dovecot-2.1: auth: Improved "auth client doesn't have permission...

dovecot at dovecot.org dovecot at dovecot.org
Fri Oct 7 18:10:02 EEST 2011


details:   http://hg.dovecot.org/dovecot-2.1/rev/99ff7bf3c490
changeset: 13611:99ff7bf3c490
user:      Timo Sirainen <tss at iki.fi>
date:      Fri Oct 07 18:18:20 2011 +0300
description:
auth: Improved "auth client doesn't have permissions to do .." errors.

diffstat:

 src/auth/auth-master-connection.c |  23 ++++++++++++++++++-----
 src/auth/auth-master-connection.h |   4 +++-
 src/auth/main.c                   |  10 ++++++++--
 3 files changed, 29 insertions(+), 8 deletions(-)

diffs (147 lines):

diff -r a70f6f04f1fe -r 99ff7bf3c490 src/auth/auth-master-connection.c
--- a/src/auth/auth-master-connection.c	Wed Oct 05 18:47:56 2011 +0300
+++ b/src/auth/auth-master-connection.c	Fri Oct 07 18:18:20 2011 +0300
@@ -329,6 +329,13 @@
 	auth_master_connection_unref(&conn);
 }
 
+static const char *auth_restricted_reason(struct auth_master_connection *conn)
+{
+	return t_strdup_printf("%s mode=0666, but not owned by UID %lu",
+			       conn->path,
+			       (unsigned long)conn->userdb_restricted_uid);
+}
+
 static bool
 master_input_pass(struct auth_master_connection *conn, const char *args)
 {
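Review bot: The reason string built by `auth_restricted_reason()` states `mode=0666` as a fact, but the helper never looks at the socket mode. It is accurate only while `userdb_restricted_uid` is set exclusively for 0666 sockets, and that decision is made outside this hunk. A header comment should record this precondition and the lifetime of the result, for example `/* Only meaningful when conn->userdb_restricted_uid != 0; returns a data-stack string, so use it before the current frame is popped. */`. Both callers in this commit pass the result straight to the logger, which is fine. The helper only reads `conn`, so the parameter could be `const struct auth_master_connection *conn`.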
@@ -347,8 +354,8 @@
 	} else if (conn->userdb_restricted_uid != 0) {
 		/* no permissions to do this lookup */
 		auth_request_log_error(auth_request, "passdb",
-			"Remote client doesn't have permissions to do "
-			"a PASS lookup");
+			"Auth client doesn't have permissions to do "
+			"a PASS lookup: %s", auth_restricted_reason(conn));
 		pass_callback(PASSDB_RESULT_INTERNAL_FAILURE,
 			      NULL, 0, auth_request);
 	} else {
@@ -445,7 +452,8 @@
 	}
 
 	if (conn->userdb_restricted_uid != 0) {
-		i_error("Remote client doesn't have permissions to list users");
+		i_error("Auth client doesn't have permissions to list users: %s",
+			auth_restricted_reason(conn));
 		str = t_strdup_printf("DONE\t%u\tfail\n", id);
 		(void)o_stream_send_str(conn->output, str);
 		return TRUE;
@@ -600,14 +608,18 @@
 
 struct auth_master_connection *
 auth_master_connection_create(struct auth *auth, int fd,
-			      const struct stat *socket_st, bool userdb_only)
+			      const char *path, const struct stat *socket_st,
+			      bool userdb_only)
 {
 	struct auth_master_connection *conn;
 	const char *line;
 
+	i_assert(path != NULL);
+
 	conn = i_new(struct auth_master_connection, 1);
 	conn->refcount = 1;
 	conn->fd = fd;
+	conn->path = i_strdup(path);
 	conn->auth = auth;
 	conn->input = i_stream_create_fd(fd, MAX_INBUF_SIZE, FALSE);
 	conn->output = o_stream_create_fd(fd, (size_t)-1, FALSE);
@@ -657,7 +669,7 @@
 		io_remove(&conn->io);
 	if (conn->fd != -1) {
 		if (close(conn->fd) < 0)
-			i_error("close(): %m");
+			i_error("close(%s): %m", conn->path);
 		conn->fd = -1;
 	}
 
@@ -687,6 +699,7 @@
 	if (conn->output != NULL)
 		o_stream_unref(&conn->output);
 
+	i_free(conn->path);
 	i_free(conn);
 }
 
diff -r a70f6f04f1fe -r 99ff7bf3c490 src/auth/auth-master-connection.h
--- a/src/auth/auth-master-connection.h	Wed Oct 05 18:47:56 2011 +0300
+++ b/src/auth/auth-master-connection.h	Fri Oct 07 18:18:20 2011 +0300
@@ -9,6 +9,7 @@
 	int refcount;
 
 	int fd;
+	char *path;
 	struct istream *input;
 	struct ostream *output;
 	struct io *io;
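Review bot: The new `char *path;` member carries no comment saying what it names or who owns it. Judging from the other hunks it is a private copy made with `i_strdup()` in `auth_master_connection_create()` and released with `i_free()` next to `i_free(conn)`, so a short comment would do: `/* listener socket path; private copy owned by conn, used in log messages */`. The struct definition starts and ends outside this hunk.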
@@ -28,7 +29,8 @@
 
 struct auth_master_connection *
 auth_master_connection_create(struct auth *auth, int fd,
-			      const struct stat *socket_st, bool userdb_only);
+			      const char *path, const struct stat *socket_st,
+			      bool userdb_only);
 void auth_master_connection_destroy(struct auth_master_connection **conn);
 
 void auth_master_connection_ref(struct auth_master_connection *conn);
diff -r a70f6f04f1fe -r 99ff7bf3c490 src/auth/main.c
--- a/src/auth/main.c	Wed Oct 05 18:47:56 2011 +0300
+++ b/src/auth/main.c	Fri Oct 07 18:18:20 2011 +0300
@@ -43,6 +43,7 @@
 struct auth_socket_listener {
 	enum auth_socket_type type;
 	struct stat st;
+	char *path;
 };
 
 bool worker = FALSE, shutdown_request = FALSE;
@@ -141,6 +142,7 @@
 
 		l = array_idx_modifiable(&listeners, fd);
 		l->type = auth_socket_type_get(fd, &path);
+		l->path = i_strdup(path);
 		if (l->type == AUTH_SOCKET_USERDB) {
 			if (stat(path, &l->st) < 0)
 				i_error("stat(%s) failed: %m", path);
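Review bot: `l->path = i_strdup(path);` now reads `path` for every listener type, whereas the surrounding code only uses it inside the `AUTH_SOCKET_USERDB` branch. Whether `auth_socket_type_get()` always stores to `*path_r` is not visible here. If it can return early for a listener that has no UNIX socket name, this line copies an indeterminate pointer, and the `i_free(l->path)` added to `main_deinit` would later free it. Initialising the local as `const char *path = NULL;` (its declaration is outside the hunk) keeps that case defined, provided `i_strdup()` accepts NULL. The `i_assert(path != NULL)` added to `auth_master_connection_create()` would then report a missing path for master/userdb listeners as an explicit panic rather than undefined behaviour.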
@@ -245,6 +247,8 @@
 
 static void main_deinit(void)
 {
+	struct auth_socket_listener *l;
+
 	if (auth_penalty != NULL) {
 		/* cancel all pending anvil penalty lookups */
 		auth_penalty_deinit(&auth_penalty);
@@ -278,6 +282,8 @@
 	sql_drivers_deinit();
 	random_deinit();
 
+	array_foreach_modifiable(&listeners, l)
+		i_free(l->path);
 	array_free(&listeners);
 	pool_unref(&auth_set_pool);
 }
@@ -303,11 +309,11 @@
 	switch (l->type) {
 	case AUTH_SOCKET_MASTER:
 		(void)auth_master_connection_create(auth, conn->fd,
-						    NULL, FALSE);
+						    l->path, NULL, FALSE);
 		break;
 	case AUTH_SOCKET_USERDB:
 		(void)auth_master_connection_create(auth, conn->fd,
-						    &l->st, TRUE);
+						    l->path, &l->st, TRUE);
 		break;
 	case AUTH_SOCKET_LOGIN_CLIENT:
 		(void)auth_client_connection_create(auth, conn->fd, TRUE);

