dovecot-1.2: New generic userdb lookup api `auth-master' in lib-...
dovecot at dovecot.org
dovecot at dovecot.org
Sat Nov 1 14:49:34 EET 2008
details: http://hg.dovecot.org/dovecot-1.2/rev/f97099eb4dee
changeset: 8365:f97099eb4dee
user: Sascha Wilde <wilde at intevation.de>
date: Fri Oct 24 16:06:07 2008 +0200
description:
New generic userdb lookup api `auth-master' in lib-auth.
diffstat:
7 files changed, 338 insertions(+), 229 deletions(-)
src/deliver/Makefile.am | 3
src/deliver/auth-client.c | 288 ++++++++++----------------------------------
src/deliver/auth-client.h | 6
src/deliver/deliver.c | 14 +-
src/lib-auth/Makefile.am | 2
src/lib-auth/auth-master.c | 233 +++++++++++++++++++++++++++++++++++
src/lib-auth/auth-master.h | 21 +++
diffs (truncated from 714 to 300 lines):
diff -r 58afb62be4e0 -r f97099eb4dee src/deliver/Makefile.am
--- a/src/deliver/Makefile.am Fri Oct 31 18:35:43 2008 +0200
+++ b/src/deliver/Makefile.am Fri Oct 24 16:06:07 2008 +0200
@@ -20,7 +20,7 @@ deliver_LDFLAGS = -export-dynamic
# get some functions included which only plugins use. liblib should probably
# be a shared library so this wouldn't be needed..
unused_objects = \
- ../lib/mountpoint.o
+ ../lib/mountpoint.o
libs = \
../lib-storage/register/libstorage-register.a \
@@ -30,6 +30,7 @@ libs = \
../lib-mail/libmail.a \
../lib-dict/libdict.a \
../lib-charset/libcharset.a \
+ ../lib-auth/libauth.a \
../lib/liblib.a \
$(unused_objects)
diff -r 58afb62be4e0 -r f97099eb4dee src/deliver/auth-client.c
--- a/src/deliver/auth-client.c Fri Oct 31 18:35:43 2008 +0200
+++ b/src/deliver/auth-client.c Fri Oct 24 16:06:07 2008 +0200
@@ -9,6 +9,7 @@
#include "env-util.h"
#include "restrict-access.h"
#include "auth-client.h"
+#include "../lib-auth/auth-master.h"
#include <stdlib.h>
#include <unistd.h>
@@ -16,41 +17,7 @@
#include <grp.h>
#include <sysexits.h>
-#define AUTH_REQUEST_TIMEOUT 60
-#define MAX_INBUF_SIZE 8192
-#define MAX_OUTBUF_SIZE 512
-
static int return_value;
-
-struct auth_connection {
- int fd;
- struct timeout *to;
- struct io *io;
- struct istream *input;
- struct ostream *output;
-
- struct ioloop *ioloop;
- uid_t euid;
- const char *auth_socket;
- const char *user;
- ARRAY_TYPE(string) *extra_fields;
-
- unsigned int handshaked:1;
-};
-
-static void auth_connection_destroy(struct auth_connection *conn)
-{
- io_loop_stop(conn->ioloop);
-
- if (conn->to != NULL)
- timeout_remove(&conn->to);
- io_remove(&conn->io);
- i_stream_unref(&conn->input);
- o_stream_unref(&conn->output);
- if (close(conn->fd) < 0)
- i_error("close() failed: %m");
- i_free(conn);
-}
static bool parse_uid(const char *str, uid_t *uid_r)
{
@@ -90,90 +57,59 @@ static bool parse_gid(const char *str, g
return TRUE;
}
-static void auth_parse_input(struct auth_connection *conn, const char *args)
+static void set_env(struct auth_user_reply *reply, const char *user, uid_t euid)
{
- const char *const *tmp, *extra_groups;
- uid_t uid = 0;
- gid_t gid = 0;
- const char *chroot_dir = getenv("MAIL_CHROOT");
- const char *home_dir = NULL;
- bool debug = getenv("DEBUG") != NULL;
+ const char *extra_groups;
unsigned int len;
- for (tmp = t_strsplit(args, "\t"); *tmp != NULL; tmp++) {
- if (debug)
- i_info("auth input: %s", *tmp);
-
- if (strncmp(*tmp, "uid=", 4) == 0) {
- uid = strtoul(*tmp + 4, NULL, 10);
-
- if (uid == 0) {
- i_error("userdb(%s) returned 0 as uid",
- conn->user);
- return_value = EX_TEMPFAIL;
+ if (reply->uid == 0) {
+ i_error("userdb(%s) returned 0 as uid", user);
+ return;
+ } else if (reply->uid == (uid_t)-1) {
+ if (getenv("MAIL_UID") != NULL) {
+ if (!parse_uid(getenv("MAIL_UID"), &reply->uid) || reply->uid == 0) {
+ i_error("mail_uid setting is invalid");
+ return;
}
- } else if (strncmp(*tmp, "gid=", 4) == 0) {
- gid = strtoul(*tmp + 4, NULL, 10);
-
- if (gid == 0) {
- i_error("userdb(%s) returned 0 as gid",
- conn->user);
- return_value = EX_TEMPFAIL;
+ } else {
+ i_error("User %s is missing UID (set mail_uid)", user);
+ return;
+ }
+ }
+ if (reply->gid == 0) {
+ i_error("userdb(%s) returned 0 as gid", user);
+ return;
+ } else if (reply->gid == (gid_t)-1) {
+ if (getenv("MAIL_GID") != NULL) {
+ if (!parse_gid(getenv("MAIL_GID"), &reply->gid) || reply->gid == 0) {
+ i_error("mail_gid setting is invalid");
+ return;
}
- } else if (strncmp(*tmp, "chroot=", 7) == 0) {
- chroot_dir = *tmp + 7;
} else {
- char *field = i_strdup(*tmp);
-
- if (strncmp(field, "home=", 5) == 0)
- home_dir = field + 5;
-
- array_append(conn->extra_fields, &field, 1);
+ i_error("User %s is missing GID (set mail_gid)", user);
+ return;
}
}
- if (uid == 0 && getenv("MAIL_UID") != NULL) {
- if (!parse_uid(getenv("MAIL_UID"), &uid) || uid == 0) {
- i_error("mail_uid setting is invalid");
- return_value = EX_TEMPFAIL;
- return;
+ if (euid != reply->uid)
+ env_put(t_strconcat("RESTRICT_SETUID=", dec2str(reply->uid), NULL));
+ if (euid == 0 || getegid() != reply->gid)
+ env_put(t_strconcat("RESTRICT_SETGID=", dec2str(reply->gid), NULL));
+
+ if (reply->chroot == NULL)
+ reply->chroot = getenv("MAIL_CHROOT");
+ if (reply->chroot != NULL) {
+ len = strlen(reply->chroot);
+ if (len > 2 && strcmp(reply->chroot + len - 2, "/.") == 0 &&
+ reply->home != NULL &&
+ strncmp(reply->home, reply->chroot, len - 2) == 0) {
+ /* strip chroot dir from home dir */
+ reply->home += len - 2;
}
+ env_put(t_strconcat("RESTRICT_CHROOT=", reply->chroot, NULL));
}
- if (uid == 0) {
- i_error("User %s is missing UID (set mail_uid)", conn->user);
- return_value = EX_TEMPFAIL;
- return;
- }
- if (gid == 0 && getenv("MAIL_GID") != NULL) {
- if (!parse_gid(getenv("MAIL_GID"), &gid) || gid == 0) {
- i_error("mail_gid setting is invalid");
- return_value = EX_TEMPFAIL;
- return;
- }
- }
- if (gid == 0) {
- i_error("User %s is missing GID (set mail_gid)", conn->user);
- return_value = EX_TEMPFAIL;
- return;
- }
-
- if (conn->euid != uid)
- env_put(t_strconcat("RESTRICT_SETUID=", dec2str(uid), NULL));
- if (conn->euid == 0 || getegid() != gid)
- env_put(t_strconcat("RESTRICT_SETGID=", dec2str(gid), NULL));
-
- if (chroot_dir != NULL) {
- len = strlen(chroot_dir);
- if (len > 2 && strcmp(chroot_dir + len - 2, "/.") == 0 &&
- home_dir != NULL &&
- strncmp(home_dir, chroot_dir, len - 2) == 0) {
- /* strip chroot dir from home dir */
- home_dir += len - 2;
- }
- env_put(t_strconcat("RESTRICT_CHROOT=", chroot_dir, NULL));
- }
- if (home_dir != NULL)
- env_put(t_strconcat("HOME=", home_dir, NULL));
+ if (reply->home != NULL)
+ env_put(t_strconcat("HOME=", reply->home, NULL));
extra_groups = getenv("MAIL_EXTRA_GROUPS");
if (extra_groups != NULL) {
@@ -181,127 +117,39 @@ static void auth_parse_input(struct auth
extra_groups, NULL));
}
- restrict_access_by_env(TRUE);
return_value = EX_OK;
}
-static void auth_input(struct auth_connection *conn)
-{
- const char *line;
-
- switch (i_stream_read(conn->input)) {
- case 0:
- return;
- case -1:
- /* disconnected */
- i_error("Auth lookup disconnected unexpectedly");
- auth_connection_destroy(conn);
- return;
- case -2:
- /* buffer full */
- i_error("BUG: Auth master sent us more than %d bytes",
- MAX_INBUF_SIZE);
- auth_connection_destroy(conn);
- return;
- }
-
- if (!conn->handshaked) {
- while ((line = i_stream_next_line(conn->input)) != NULL) {
- if (strncmp(line, "VERSION\t", 8) == 0) {
- if (strncmp(line + 8, "1\t", 2) != 0) {
- i_error("Auth master version mismatch");
- auth_connection_destroy(conn);
- return;
- }
- } else if (strncmp(line, "SPID\t", 5) == 0) {
- conn->handshaked = TRUE;
- break;
- }
- }
- }
-
- line = i_stream_next_line(conn->input);
- if (line != NULL) {
- if (strncmp(line, "USER\t1\t", 7) == 0) {
- auth_parse_input(conn, line + 7);
- } else if (strcmp(line, "NOTFOUND\t1") == 0)
- return_value = EX_NOUSER;
- else if (strncmp(line, "FAIL\t1", 6) == 0) {
- i_error("Auth lookup returned failure");
- return_value = EX_TEMPFAIL;
- } else if (strncmp(line, "CUID\t", 5) == 0) {
- i_error("%s is an auth client socket. "
- "It should be a master socket.",
- conn->auth_socket);
- } else {
- i_error("BUG: Unexpected input from auth master: %s",
- line);
- }
- auth_connection_destroy(conn);
- }
-}
-
-static struct auth_connection *auth_connection_new(const char *auth_socket)
-{
- struct auth_connection *conn;
- int fd, try;
-
- /* max. 1 second wait here. */
- for (try = 0; try < 10; try++) {
- fd = net_connect_unix(auth_socket);
- if (fd != -1 || (errno != EAGAIN && errno != ECONNREFUSED))
- break;
-
- /* busy. wait for a while. */
- usleep(((rand() % 10) + 1) * 10000);
- }
- if (fd == -1) {
- i_error("Can't connect to auth server at %s: %m", auth_socket);
- return NULL;
- }
-
- conn = i_new(struct auth_connection, 1);
- conn->fd = fd;
- conn->input = i_stream_create_fd(fd, MAX_INBUF_SIZE, FALSE);
- conn->output = o_stream_create_fd(fd, MAX_OUTBUF_SIZE, FALSE);
- conn->io = io_add(fd, IO_READ, auth_input, conn);
- return conn;
-}
-
-static void auth_client_timeout(struct auth_connection *conn)
-{
- if (!conn->handshaked)
More information about the dovecot-cvs
mailing list