static OSStatus acquireticket_ui(KLPrincipal inPrincipal, KLLoginOptions inLoginOptions, KLPrincipal *outPrincipal, char **outCredCacheName) { AuthorizationRef auth; OSStatus ret; char *princ = NULL; CFDataRef d = NULL; LOG_ENTRY(); if (outPrincipal) *outPrincipal = NULL; if (outCredCacheName) *outCredCacheName = NULL; if (inPrincipal) { ret = heim_krb5_unparse_name(milcontext, inPrincipal, &princ); if (ret) return ret; } ret = AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &auth); if (ret) { free(princ); return ret; } AuthorizationItem rightItems[1] = { kCoreAuthPanelKerberosRight, 0, NULL, 0 }; AuthorizationRights rights = { sizeof(rightItems[0])/sizeof(rightItems) , rightItems }; AuthorizationItem envItems[3]; AuthorizationEnvironment env = { 0 , envItems }; AuthorizationFlags authFlags = kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights; if (princ) { envItems[env.count].name = kCoreAuthPanelKerberosPrincipal; envItems[env.count].valueLength = strlen(princ); envItems[env.count].value = princ; envItems[env.count].flags = 0; env.count++; } if (inLoginOptions && inLoginOptions->opt) { CFMutableDictionaryRef dict; dict = CFDictionaryCreateMutable(NULL, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (dict == NULL) goto out; if (inLoginOptions->opt->renew_life) { CFStringRef t; t = CFStringCreateWithFormat(NULL, 0, CFSTR("%ld"),(long)inLoginOptions->opt->renew_life); CFDictionarySetValue(dict, CFSTR("renewTime"), t); CFRelease(t); } d = CFPropertyListCreateData(NULL, dict, kCFPropertyListBinaryFormat_v1_0, 0, NULL); CFRelease(dict); envItems[env.count].name = kCoreAuthPanelKerberosOptions; envItems[env.count].valueLength = CFDataGetLength(d); envItems[env.count].value = (void *)CFDataGetBytePtr(d); envItems[env.count].flags = 0; env.count++; } ret = AuthorizationCopyRights(auth, &rights, &env, authFlags, NULL); if (ret == 0 && outPrincipal) { AuthorizationItemSet *info; UInt32 i; ret = AuthorizationCopyInfo(auth, NULL, &info); if (ret) goto out; for(i = 0; i < info->count; i++) { if (strcmp(info->items[i].name, "out-principal") == 0) { char *str; asprintf(&str, "%.*s", (int)info->items[i].valueLength, (char *)info->items[i].value); heim_krb5_parse_name(milcontext, str, outPrincipal); } else if (strcmp(info->items[i].name, "out-cache-name") == 0) { asprintf(outCredCacheName, "%.*s", (int)info->items[i].valueLength, (char *)info->items[i].value); } } AuthorizationFreeItemSet(info); if (*outPrincipal == NULL) ret = EINVAL; } out: if (d) CFRelease(d); AuthorizationFree(auth, kAuthorizationFlagDestroyRights); free(princ); return ret; }
bool launcherApplication::Elevate(const StringArray& commandLineArray) { #if defined(JUCE_LINUX) || defined(JUCE_BSD) if (geteuid() == 0) { return true; } String parameters("--user root /usr/bin/env "); const char *var = getenv("DISPLAY"); if (var) { String s("DISPLAY=" + String(var).quoted()); parameters += s + " "; } var = getenv("XAUTHORITY"); if (var) { String s("XAUTHORITY=" + String(var).quoted()); parameters += s + " "; } String launcher(File::getSpecialLocation( File::currentExecutableFile).getFullPathName()); if (launcher.contains(" ")) { launcher = launcher.quoted(); } parameters += String(" ") + launcher; for (int i = 0; i < commandLineArray.size(); i++) { parameters += " "; if (commandLineArray[i].contains(" ")) parameters += commandLineArray[i].quoted(); else parameters += commandLineArray[i]; } File pkexec("/usr/bin/pkexec"); if (pkexec.exists() && pkexec.startAsProcess(parameters)) { quit(); } pkexec = "/usr/local/bin/pkexec"; if (pkexec.exists() && pkexec.startAsProcess(parameters)) { quit(); } #elif defined(JUCE_WINDOWS) BOOL fIsRunAsAdmin = FALSE; DWORD dwError = ERROR_SUCCESS; PSID pAdministratorsGroup = NULL; SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; if (!AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdministratorsGroup)) { dwError = GetLastError(); goto cleanup; } if (!CheckTokenMembership(NULL, pAdministratorsGroup, &fIsRunAsAdmin)) { dwError = GetLastError(); goto cleanup; } cleanup: if (pAdministratorsGroup) { FreeSid(pAdministratorsGroup); pAdministratorsGroup = NULL; } if (dwError != ERROR_SUCCESS) { throw dwError; } if (fIsRunAsAdmin) { return true; } TCHAR szPath[MAX_PATH]; if (!GetModuleFileName(NULL, szPath, ARRAYSIZE(szPath))) { dwError = GetLastError(); throw dwError; } String commandLine; for (int i = 0; i < commandLineArray.size(); i++) { if (commandLineArray[i].contains(" ")) { commandLine += String("\"") + commandLineArray[i] + String("\""); } else { commandLine += commandLineArray[i]; } if (i + 1 < commandLineArray.size()) { commandLine += " "; } } SHELLEXECUTEINFO sei = { 0 }; sei.cbSize = sizeof(SHELLEXECUTEINFO); sei.lpVerb = _T("runas"); sei.lpFile = szPath; sei.lpParameters = commandLine.toUTF8(); sei.nShow = SW_NORMAL; if (ShellExecuteEx(&sei)) { _exit(1); } #elif defined(JUCE_MAC) if (geteuid() == 0) { return true; } String launcher(File::getSpecialLocation( File::currentExecutableFile).getFullPathName()); const char * execpath = launcher.toRawUTF8(); char * args[] = { NULL }; OSStatus err; AuthorizationRef ref; AuthorizationFlags flags; flags = kAuthorizationFlagDefaults; err = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, flags, &ref); if ( err != errAuthorizationSuccess ) { quit(); } AuthorizationItem _temp = { kAuthorizationRightExecute, 0, NULL, 0 }; AuthorizationRights rights = { 1, &_temp }; flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights; err = AuthorizationCopyRights(ref, &rights, NULL, flags, NULL); if ( err != errAuthorizationSuccess ) { AuthorizationFree(ref, kAuthorizationFlagDefaults); quit(); } flags = kAuthorizationFlagDefaults; err = AuthorizationExecuteWithPrivileges(ref, execpath, flags, args, NULL); AuthorizationFree(ref, kAuthorizationFlagDefaults); // Probably overkill. if ( err != errAuthorizationSuccess ) { quit(); } #endif // JUCE_MAC return false; }
int main (int argc, const char * argv[]) { OSStatus myStatus; AuthorizationFlags myFlags = kAuthorizationFlagDefaults; // 1 AuthorizationRef myAuthorizationRef; // 2 myStatus = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, // 3 myFlags, &myAuthorizationRef); if (myStatus != errAuthorizationSuccess) return myStatus; do { { AuthorizationItem myItems = {kAuthorizationRightExecute, 0, // 4 NULL, 0}; AuthorizationRights myRights = {1, &myItems}; // 5 myFlags = kAuthorizationFlagDefaults | // 6 kAuthorizationFlagInteractionAllowed | kAuthorizationFlagPreAuthorize | kAuthorizationFlagExtendRights; myStatus = AuthorizationCopyRights (myAuthorizationRef, // 7 &myRights, NULL, myFlags, NULL ); } if (myStatus != errAuthorizationSuccess) break; { // Grab the arguent length int size = strlen(argv[1]); // Grab the first argument char myToolPath[size]; strcpy(myToolPath,argv[1]); char **myArguments = (char **)&argv[2]; FILE *myCommunicationsPipe = NULL; char myReadBuffer[128]; myFlags = kAuthorizationFlagDefaults; // 8 myStatus = AuthorizationExecuteWithPrivileges // 9 (myAuthorizationRef, myToolPath, myFlags, myArguments, &myCommunicationsPipe); // Any compile warnings here come from the sample apple code. if (myStatus == errAuthorizationSuccess) for(;;) { int bytesRead = read (fileno (myCommunicationsPipe), myReadBuffer, sizeof (myReadBuffer)); if (bytesRead < 1) break; write (fileno (stdout), myReadBuffer, bytesRead); } } } while (0); AuthorizationFree (myAuthorizationRef, kAuthorizationFlagDefaults); // 10 if (myStatus) printf("Status: %ld\n", myStatus); return myStatus; }
static int /* O - 0 if available */ /* 1 if not available */ /* -1 error */ cups_local_auth(http_t *http) /* I - HTTP connection to server */ { #if defined(WIN32) || defined(__EMX__) /* * Currently WIN32 and OS-2 do not support the CUPS server... */ return (1); #else int pid; /* Current process ID */ FILE *fp; /* Certificate file */ char trc[16], /* Try Root Certificate parameter */ filename[1024]; /* Certificate filename */ _cups_globals_t *cg = _cupsGlobals(); /* Global data */ # if defined(HAVE_AUTHORIZATION_H) OSStatus status; /* Status */ AuthorizationItem auth_right; /* Authorization right */ AuthorizationRights auth_rights; /* Authorization rights */ AuthorizationFlags auth_flags; /* Authorization flags */ AuthorizationExternalForm auth_extrn; /* Authorization ref external */ char auth_key[1024]; /* Buffer */ char buffer[1024]; /* Buffer */ # endif /* HAVE_AUTHORIZATION_H */ DEBUG_printf(("7cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"", (void *)http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname)); /* * See if we are accessing localhost... */ if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0) { DEBUG_puts("8cups_local_auth: Not a local connection!"); return (1); } # if defined(HAVE_AUTHORIZATION_H) /* * Delete any previous authorization reference... */ if (http->auth_ref) { AuthorizationFree(http->auth_ref, kAuthorizationFlagDefaults); http->auth_ref = NULL; } if (!getenv("GATEWAY_INTERFACE") && httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey", auth_key, sizeof(auth_key))) { status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &http->auth_ref); if (status != errAuthorizationSuccess) { DEBUG_printf(("8cups_local_auth: AuthorizationCreate() returned %d (%s)", (int)status, cssmErrorString(status))); return (-1); } auth_right.name = auth_key; auth_right.valueLength = 0; auth_right.value = NULL; auth_right.flags = 0; auth_rights.count = 1; auth_rights.items = &auth_right; auth_flags = kAuthorizationFlagDefaults | kAuthorizationFlagPreAuthorize | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights; status = AuthorizationCopyRights(http->auth_ref, &auth_rights, kAuthorizationEmptyEnvironment, auth_flags, NULL); if (status == errAuthorizationSuccess) status = AuthorizationMakeExternalForm(http->auth_ref, &auth_extrn); if (status == errAuthorizationSuccess) { /* * Set the authorization string and return... */ httpEncode64_2(buffer, sizeof(buffer), (void *)&auth_extrn, sizeof(auth_extrn)); httpSetAuthString(http, "AuthRef", buffer); DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"", http->authstring)); return (0); } else if (status == errAuthorizationCanceled) return (-1); DEBUG_printf(("9cups_local_auth: AuthorizationCopyRights() returned %d (%s)", (int)status, cssmErrorString(status))); /* * Fall through to try certificates... */ } # endif /* HAVE_AUTHORIZATION_H */ # if defined(SO_PEERCRED) && defined(AF_LOCAL) /* * See if we can authenticate using the peer credentials provided over a * domain socket; if so, specify "PeerCred username" as the authentication * information... */ if ( # ifdef HAVE_GSSAPI _cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9) && # endif /* HAVE_GSSAPI */ # ifdef HAVE_AUTHORIZATION_H !httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey", auth_key, sizeof(auth_key)) && # endif /* HAVE_AUTHORIZATION_H */ http->hostaddr->addr.sa_family == AF_LOCAL && !getenv("GATEWAY_INTERFACE")) /* Not via CGI programs... */ { /* * Verify that the current cupsUser() matches the current UID... */ struct passwd *pwd; /* Password information */ const char *username; /* Current username */ username = cupsUser(); if ((pwd = getpwnam(username)) != NULL && pwd->pw_uid == getuid()) { httpSetAuthString(http, "PeerCred", username); DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"", http->authstring)); return (0); } } # endif /* SO_PEERCRED && AF_LOCAL */ /* * Try opening a certificate file for this PID. If that fails, * try the root certificate... */ pid = getpid(); snprintf(filename, sizeof(filename), "%s/certs/%d", cg->cups_statedir, pid); if ((fp = fopen(filename, "r")) == NULL && pid > 0) { /* * No certificate for this PID; see if we can get the root certificate... */ DEBUG_printf(("9cups_local_auth: Unable to open file %s: %s", filename, strerror(errno))); # ifdef HAVE_GSSAPI if (!_cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9)) { /* * Kerberos required, don't try the root certificate... */ return (1); } # endif /* HAVE_GSSAPI */ # ifdef HAVE_AUTHORIZATION_H if (httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey", auth_key, sizeof(auth_key))) { /* * Don't use the root certificate as a replacement for an authkey... */ return (1); } # endif /* HAVE_AUTHORIZATION_H */ if (!httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "trc", trc, sizeof(trc))) { /* * Scheduler doesn't want us to use the root certificate... */ return (1); } snprintf(filename, sizeof(filename), "%s/certs/0", cg->cups_statedir); fp = fopen(filename, "r"); } if (fp) { /* * Read the certificate from the file... */ char certificate[33], /* Certificate string */ *certptr; /* Pointer to certificate string */ certptr = fgets(certificate, sizeof(certificate), fp); fclose(fp); if (certptr) { /* * Set the authorization string and return... */ httpSetAuthString(http, "Local", certificate); DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"", http->authstring)); return (0); } } return (1); #endif /* WIN32 || __EMX__ */ }