Re: [Dovecot] RC7: BUG! and patch [Was: Re: rc7 bug? [Was: deliver LDA and INBOX location] (fwd)] (fwd)

On Fri, 2006-09-15 at 14:59 +0100, David Lee wrote:

Could someone confirm, please, that this bug report and its proposed fix are being checked?

1. Is my analysis (message below) about right?
2. Is my proposed patch (attached) about right?
3. Is this being addressed for "rc8" (or whatever) and its successors?

•   /* get user's details (in particular, the real uid) */

•   upw = getpwnam(user);

•   if (upw == NULL) {

•           i_fatal("Couldn't lookup user's details (user=%s)", user);

•   }

•   uid = upw->pw_uid;

This is wrong, because it doesn't work with virtual users. The uid is already looked up from userdb and either it's the same as the user who's runnning deliver, or if deliver is run as root the privileges are dropped. In either case you can get the uid with just geteuid() call.

I think this should work (not tested though):

http://dovecot.org/list/dovecot-cvs/2006-September/006408.html