[dovecot-cvs] dovecot/src/master auth-process.c,1.49,1.50
login-process.c,1.47,1.48 master-settings.c,1.26,1.27
master-settings.h,1.17,1.18
cras at procontrol.fi
cras at procontrol.fi
Sun Aug 24 11:37:43 EEST 2003
Update of /home/cvs/dovecot/src/master
In directory danu:/tmp/cvs-serv29266
Modified Files:
auth-process.c login-process.c master-settings.c
master-settings.h
Log Message:
Make sure auth process and login process don't share uids.
Index: auth-process.c
===================================================================
RCS file: /home/cvs/dovecot/src/master/auth-process.c,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -d -r1.49 -r1.50
--- auth-process.c 22 Aug 2003 02:42:36 -0000 1.49
+++ auth-process.c 24 Aug 2003 07:37:41 -0000 1.50
@@ -253,13 +253,9 @@
static pid_t create_auth_process(struct auth_process_group *group)
{
static char *argv[] = { NULL, NULL };
- struct passwd *pwd;
pid_t pid;
int fd[2], i;
- if ((pwd = getpwnam(group->set->user)) == NULL)
- i_fatal("Auth user doesn't exist: %s", group->set->user);
-
/* create communication to process with a socket pair */
if (socketpair(AF_UNIX, SOCK_STREAM, 0, fd) == -1) {
i_error("socketpair() failed: %m");
@@ -308,8 +304,8 @@
fd_close_on_exec(i, FALSE);
/* setup access environment */
- restrict_access_set_env(group->set->user, pwd->pw_uid, pwd->pw_gid,
- group->set->chroot, 0, 0);
+ restrict_access_set_env(group->set->user, group->set->uid,
+ group->set->gid, group->set->chroot, 0, 0);
/* set other environment */
env_put(t_strconcat("AUTH_PROCESS=", dec2str(getpid()), NULL));
@@ -383,11 +379,10 @@
fd_close_on_exec(group->listen_fd, TRUE);
/* set correct permissions */
- if (chown(path, master_uid,
- auth_set->parent->defaults->login_gid) < 0) {
+ if (chown(path, master_uid, auth_set->parent->login_gid) < 0) {
i_fatal("login: chown(%s, %s, %s) failed: %m",
path, dec2str(master_uid),
- dec2str(auth_set->parent->defaults->login_gid));
+ dec2str(auth_set->parent->login_gid));
}
group->next = process_groups;
Index: login-process.c
===================================================================
RCS file: /home/cvs/dovecot/src/master/login-process.c,v
retrieving revision 1.47
retrieving revision 1.48
diff -u -d -r1.47 -r1.48
--- login-process.c 10 Jul 2003 03:04:07 -0000 1.47
+++ login-process.c 24 Aug 2003 07:37:41 -0000 1.48
@@ -374,7 +374,8 @@
/* setup access environment - needs to be done after
clean_child_process() since it clears environment */
- restrict_access_set_env(set->login_user, set->login_uid, set->login_gid,
+ restrict_access_set_env(set->login_user, set->login_uid,
+ set->server->login_gid,
set->login_chroot ? set->login_dir : NULL,
0, 0);
Index: master-settings.c
===================================================================
RCS file: /home/cvs/dovecot/src/master/master-settings.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -d -r1.26 -r1.27
--- master-settings.c 24 Aug 2003 07:21:30 -0000 1.26
+++ master-settings.c 24 Aug 2003 07:37:41 -0000 1.27
@@ -225,7 +225,6 @@
/* .. */
MEMBER(login_uid) 0,
- MEMBER(login_gid) 0,
MEMBER(listen_fd) -1,
MEMBER(ssl_listen_fd) -1
};
@@ -273,11 +272,11 @@
return FALSE;
}
- if (set->login_gid == 0)
- set->login_gid = pw->pw_gid;
- else if (set->login_gid != pw->pw_gid) {
+ if (set->server->login_gid == 0)
+ set->server->login_gid = pw->pw_gid;
+ else if (set->server->login_gid != pw->pw_gid) {
i_error("All login process users must belong to same group "
- "(%s vs %s)", dec2str(set->login_gid),
+ "(%s vs %s)", dec2str(set->server->login_gid),
dec2str(pw->pw_gid));
return FALSE;
}
@@ -288,6 +287,22 @@
static int auth_settings_verify(struct auth_settings *auth)
{
+ struct passwd *pw;
+
+ if ((pw = getpwnam(auth->user)) == NULL) {
+ i_error("Auth user doesn't exist: %s", auth->user);
+ return FALSE;
+ }
+
+ if (auth->parent->defaults->login_uid == pw->pw_uid &&
+ master_uid != pw->pw_uid) {
+ i_error("login_user %s (uid %s) must not be same as auth_user",
+ auth->user, dec2str(pw->pw_uid));
+ return FALSE;
+ }
+ auth->uid = pw->pw_uid;
+ auth->gid = pw->pw_gid;
+
if (access(auth->executable, X_OK) < 0) {
i_error("Can't use auth executable %s: %m", auth->executable);
return FALSE;
@@ -430,7 +445,8 @@
return FALSE;
}
- if (safe_mkdir(set->login_dir, 0750, master_uid, set->login_gid) == 0) {
+ if (safe_mkdir(set->login_dir, 0750,
+ master_uid, set->server->login_gid) == 0) {
i_warning("Corrected permissions for login directory %s",
set->login_dir);
}
Index: master-settings.h
===================================================================
RCS file: /home/cvs/dovecot/src/master/master-settings.h,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -d -r1.17 -r1.18
--- master-settings.h 24 Aug 2003 07:21:30 -0000 1.17
+++ master-settings.h 24 Aug 2003 07:37:41 -0000 1.18
@@ -81,7 +81,6 @@
/* .. */
uid_t login_uid;
- gid_t login_gid;
int listen_fd, ssl_listen_fd;
};
@@ -106,6 +105,10 @@
unsigned int count;
unsigned int process_size;
+
+ /* .. */
+ uid_t uid;
+ gid_t gid;
};
struct namespace_settings {
@@ -128,6 +131,8 @@
struct auth_settings *auths;
struct auth_settings auth_defaults;
struct namespace_settings *namespaces;
+
+ gid_t login_gid;
};
extern struct server_settings *settings_root;
More information about the dovecot-cvs
mailing list