# HG changeset patch # User Timo Sirainen # Date 1137361964 -7200 # Node ID 0ae5f5b468b78eb681176e6667a2fcb9d80941fd # Parent 7ee2fc733bf69bf03e8d984b81a8e3b246e781b7 Put ssl-parameters file into login directory so it still can be accessed even if login process is chrooted. diff -r 7ee2fc733bf6 -r 0ae5f5b468b7 src/master/login-process.c --- a/src/master/login-process.c Sun Jan 15 23:24:08 2006 +0200 +++ b/src/master/login-process.c Sun Jan 15 23:52:44 2006 +0200 @@ -14,6 +14,7 @@ #include "mail-process.h" #include "master-login-interface.h" #include "log.h" +#include "ssl-init.h" #include #include @@ -419,8 +420,7 @@ set->ssl_key_file, NULL)); env_put(t_strconcat("SSL_KEY_PASSWORD=", ssl_key_password, NULL)); - env_put(t_strconcat("SSL_PARAM_FILE=", - set->ssl_parameters_file, NULL)); + env_put("SSL_PARAM_FILE="SSL_PARAMETERS_FILENAME); if (set->ssl_cipher_list != NULL) { env_put(t_strconcat("SSL_CIPHER_LIST=", set->ssl_cipher_list, NULL)); diff -r 7ee2fc733bf6 -r 0ae5f5b468b7 src/master/main.c --- a/src/master/main.c Sun Jan 15 23:24:08 2006 +0200 +++ b/src/master/main.c Sun Jan 15 23:52:44 2006 +0200 @@ -751,9 +751,11 @@ } /* read and verify settings before forking */ + t_push(); master_settings_init(); if (!master_settings_read(configfile, exec_protocol != NULL)) exit(FATAL_DEFAULT); + t_pop(); if (ask_key_pass) { const char *prompt; diff -r 7ee2fc733bf6 -r 0ae5f5b468b7 src/master/master-settings.c --- a/src/master/master-settings.c Sun Jan 15 23:24:08 2006 +0200 +++ b/src/master/master-settings.c Sun Jan 15 23:52:44 2006 +0200 @@ -1,6 +1,7 @@ /* Copyright (C) 2002 Timo Sirainen */ #include "common.h" +#include "str.h" #include "istream.h" #include "safe-mkdir.h" #include "mkdir-parents.h" @@ -10,6 +11,7 @@ #include #include +#include #include #include #include 
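Review bot: `SSL_PARAM_FILE` is now exported as a bare file name by `env_put("SSL_PARAM_FILE="SSL_PARAMETERS_FILENAME);` in login-process.c, so the login process resolves it against whatever its working directory is when it opens the file. That is only correct if the process has already chdir'ed or chrooted into login_dir, which this hunk does not show. A non-chrooted login process started elsewhere would fail to find the parameters, or pick up a same-named file from another directory. I would document the dependency next to the call, `/* relative name: the login process must run with login_dir as its cwd or chroot */`, and put a space between the string literal and the macro. The enclosing function starts and ends outside the hunk.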
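Review bot: The new `t_push();` / `t_pop();` pair around settings reading in main.c has no comment saying why this code needs its own data-stack frame. Judging from the rest of the changeset, the likely reason is the `t_str_new(256)` buffer that unlink_auth_sockets() allocates during settings verification. I would add `/* settings verification allocates temporary strings from the data stack */` above `t_push();`. It is also worth confirming that nothing the settings code keeps after `t_pop()` was allocated from the data stack, since master_settings_read() is outside this hunk and such a pointer would dangle.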
@@ -62,7 +64,6 @@ DEF(SET_STR, ssl_cert_file), DEF(SET_STR, ssl_key_file), DEF(SET_STR, ssl_key_password), - DEF(SET_STR, ssl_parameters_file), DEF(SET_STR, ssl_parameters_regenerate), DEF(SET_STR, ssl_cipher_list), DEF(SET_BOOL, ssl_verify_client_cert), @@ -259,7 +260,6 @@ MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem", MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem", MEMBER(ssl_key_password) NULL, - MEMBER(ssl_parameters_file) "ssl-parameters.dat", MEMBER(ssl_parameters_regenerate) 168, MEMBER(ssl_cipher_list) NULL, MEMBER(ssl_verify_client_cert) FALSE, @@ -521,6 +521,37 @@ return FALSE; } +static void unlink_auth_sockets(const char *path) +{ + DIR *dirp; + struct dirent *dp; + struct stat st; + string_t *str; + + dirp = opendir(path); + if (dirp == NULL) { + i_error("opendir(%s) failed: %m", path); + return; + } + + str = t_str_new(256); + while ((dp = readdir(dirp)) != NULL) { + if (dp->d_name[0] == '.') + continue; + + str_truncate(str, 0); + str_printfa(str, "%s/%s", path, dp->d_name); + if (lstat(str_c(str), &st) < 0) { + if (errno != ENOENT) + i_error("lstat(%s) failed: %m", str_c(str)); + } else if (S_ISSOCK(st.st_mode)) { + if (unlink(str_c(str)) < 0 && errno != ENOENT) + i_error("unlink(%s) failed: %m", str_c(str)); + } + } + (void)closedir(dirp); +} + static bool settings_verify(struct settings *set) { const char *dir; @@ -601,7 +632,6 @@ #endif /* fix relative paths */ - fix_base_path(set, &set->ssl_parameters_file); fix_base_path(set, &set->login_dir); /* since base dir is under /var/run by default, it may have been 
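Review bot: The `while ((dp = readdir(dirp)) != NULL)` loop in unlink_auth_sockets() cannot tell end-of-directory from a readdir() failure, so a read error ends the cleanup early and silently, leaving stale sockets in the login directory. Clearing errno before each call and checking it afterwards fixes that: `for (errno = 0; (dp = readdir(dirp)) != NULL; errno = 0) {` and, after the loop, `if (errno != 0) i_error("readdir(%s) failed: %m", path);`. Two smaller points deserve a short comment above the function. The `d_name[0] == '.'` test also skips sockets whose names begin with a dot. The lstat()-then-unlink() pair works on path names, so it relies on login_dir being writable only by the master.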
@@ -631,17 +661,13 @@ empty. with external auth we wouldn't want to delete existing sockets or break the permissions required by the auth server. */ - if (unlink_directory(set->login_dir, FALSE) < 0) { - i_error("unlink_directory() failed for %s: %m", - set->login_dir); - return FALSE; - } - if (safe_mkdir(set->login_dir, 0750, master_uid, set->server->login_gid) == 0) { i_warning("Corrected permissions for login directory " "%s", set->login_dir); } + + unlink_auth_sockets(set->login_dir); } if (set->max_mail_processes < 1) { diff -r 7ee2fc733bf6 -r 0ae5f5b468b7 src/master/master-settings.h --- a/src/master/master-settings.h Sun Jan 15 23:24:08 2006 +0200 +++ b/src/master/master-settings.h Sun Jan 15 23:52:44 2006 +0200 @@ -31,7 +31,6 @@ const char *ssl_cert_file; const char *ssl_key_file; const char *ssl_key_password; - const char *ssl_parameters_file; unsigned int ssl_parameters_regenerate; const char *ssl_cipher_list; bool ssl_verify_client_cert; diff -r 7ee2fc733bf6 -r 0ae5f5b468b7 src/master/ssl-init.c --- a/src/master/ssl-init.c Sun Jan 15 23:24:08 2006 +0200 +++ b/src/master/ssl-init.c Sun Jan 15 23:52:44 2006 +0200 @@ -42,7 +42,7 @@ i_fatal("rename(%s, %s) failed: %m", temp_fname, fname); } -static void start_generate_process(struct settings *set) +static void start_generate_process(const char *fname) { pid_t pid; @@ -54,7 +54,7 @@ if (pid == 0) { /* child */ - generate_parameters_file(set->ssl_parameters_file); + generate_parameters_file(fname); exit(0); } else { /* parent */ 
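Review bot: A failed cleanup no longer stops startup in this hunk: the removed `unlink_directory()` call made settings_verify() return FALSE on error, while `unlink_auth_sockets(set->login_dir);` returns void and only logs. A socket that could not be removed therefore stays in the login directory and the master carries on. Consider having unlink_auth_sockets() return a bool and using `if (!unlink_auth_sockets(set->login_dir)) return FALSE;` here. Non-socket files left in login_dir now also survive a restart, which the comment above this block could state explicitly. The enclosing block begins outside the hunk.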
@@ -70,16 +70,18 @@ static bool check_parameters_file_set(struct settings *set) { + const char *path; struct stat st; time_t regen_time; - if (set->ssl_parameters_file == NULL || set->ssl_disable) + if (set->ssl_disable) return TRUE; - if (lstat(set->ssl_parameters_file, &st) < 0) { + path = t_strconcat(set->login_dir, "/"SSL_PARAMETERS_FILENAME, NULL); + if (lstat(path, &st) < 0) { if (errno != ENOENT) { i_error("lstat() failed for SSL parameters file %s: %m", - set->ssl_parameters_file); + path); return TRUE; } @@ -87,7 +89,7 @@ } else if (st.st_size == 0) { /* broken, delete it (mostly for backwards compatibility) */ st.st_mtime = 0; - (void)unlink(set->ssl_parameters_file); + (void)unlink(path); } /* make sure it's new enough, it's not 0 sized, and the permissions @@ -100,7 +102,7 @@ i_info("Generating Diffie-Hellman parameters " "for the first time. This may take a while.."); } - start_generate_process(set); + start_generate_process(path); return FALSE; } diff -r 7ee2fc733bf6 -r 0ae5f5b468b7 src/master/ssl-init.h --- a/src/master/ssl-init.h Sun Jan 15 23:24:08 2006 +0200 +++ b/src/master/ssl-init.h Sun Jan 15 23:52:44 2006 +0200 @@ -1,6 +1,8 @@ #ifndef __SSL_INIT_H #define __SSL_INIT_H +#define SSL_PARAMETERS_FILENAME "ssl-parameters.dat" + void ssl_parameter_process_destroyed(pid_t pid); void _ssl_generate_parameters(int fd, const char *fname);
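Review bot: With `path = t_strconcat(set->login_dir, "/"SSL_PARAMETERS_FILENAME, NULL);` the master now lstat()s, unlinks and regenerates a file inside login_dir, and the master-settings.c comment in this changeset says that directory may carry permissions required by an external auth server. If any account other than the master can write there, these path-based operations in a privileged process become exposed to link and race problems. It is worth confirming that generate_parameters_file(), which is outside this hunk, creates its temp file exclusively and without following links. The visible check could also reject anything that is not a regular file, for example `} else if (!S_ISREG(st.st_mode) || st.st_size == 0) {`. The dropped `set->ssl_parameters_file == NULL` guard has no counterpart for login_dir, so if login_dir can be unset at this point the result of t_strconcat() should be checked before lstat().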