[dovecot-cvs] dovecot/src/master auth-process.c,1.49,1.50 login-process.c,1.47,1.48 master-settings.c,1.26,1.27 master-settings.h,1.17,1.18

cras at procontrol.fi cras at procontrol.fi
Sun Aug 24 11:37:43 EEST 2003 

Update of /home/cvs/dovecot/src/master
In directory danu:/tmp/cvs-serv29266

Modified Files:
	auth-process.c login-process.c master-settings.c 
	master-settings.h 
Log Message:
Make sure auth process and login process don't share uids.



Index: auth-process.c
===================================================================
RCS file: /home/cvs/dovecot/src/master/auth-process.c,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -d -r1.49 -r1.50
--- auth-process.c	22 Aug 2003 02:42:36 -0000	1.49
+++ auth-process.c	24 Aug 2003 07:37:41 -0000	1.50
@@ -253,13 +253,9 @@
 static pid_t create_auth_process(struct auth_process_group *group)
 {
 	static char *argv[] = { NULL, NULL };
-	struct passwd *pwd;
 	pid_t pid;
 	int fd[2], i;
 
-	if ((pwd = getpwnam(group->set->user)) == NULL)
-		i_fatal("Auth user doesn't exist: %s", group->set->user);
-
 	/* create communication to process with a socket pair */
 	if (socketpair(AF_UNIX, SOCK_STREAM, 0, fd) == -1) {
 		i_error("socketpair() failed: %m");
@@ -308,8 +304,8 @@
 		fd_close_on_exec(i, FALSE);
 
 	/* setup access environment */
-	restrict_access_set_env(group->set->user, pwd->pw_uid, pwd->pw_gid,
-				group->set->chroot, 0, 0);
+	restrict_access_set_env(group->set->user, group->set->uid,
+				group->set->gid, group->set->chroot, 0, 0);
 
 	/* set other environment */
 	env_put(t_strconcat("AUTH_PROCESS=", dec2str(getpid()), NULL));
@@ -383,11 +379,10 @@
 	fd_close_on_exec(group->listen_fd, TRUE);
 
 	/* set correct permissions */
-	if (chown(path, master_uid,
-		  auth_set->parent->defaults->login_gid) < 0) {
+	if (chown(path, master_uid, auth_set->parent->login_gid) < 0) {
 		i_fatal("login: chown(%s, %s, %s) failed: %m",
 			path, dec2str(master_uid),
-			dec2str(auth_set->parent->defaults->login_gid));
+			dec2str(auth_set->parent->login_gid));
 	}
 
 	group->next = process_groups;

Index: login-process.c
===================================================================
RCS file: /home/cvs/dovecot/src/master/login-process.c,v
retrieving revision 1.47
retrieving revision 1.48
diff -u -d -r1.47 -r1.48
--- login-process.c	10 Jul 2003 03:04:07 -0000	1.47
+++ login-process.c	24 Aug 2003 07:37:41 -0000	1.48
@@ -374,7 +374,8 @@
 
 	/* setup access environment - needs to be done after
 	   clean_child_process() since it clears environment */
-	restrict_access_set_env(set->login_user, set->login_uid, set->login_gid,
+	restrict_access_set_env(set->login_user, set->login_uid,
+				set->server->login_gid,
 				set->login_chroot ? set->login_dir : NULL,
 				0, 0);
 

Index: master-settings.c
===================================================================
RCS file: /home/cvs/dovecot/src/master/master-settings.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -d -r1.26 -r1.27
--- master-settings.c	24 Aug 2003 07:21:30 -0000	1.26
+++ master-settings.c	24 Aug 2003 07:37:41 -0000	1.27
@@ -225,7 +225,6 @@
 
 	/* .. */
 	MEMBER(login_uid) 0,
-	MEMBER(login_gid) 0,
 	MEMBER(listen_fd) -1,
 	MEMBER(ssl_listen_fd) -1
 };
@@ -273,11 +272,11 @@
 		return FALSE;
 	}
 
-	if (set->login_gid == 0)
-		set->login_gid = pw->pw_gid;
-	else if (set->login_gid != pw->pw_gid) {
+	if (set->server->login_gid == 0)
+		set->server->login_gid = pw->pw_gid;
+	else if (set->server->login_gid != pw->pw_gid) {
 		i_error("All login process users must belong to same group "
-			"(%s vs %s)", dec2str(set->login_gid),
+			"(%s vs %s)", dec2str(set->server->login_gid),
 			dec2str(pw->pw_gid));
 		return FALSE;
 	}
@@ -288,6 +287,22 @@
 
 static int auth_settings_verify(struct auth_settings *auth)
 {
+	struct passwd *pw;
+
+	if ((pw = getpwnam(auth->user)) == NULL) {
+		i_error("Auth user doesn't exist: %s", auth->user);
+		return FALSE;
+	}
+
+	if (auth->parent->defaults->login_uid == pw->pw_uid &&
+	    master_uid != pw->pw_uid) {
+		i_error("login_user %s (uid %s) must not be same as auth_user",
+			auth->user, dec2str(pw->pw_uid));
+		return FALSE;
+	}
+	auth->uid = pw->pw_uid;
+	auth->gid = pw->pw_gid;
+
 	if (access(auth->executable, X_OK) < 0) {
 		i_error("Can't use auth executable %s: %m", auth->executable);
 		return FALSE;
@@ -430,7 +445,8 @@
 		return FALSE;
 	}
 
-	if (safe_mkdir(set->login_dir, 0750, master_uid, set->login_gid) == 0) {
+	if (safe_mkdir(set->login_dir, 0750,
+		       master_uid, set->server->login_gid) == 0) {
 		i_warning("Corrected permissions for login directory %s",
 			  set->login_dir);
 	}

Index: master-settings.h
===================================================================
RCS file: /home/cvs/dovecot/src/master/master-settings.h,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -d -r1.17 -r1.18
--- master-settings.h	24 Aug 2003 07:21:30 -0000	1.17
+++ master-settings.h	24 Aug 2003 07:37:41 -0000	1.18
@@ -81,7 +81,6 @@
 
 	/* .. */
 	uid_t login_uid;
-	gid_t login_gid;
 
 	int listen_fd, ssl_listen_fd;
 };
@@ -106,6 +105,10 @@
 
 	unsigned int count;
 	unsigned int process_size;
+
+	/* .. */
+	uid_t uid;
+	gid_t gid;
 };
 
 struct namespace_settings {
@@ -128,6 +131,8 @@
 	struct auth_settings *auths;
 	struct auth_settings auth_defaults;
         struct namespace_settings *namespaces;
+
+	gid_t login_gid;
 };
 
 extern struct server_settings *settings_root;

More information about the dovecot-cvs mailing list