dovecot-1.2: New generic userdb lookup api `auth-master' in lib-...

dovecot at dovecot.org dovecot at dovecot.org
Sat Nov 1 14:49:34 EET 2008 

details:   http://hg.dovecot.org/dovecot-1.2/rev/f97099eb4dee
changeset: 8365:f97099eb4dee
user:      Sascha Wilde <wilde at intevation.de>
date:      Fri Oct 24 16:06:07 2008 +0200
description:
New generic userdb lookup api `auth-master' in lib-auth.

diffstat:

7 files changed, 338 insertions(+), 229 deletions(-)
src/deliver/Makefile.am    |    3 
src/deliver/auth-client.c  |  288 ++++++++++----------------------------------
src/deliver/auth-client.h  |    6 
src/deliver/deliver.c      |   14 +-
src/lib-auth/Makefile.am   |    2 
src/lib-auth/auth-master.c |  233 +++++++++++++++++++++++++++++++++++
src/lib-auth/auth-master.h |   21 +++

diffs (truncated from 714 to 300 lines):

diff -r 58afb62be4e0 -r f97099eb4dee src/deliver/Makefile.am
--- a/src/deliver/Makefile.am	Fri Oct 31 18:35:43 2008 +0200
+++ b/src/deliver/Makefile.am	Fri Oct 24 16:06:07 2008 +0200
@@ -20,7 +20,7 @@ deliver_LDFLAGS = -export-dynamic
 # get some functions included which only plugins use. liblib should probably
 # be a shared library so this wouldn't be needed..
 unused_objects = \
- 	../lib/mountpoint.o
+	../lib/mountpoint.o
 
 libs = \
 	../lib-storage/register/libstorage-register.a \
@@ -30,6 +30,7 @@ libs = \
 	../lib-mail/libmail.a \
 	../lib-dict/libdict.a \
 	../lib-charset/libcharset.a \
+	../lib-auth/libauth.a \
 	../lib/liblib.a \
 	$(unused_objects)
 
diff -r 58afb62be4e0 -r f97099eb4dee src/deliver/auth-client.c
--- a/src/deliver/auth-client.c	Fri Oct 31 18:35:43 2008 +0200
+++ b/src/deliver/auth-client.c	Fri Oct 24 16:06:07 2008 +0200
@@ -9,6 +9,7 @@
 #include "env-util.h"
 #include "restrict-access.h"
 #include "auth-client.h"
+#include "../lib-auth/auth-master.h"
 
 #include <stdlib.h>
 #include <unistd.h>
@@ -16,41 +17,7 @@
 #include <grp.h>
 #include <sysexits.h>
 
-#define AUTH_REQUEST_TIMEOUT 60
-#define MAX_INBUF_SIZE 8192
-#define MAX_OUTBUF_SIZE 512
-
 static int return_value;
-
-struct auth_connection {
-	int fd;
-	struct timeout *to;
-	struct io *io;
-	struct istream *input;
-	struct ostream *output;
-
-	struct ioloop *ioloop;
-	uid_t euid;
-	const char *auth_socket;
-	const char *user;
-	ARRAY_TYPE(string) *extra_fields;
-
-	unsigned int handshaked:1;
-};
-
-static void auth_connection_destroy(struct auth_connection *conn)
-{
-	io_loop_stop(conn->ioloop);
-
-	if (conn->to != NULL)
-		timeout_remove(&conn->to);
-	io_remove(&conn->io);
-	i_stream_unref(&conn->input);
-	o_stream_unref(&conn->output);
-	if (close(conn->fd) < 0)
-		i_error("close() failed: %m");
-	i_free(conn);
-}
 
 static bool parse_uid(const char *str, uid_t *uid_r)
 {
@@ -90,90 +57,59 @@ static bool parse_gid(const char *str, g
 	return TRUE;
 }
 
-static void auth_parse_input(struct auth_connection *conn, const char *args)
+static void set_env(struct auth_user_reply *reply, const char *user, uid_t euid)
 {
-	const char *const *tmp, *extra_groups;
-	uid_t uid = 0;
-	gid_t gid = 0;
-	const char *chroot_dir = getenv("MAIL_CHROOT");
-	const char *home_dir = NULL;
-	bool debug = getenv("DEBUG") != NULL;
+	const char *extra_groups;
 	unsigned int len;
 
-	for (tmp = t_strsplit(args, "\t"); *tmp != NULL; tmp++) {
-		if (debug)
-			i_info("auth input: %s", *tmp);
-
-		if (strncmp(*tmp, "uid=", 4) == 0) {
-			uid = strtoul(*tmp + 4, NULL, 10);
-
-			if (uid == 0) {
-				i_error("userdb(%s) returned 0 as uid",
-					conn->user);
-				return_value = EX_TEMPFAIL;
+	if (reply->uid == 0) {
+		i_error("userdb(%s) returned 0 as uid", user);
+		return;
+	} else if (reply->uid == (uid_t)-1) {
+		if (getenv("MAIL_UID") != NULL) {
+			if (!parse_uid(getenv("MAIL_UID"), &reply->uid) || reply->uid == 0) {
+				i_error("mail_uid setting is invalid");
+				return;
 			}
-		} else if (strncmp(*tmp, "gid=", 4) == 0) {
-			gid = strtoul(*tmp + 4, NULL, 10);
-
-			if (gid == 0) {
-				i_error("userdb(%s) returned 0 as gid",
-					conn->user);
-				return_value = EX_TEMPFAIL;
+		} else {
+			i_error("User %s is missing UID (set mail_uid)", user);
+			return;
+		}
+	}
+	if (reply->gid == 0) {
+		i_error("userdb(%s) returned 0 as gid", user);
+		return;
+	} else if (reply->gid == (gid_t)-1) {
+		if (getenv("MAIL_GID") != NULL) {
+			if (!parse_gid(getenv("MAIL_GID"), &reply->gid) || reply->gid == 0) {
+				i_error("mail_gid setting is invalid");
+				return;
 			}
-		} else if (strncmp(*tmp, "chroot=", 7) == 0) {
-			chroot_dir = *tmp + 7;
 		} else {
-			char *field = i_strdup(*tmp);
-
-			if (strncmp(field, "home=", 5) == 0)
-				home_dir = field + 5;
-
-			array_append(conn->extra_fields, &field, 1);
+			i_error("User %s is missing GID (set mail_gid)", user);
+			return;
 		}
 	}
 
-	if (uid == 0 && getenv("MAIL_UID") != NULL) {
-		if (!parse_uid(getenv("MAIL_UID"), &uid) || uid == 0) {
-			i_error("mail_uid setting is invalid");
-			return_value = EX_TEMPFAIL;
-			return;
+	if (euid != reply->uid)
+		env_put(t_strconcat("RESTRICT_SETUID=", dec2str(reply->uid), NULL));
+	if (euid == 0 || getegid() != reply->gid)
+		env_put(t_strconcat("RESTRICT_SETGID=", dec2str(reply->gid), NULL));
+
+	if (reply->chroot == NULL)
+		reply->chroot = getenv("MAIL_CHROOT");
+	if (reply->chroot != NULL) {
+		len = strlen(reply->chroot);
+		if (len > 2 && strcmp(reply->chroot + len - 2, "/.") == 0 &&
+		    reply->home != NULL &&
+		    strncmp(reply->home, reply->chroot, len - 2) == 0) {
+			/* strip chroot dir from home dir */
+			reply->home += len - 2;
 		}
+		env_put(t_strconcat("RESTRICT_CHROOT=", reply->chroot, NULL));
 	}
-	if (uid == 0) {
-		i_error("User %s is missing UID (set mail_uid)", conn->user);
-		return_value = EX_TEMPFAIL;
-		return;
-	}
-	if (gid == 0 && getenv("MAIL_GID") != NULL) {
-		if (!parse_gid(getenv("MAIL_GID"), &gid) || gid == 0) {
-			i_error("mail_gid setting is invalid");
-			return_value = EX_TEMPFAIL;
-			return;
-		}
-	}
-	if (gid == 0) {
-		i_error("User %s is missing GID (set mail_gid)", conn->user);
-		return_value = EX_TEMPFAIL;
-		return;
-	}
-
-	if (conn->euid != uid)
-		env_put(t_strconcat("RESTRICT_SETUID=", dec2str(uid), NULL));
-	if (conn->euid == 0 || getegid() != gid)
-		env_put(t_strconcat("RESTRICT_SETGID=", dec2str(gid), NULL));
-
-	if (chroot_dir != NULL) {
-		len = strlen(chroot_dir);
-		if (len > 2 && strcmp(chroot_dir + len - 2, "/.") == 0 &&
-		    home_dir != NULL &&
-		    strncmp(home_dir, chroot_dir, len - 2) == 0) {
-			/* strip chroot dir from home dir */
-			home_dir += len - 2;
-		}
-		env_put(t_strconcat("RESTRICT_CHROOT=", chroot_dir, NULL));
-	}
-	if (home_dir != NULL)
-		env_put(t_strconcat("HOME=", home_dir, NULL));
+	if (reply->home != NULL)
+		env_put(t_strconcat("HOME=", reply->home, NULL));
 
 	extra_groups = getenv("MAIL_EXTRA_GROUPS");
 	if (extra_groups != NULL) {
@@ -181,127 +117,39 @@ static void auth_parse_input(struct auth
 				    extra_groups, NULL));
 	}
 
-	restrict_access_by_env(TRUE);
 	return_value = EX_OK;
 }
 
-static void auth_input(struct auth_connection *conn)
-{
-	const char *line;
-
-	switch (i_stream_read(conn->input)) {
-	case 0:
-		return;
-	case -1:
-		/* disconnected */
-		i_error("Auth lookup disconnected unexpectedly");
-		auth_connection_destroy(conn);
-		return;
-	case -2:
-		/* buffer full */
-		i_error("BUG: Auth master sent us more than %d bytes",
-			MAX_INBUF_SIZE);
-		auth_connection_destroy(conn);
-		return;
-	}
-
-	if (!conn->handshaked) {
-		while ((line = i_stream_next_line(conn->input)) != NULL) {
-			if (strncmp(line, "VERSION\t", 8) == 0) {
-				if (strncmp(line + 8, "1\t", 2) != 0) {
-					i_error("Auth master version mismatch");
-					auth_connection_destroy(conn);
-					return;
-				}
-			} else if (strncmp(line, "SPID\t", 5) == 0) {
-				conn->handshaked = TRUE;
-				break;
-			}
-		}
-	}
-
-	line = i_stream_next_line(conn->input);
-	if (line != NULL) {
-		if (strncmp(line, "USER\t1\t", 7) == 0) {
-			auth_parse_input(conn, line + 7);
-		} else if (strcmp(line, "NOTFOUND\t1") == 0)
-			return_value = EX_NOUSER;
-		else if (strncmp(line, "FAIL\t1", 6) == 0) {
-			i_error("Auth lookup returned failure");
-			return_value = EX_TEMPFAIL;
-		} else if (strncmp(line, "CUID\t", 5) == 0) {
-			i_error("%s is an auth client socket. "
-				"It should be a master socket.",
-				conn->auth_socket);
-		} else {
-			i_error("BUG: Unexpected input from auth master: %s",
-				line);
-		}
-		auth_connection_destroy(conn);
-	}
-}
-
-static struct auth_connection *auth_connection_new(const char *auth_socket)
-{
-	struct auth_connection *conn;
-	int fd, try;
-
-	/* max. 1 second wait here. */
-	for (try = 0; try < 10; try++) {
-		fd = net_connect_unix(auth_socket);
-		if (fd != -1 || (errno != EAGAIN && errno != ECONNREFUSED))
-			break;
-
-		/* busy. wait for a while. */
-		usleep(((rand() % 10) + 1) * 10000);
-	}
-	if (fd == -1) {
-		i_error("Can't connect to auth server at %s: %m", auth_socket);
-		return NULL;
-	}
-
-	conn = i_new(struct auth_connection, 1);
-	conn->fd = fd;
-	conn->input = i_stream_create_fd(fd, MAX_INBUF_SIZE, FALSE);
-	conn->output = o_stream_create_fd(fd, MAX_OUTBUF_SIZE, FALSE);
-	conn->io = io_add(fd, IO_READ, auth_input, conn);
-	return conn;
-}
-
-static void auth_client_timeout(struct auth_connection *conn)
-{
-	if (!conn->handshaked)

More information about the dovecot-cvs mailing list