[dovecot-cvs] dovecot/src/login auth-connection.c,1.14,1.15 auth-connection.h,1.3,1.4 client-authenticate.c,1.22,1.23 common.h,1.4,1.5 main.c,1.11,1.12 master.c,1.8,1.9 master.h,1.4,1.5
cras at procontrol.fi
cras at procontrol.fi
Fri Dec 20 01:56:26 EET 2002
- Previous message: [dovecot-cvs] dovecot/src/master auth-process.c,1.20,1.21 auth-process.h,1.4,1.5 common.h,1.7,1.8 login-process.c,1.22,1.23 main.c,1.20,1.21 master-interface.h,1.2,1.3 settings.c,1.31,1.32 settings.h,1.16,1.17
- Next message: [dovecot-cvs] dovecot dovecot-example.conf,1.25,1.26
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Update of /home/cvs/dovecot/src/login
In directory danu:/tmp/cvs-serv14140/login
Modified Files:
auth-connection.c auth-connection.h client-authenticate.c
common.h main.c master.c master.h
Log Message:
Instead of just trusting randomness of authentication cookies between
auth<->master<->login process IPC, master now doesn't accept any cookies
from login process which weren't created by it (identified by PID). When
login process dies, all it's pending cookies are also removed, so I can't
see even a theoretical possiblity anymore for exploited login process to
authenticate as someone else.
Also fixed some int -> unsigned int.
Index: auth-connection.c
===================================================================
RCS file: /home/cvs/dovecot/src/login/auth-connection.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -d -r1.14 -r1.15
--- auth-connection.c 18 Dec 2002 15:15:42 -0000 1.14
+++ auth-connection.c 19 Dec 2002 23:56:24 -0000 1.15
@@ -25,7 +25,7 @@
IStream *input;
OStream *output;
- int auth_process;
+ unsigned int auth_process;
AuthMethod available_auth_methods;
AuthReplyData in_reply;
@@ -38,10 +38,11 @@
AuthMethod available_auth_methods;
static int auth_reconnect;
-static int request_id_counter;
+static unsigned int request_id_counter;
static AuthConnection *auth_connections;
static Timeout to;
+static void auth_connection_destroy(AuthConnection *conn);
static void auth_input(void *context, int fd, IO io);
static void auth_connect_missing(void);
@@ -59,7 +60,8 @@
static AuthConnection *auth_connection_new(const char *path)
{
- AuthConnection *conn;
+ AuthConnection *conn;
+ ClientAuthInitData init_data;
int fd;
fd = net_connect_unix(path);
@@ -81,6 +83,14 @@
conn->next = auth_connections;
auth_connections = conn;
+
+ /* send our handshake */
+ memset(&init_data, 0, sizeof(init_data));
+ init_data.pid = login_process_uid;
+ if (o_stream_send(conn->output, &init_data, sizeof(init_data)) < 0) {
+ auth_connection_destroy(conn);
+ return NULL;
+ }
return conn;
}
Index: auth-connection.h
===================================================================
RCS file: /home/cvs/dovecot/src/login/auth-connection.h,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- auth-connection.h 8 Sep 2002 15:19:39 -0000 1.3
+++ auth-connection.h 19 Dec 2002 23:56:24 -0000 1.4
@@ -5,7 +5,7 @@
/* If result == AUTH_RESULT_INTERNAL_FAILURE, request may be NULL and
reply_data_size contains the error message. */
-typedef void (*AuthCallback)(AuthRequest *request, int auth_process,
+typedef void (*AuthCallback)(AuthRequest *request, unsigned int auth_process,
AuthResult result, const unsigned char *reply_data,
size_t reply_data_size, void *context);
@@ -13,7 +13,7 @@
AuthMethod method;
AuthConnection *conn;
- int id;
+ unsigned int id;
unsigned char cookie[AUTH_COOKIE_SIZE];
AuthCallback callback;
Index: client-authenticate.c
===================================================================
RCS file: /home/cvs/dovecot/src/login/client-authenticate.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -d -r1.22 -r1.23
--- client-authenticate.c 18 Dec 2002 15:15:42 -0000 1.22
+++ client-authenticate.c 19 Dec 2002 23:56:24 -0000 1.23
@@ -123,7 +123,7 @@
t_pop();
}
-static int auth_callback(AuthRequest *request, int auth_process,
+static int auth_callback(AuthRequest *request, unsigned int auth_process,
AuthResult result, const unsigned char *reply_data,
size_t reply_data_size, void *context)
{
@@ -167,7 +167,7 @@
}
}
-static void login_callback(AuthRequest *request, int auth_process,
+static void login_callback(AuthRequest *request, unsigned int auth_process,
AuthResult result, const unsigned char *reply_data,
size_t reply_data_size, void *context)
{
@@ -219,8 +219,8 @@
}
}
-static void authenticate_callback(AuthRequest *request, int auth_process,
- AuthResult result,
+static void authenticate_callback(AuthRequest *request,
+ unsigned int auth_process, AuthResult result,
const unsigned char *reply_data,
size_t reply_data_size, void *context)
{
Index: common.h
===================================================================
RCS file: /home/cvs/dovecot/src/login/common.h,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- common.h 3 Dec 2002 00:13:17 -0000 1.4
+++ common.h 19 Dec 2002 23:56:24 -0000 1.5
@@ -9,6 +9,7 @@
extern int disable_plaintext_auth, process_per_connection, verbose_proctitle;
extern unsigned int max_logging_users;
+extern unsigned int login_process_uid;
void main_ref(void);
void main_unref(void);
Index: main.c
===================================================================
RCS file: /home/cvs/dovecot/src/login/main.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- main.c 18 Dec 2002 04:00:01 -0000 1.11
+++ main.c 19 Dec 2002 23:56:24 -0000 1.12
@@ -17,6 +17,7 @@
int disable_plaintext_auth, process_per_connection, verbose_proctitle;
unsigned int max_logging_users;
+unsigned int login_process_uid;
static IOLoop ioloop;
static IO io_imap, io_imaps;
@@ -152,6 +153,13 @@
value = getenv("MAX_LOGGING_USERS");
max_logging_users = value == NULL ? 0 : strtoul(value, NULL, 10);
+
+ value = getenv("PROCESS_UID");
+ if (value == NULL)
+ i_fatal("BUG: PROCESS_UID environment not given");
+ login_process_uid = strtoul(value, NULL, 10);
+ if (login_process_uid == 0)
+ i_fatal("BUG: PROCESS_UID environment is 0");
closing_down = FALSE;
main_refcount = 0;
Index: master.c
===================================================================
RCS file: /home/cvs/dovecot/src/login/master.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- master.c 19 Dec 2002 01:02:36 -0000 1.8
+++ master.c 19 Dec 2002 23:56:24 -0000 1.9
@@ -14,7 +14,7 @@
struct _WaitingRequest {
WaitingRequest *next;
- int id;
+ unsigned int id;
MasterCallback callback;
void *context;
};
@@ -25,7 +25,8 @@
static unsigned int master_pos;
static char master_buf[sizeof(MasterReply)];
-static void push_request(int id, MasterCallback callback, void *context)
+static void push_request(unsigned int id, MasterCallback callback,
+ void *context)
{
WaitingRequest *req;
@@ -63,7 +64,8 @@
i_free(req);
}
-void master_request_imap(int fd, int auth_process, const char *login_tag,
+void master_request_imap(int fd, unsigned int auth_process,
+ const char *login_tag,
unsigned char cookie[AUTH_COOKIE_SIZE], IPADDR *ip,
MasterCallback callback, void *context)
{
Index: master.h
===================================================================
RCS file: /home/cvs/dovecot/src/login/master.h,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- master.h 16 Nov 2002 05:21:21 -0000 1.4
+++ master.h 19 Dec 2002 23:56:24 -0000 1.5
@@ -6,7 +6,8 @@
typedef void (*MasterCallback)(MasterReplyResult result, void *context);
/* Request IMAP process for given cookie. */
-void master_request_imap(int fd, int auth_process, const char *login_tag,
+void master_request_imap(int fd, unsigned int auth_process,
+ const char *login_tag,
unsigned char cookie[AUTH_COOKIE_SIZE], IPADDR *ip,
MasterCallback callback, void *context);
- Previous message: [dovecot-cvs] dovecot/src/master auth-process.c,1.20,1.21 auth-process.h,1.4,1.5 common.h,1.7,1.8 login-process.c,1.22,1.23 main.c,1.20,1.21 master-interface.h,1.2,1.3 settings.c,1.31,1.32 settings.h,1.16,1.17
- Next message: [dovecot-cvs] dovecot dovecot-example.conf,1.25,1.26
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the dovecot-cvs
mailing list