizationRef, kAuthorizationFlagDefaults); // 10
if (myStatus) printf("Status: %ld\n", myStatus);
return myStatus;
}
static int /* O - 0 if available */
/* 1 if not available */
/* -1 error */
cups_local_auth(http_t *http) /* I - HTTP connection to server */
{
#if defined(WIN32) || defined(__EMX__)
/*
* Currently WIN32 and OS-2 do not support the CUPS server...
*/
return (1);
#else
int pid; /* Current process ID */
FILE *fp; /* Certificate file */
char trc[16], /* Try Root Certificate parameter */
filename[1024]; /* Certificate filename */
_cups_globals_t *cg = _cupsGlobals(); /* Global data */
# if defined(HAVE_AUTHORIZATION_H)
OSStatus status; /* Status */
AuthorizationItem auth_right; /* Authorization right */
AuthorizationRights auth_rights; /* Authorization rights */
AuthorizationFlags auth_flags; /* Authorization flags */
AuthorizationExternalForm auth_extrn; /* Authorization ref external */
char auth_key[1024]; /* Buffer */
char buffer[1024]; /* Buffer */
# endif /* HAVE_AUTHORIZATION_H */
DEBUG_printf(("7cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"", (void *)http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname));
/*
* See if we are accessing localhost...
*/
if (!httpAddrLocalhost(http->hostaddr) &&
_cups_strcasecmp(http->hostname, "localhost") != 0)
{
DEBUG_puts("8cups_local_auth: Not a local connection!");
return (1);
}
# if defined(HAVE_AUTHORIZATION_H)
/*
* Delete any previous authorization reference...
*/
if (http->auth_ref)
{
AuthorizationFree(http->auth_ref, kAuthorizationFlagDefaults);
http->auth_ref = NULL;
}
if (!getenv("GATEWAY_INTERFACE") &&
httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey",
auth_key, sizeof(auth_key)))
{
status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
kAuthorizationFlagDefaults, &http->auth_ref);
if (status != errAuthorizationSuccess)
{
DEBUG_printf(("8cups_local_auth: AuthorizationCreate() returned %d (%s)",
(int)status, cssmErrorString(status)));
return (-1);
}
auth_right.name = auth_key;
auth_right.valueLength = 0;
auth_right.value = NULL;
auth_right.flags = 0;
auth_rights.count = 1;
auth_rights.items = &auth_right;
auth_flags = kAuthorizationFlagDefaults |
kAuthorizationFlagPreAuthorize |
kAuthorizationFlagInteractionAllowed |
kAuthorizationFlagExtendRights;
status = AuthorizationCopyRights(http->auth_ref, &auth_rights,
kAuthorizationEmptyEnvironment,
auth_flags, NULL);
if (status == errAuthorizationSuccess)
status = AuthorizationMakeExternalForm(http->auth_ref, &auth_extrn);
if (status == errAuthorizationSuccess)
{
/*
* Set the authorization string and return...
*/
httpEncode64_2(buffer, sizeof(buffer), (void *)&auth_extrn,
sizeof(auth_extrn));
httpSetAuthString(http, "AuthRef", buffer);
DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"",
http->authstring));
return (0);
}
else if (status == errAuthorizationCanceled)
return (-1);
DEBUG_printf(("9cups_local_auth: AuthorizationCopyRights() returned %d (%s)",
(int)status, cssmErrorString(status)));
/*
* Fall through to try certificates...
*/
}
# endif /* HAVE_AUTHORIZATION_H */
# if defined(SO_PEERCRED) && defined(AF_LOCAL)
/*
* See if we can authenticate using the peer credentials provided over a
* domain socket; if so, specify "PeerCred username" as the authentication
* information...
*/
if (
# ifdef HAVE_GSSAPI
_cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9) &&
# endif /* HAVE_GSSAPI */
# ifdef HAVE_AUTHORIZATION_H
!httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey",
auth_key, sizeof(auth_key)) &&
# endif /* HAVE_AUTHORIZATION_H */
http->hostaddr->addr.sa_family == AF_LOCAL &&
!getenv("GATEWAY_INTERFACE")) /* Not via CGI programs... */
{
/*
* Verify that the current cupsUser() matches the current UID...
*/
struct passwd *pwd; /* Password information */
const char *username; /* Current username */
username = cupsUser();
if ((pwd = getpwnam(username)) != NULL && pwd->pw_uid == getuid())
{
httpSetAuthString(http, "PeerCred", username);
DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"",
http->authstring));
return (0);
}
}
# endif /* SO_PEERCRED && AF_LOCAL */
/*
* Try opening a certificate file for this PID. If that fails,
* try the root certificate...
*/
pid = getpid();
snprintf(filename, sizeof(filename), "%s/certs/%d", cg->cups_statedir, pid);
if ((fp = fopen(filename, "r")) == NULL && pid > 0)
{
/*
* No certificate for this PID; see if we can get the root certificate...
*/
DEBUG_printf(("9cups_local_auth: Unable to open file %s: %s",
filename, strerror(errno)));
# ifdef HAVE_GSSAPI
if (!_cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9))
{
/*
* Kerberos required, don't try the root certificate...
*/
return (1);
}
# endif /* HAVE_GSSAPI */
# ifdef HAVE_AUTHORIZATION_H
if (httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey",
auth_key, sizeof(auth_key)))
{
/*
* Don't use the root certificate as a replacement for an authkey...
*/
return (1);
}
# endif /* HAVE_AUTHORIZATION_H */
if (!httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "trc", trc,
sizeof(trc)))
{
/*
* Scheduler doesn't want us to use the root certificate...
*/
return (1);
}
snprintf(filename, sizeof(filename), "%s/certs/0", cg->cups_statedir);
fp = fopen(filename, "r");
}
if (fp)
{
/*
* Read the certificate from the file...
*/
char certificate[33], /* Certificate string */
*certptr; /* Pointer to certificate string */
certptr = fgets(certificate, sizeof(certificate), fp);
fclose(fp);
if (certptr)
{
/*
* Set the authorization string and return...
*/
httpSetAuthString(http, "Local", certificate);
DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"",
http->authstring));
return (0);
}
}
return (1);
#endif /* WIN32 || __EMX__ */
}
