dovecot-2.2: auth: Require auth-token-secret.dat owner to be aut...

dovecot at dovecot.org dovecot at dovecot.org
Tue Nov 6 23:23:31 EET 2012


details:   http://hg.dovecot.org/dovecot-2.2/rev/2d0d0318b341
changeset: 15387:2d0d0318b341
user:      Timo Sirainen <tss at iki.fi>
date:      Tue Nov 06 23:23:19 2012 +0200
description:
auth: Require auth-token-secret.dat owner to be auth process's uid, not necessarily root.

diffstat:

 src/auth/auth-token.c |  3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diffs (13 lines):

diff -r 5089affc8ae5 -r 2d0d0318b341 src/auth/auth-token.c
--- a/src/auth/auth-token.c	Tue Nov 06 22:15:51 2012 +0200
+++ b/src/auth/auth-token.c	Tue Nov 06 23:23:19 2012 +0200
@@ -70,7 +70,8 @@
 	}
 
 	/* check security parameters for compromise */
-	if ((st.st_mode & 07777) != 0600 || st.st_uid != 0 || st.st_nlink > 1 ||
+	if ((st.st_mode & 07777) != 0600 ||
+	    st.st_uid != geteuid() || st.st_nlink > 1 ||
 	    !S_ISREG(lst.st_mode) || st.st_ino != lst.st_ino ||
 	    !CMP_DEV_T(st.st_dev, lst.st_dev)) {
 		i_error("Compromised token secret file: %s", path);
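
Review bot: The new ownership test `st.st_uid != geteuid()` in the security-parameter check rejects a secret file owned by root whenever the auth process runs under a non-root uid, which is the ownership the removed `st.st_uid != 0` test required. A file created under the old rule therefore reaches `i_error("Compromised token secret file: %s", path)` after an upgrade, and the message gives no way to tell an ownership mismatch from real tampering. Consider logging the observed `st.st_uid` next to the expected `geteuid()` value, or splitting the ownership test into its own branch with its own message. The comment `/* check security parameters for compromise */` could also say that the owner must match the process's effective uid, since that is now the rule being enforced.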

