[Dovecot] Index corruption

Gregory Bond gnb at itga.com.au
Mon Oct 18 08:32:45 EEST 2004


Curtis Maloney wrote:

> I ran into this problem with the later test versions on Solaris 9.  
> Joshua Goodall gave me a two-line patch (which I don't have here, I'm 
> afraid) to revert this check which came in around test43 (from memory).
>
> A check of the list archives finds his recommendation was to use 
> src/lib/restrict-access.c revision 1.13 from CVS.

Ah good, it's not just me.

I've had a bit more of a play and I understand it a bit better.  Looks 
like restrict_access_by_env() is being called in 2 different contexts - 
once to establish the "dovecot" user , once as root (presumably in the 
auth daemon).  The call as root fails because the program tries setgid() 
to prove it can't, but as root this works.

The following patch (to test49 version of lib/restrict-access.c) works 
for me, but I'm not going to pretend I understand dovecot's auth 
framework well enough to know if this is harmless.

(Beware cut-n-paste whitespace munching).

--- src/lib/restrict-access.c.DIST      2004-09-24 23:04:31.000000000 +1000
+++ src/lib/restrict-access.c   2004-10-18 15:04:36.716002000 +1000
@@ -204,7 +204,7 @@
 
        env = getenv("RESTRICT_GID_FIRST");
        if (gid != 0 || (env != NULL && atoi(env) != 0)) {
-               if (getgid() == 0 || getegid() == 0 || setgid(0) == 0) {
+               if (getgid() == 0 || getegid() == 0 || (uid != 0 && 
setgid(0) == 0)) {
                        if (gid == 0)
                                i_fatal("GID 0 isn't permitted");
                        i_fatal("We couldn't drop root group privileges "
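
Review bot: In the changed condition, `(uid != 0 && setgid(0) == 0)` skips the setgid(0) probe whenever `uid` is 0, so on that path the only remaining checks are getgid() and getegid(), and nothing records that the "can we get GID 0 back" verification was bypassed. `uid` is not declared in the visible lines, so it should be confirmed that it holds the value this test needs: if it is the requested target UID rather than the process's current effective UID, the two can differ, and testing `geteuid() != 0` would state the intent directly. A short comment above the condition explaining that a process remaining root can always regain GID 0, which is why the probe is meaningless there, would make the exemption deliberate rather than accidental. Note also that the added line is wrapped across two lines in this mail, so the hunk will not apply without rejoining it.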


