changeset 12722:888999441619
lib-storage: Give restrict_access() uid/gid source (userdb or mail_u/gid setting).
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Mon, 07 Feb 2011 22:37:45 +0200 |
parents | cb2c008ae3e8 |
children | b399f91ae660 |
files | src/lib-storage/mail-storage-service.c |
diffstat | 1 files changed, 17 insertions(+), 10 deletions(-) [+] |
--- a/src/lib-storage/mail-storage-service.c Mon Feb 07 22:37:19 2011 +0200 +++ b/src/lib-storage/mail-storage-service.c Mon Feb 07 22:37:45 2011 +0200 @@ -58,7 +58,7 @@ pool_t pool; struct mail_storage_service_input input; - const char *system_groups_user; + const char *system_groups_user, *uid_source, *gid_source; const struct mail_user_settings *user_set; const struct setting_parser_info *user_info; struct setting_parser_context *set_parser; @@ -178,10 +178,13 @@ *error_r = "userdb returned 0 as uid"; return -1; } + user->uid_source = "userdb lookup"; set_keyval(ctx, user, "mail_uid", dec2str(reply->uid)); } - if (reply->gid != (uid_t)-1) + if (reply->gid != (uid_t)-1) { + user->gid_source = "userdb lookup"; set_keyval(ctx, user, "mail_gid", dec2str(reply->gid)); + } if (home != NULL && chroot == NULL && *user->user_set->valid_chroot_dirs != '\0' && @@ -299,8 +302,8 @@ } static int -service_drop_privileges(const struct mail_user_settings *set, - const char *system_groups_user, +service_drop_privileges(struct mail_storage_service_user *user, + const struct mail_user_settings *set, const char *home, const char *chroot, bool disallow_root, bool keep_setuid_root, bool setenv_only, const char **error_r) @@ -327,6 +330,7 @@ dec2str(rset.uid)); return -1; } + rset.uid_source = user->uid_source; } else if (rset.uid == (uid_t)-1 && disallow_root && current_euid == 0) { *error_r = "User is missing UID (see mail_uid setting)"; @@ -347,6 +351,7 @@ dec2str(rset.gid)); return -1; } + rset.gid_source = user->gid_source; } else if (rset.gid == (gid_t)-1 && disallow_root && set->first_valid_gid > 0 && getegid() == 0) { *error_r = "User is missing GID (see mail_gid setting)"; 
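Review bot: The new members `uid_source` and `gid_source` in the `@@ -58` hunk are added without a comment, so nothing at the declaration says what they hold or who owns the memory. On this page they are only ever assigned string literals and copied into `rset`, so a comment such as `/* where mail_uid/mail_gid came from; static strings, used for diagnostics */` would tell a maintainer not to store pool-allocated or user-derived text there. Declaring them on their own line instead of appending them to `system_groups_user` would also keep the value that feeds the privilege drop apart from the labels. The struct starts and ends outside the hunk.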
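Review bot: The rewritten gid test in the `@@ -178` hunk still compares `reply->gid` against `(uid_t)-1`, while the matching check in `service_drop_privileges()` (the `@@ -347` hunk) uses `(gid_t)-1`. Since the line is being touched anyway, it should read `if (reply->gid != (gid_t)-1) {` so the "unset" sentinel has the gid's own type. On a platform where `uid_t` and `gid_t` differ in width, the current cast could treat an unset gid as a real value and write it to `mail_gid`. The uid branch above rejects a userdb uid of 0 and no equivalent gid check is visible here; that may be covered later by `first_valid_gid`, but it is worth confirming. The enclosing function starts and ends outside the hunk.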
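Review bot: `service_drop_privileges()` now takes `struct mail_storage_service_user *user` as a non-const pointer, but the hunks on this page only read from it (`user->uid_source`, `user->gid_source`, `user->system_groups_user`). Declaring it `const struct mail_storage_service_user *user` would document that dropping privileges does not modify the user record, assuming the part of the body outside the hunks does not write to it. The function also still takes `set` separately although the user struct carries `user_set`. A one-line comment on why the caller's `user_set` is passed rather than `user->user_set` would keep a later cleanup from merging the two incorrectly. Only the signature is in this hunk.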
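Review bot: `rset.uid_source` is assigned in the `@@ -327` hunk only after the range check has passed, so the rejection just above it (the `return -1` whose message ends in `dec2str(rset.uid)`) still does not say where the refused UID came from. That is the case where an administrator most needs to know whether the value came from userdb or from `mail_uid`, so the message could append the source, for example `" (uid from %s)"` with `user->uid_source`. The same applies to the gid rejection in the `@@ -347` hunk with `user->gid_source`. Both error strings begin outside the hunks, so the exact wording has to be checked against the full function.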
@@ -370,7 +375,7 @@ /* we can't chroot if we want to switch between users. there's not much point either (from security point of view) */ rset.chroot_dir = *chroot == '\0' || keep_setuid_root ? NULL : chroot; - rset.system_groups_user = system_groups_user; + rset.system_groups_user = user->system_groups_user; cur_chroot = restrict_access_get_current_chroot(); if (cur_chroot != NULL) { @@ -820,6 +825,8 @@ i_panic("settings_parser_check() failed: %s", error); user->user_set = settings_parser_get_list(user->set_parser)[1]; + user->gid_source = "mail_gid setting"; + user->uid_source = "mail_uid setting"; if (!userdb_lookup) { const char *home = getenv("HOME"); @@ -903,9 +910,9 @@ mail_storage_service_init_log(ctx, user); if ((ctx->flags & MAIL_STORAGE_SERVICE_FLAG_NO_RESTRICT_ACCESS) == 0) { - if (service_drop_privileges(user_set, user->system_groups_user, - home, chroot, disallow_root, - temp_priv_drop, FALSE, &error) < 0) { + if (service_drop_privileges(user, user_set, home, chroot, + disallow_root, temp_priv_drop, + FALSE, &error) < 0) { i_error("user %s: Couldn't drop privileges: %s", user->input.username, error); return -1; @@ -939,8 +946,8 @@ chroot = user_expand_varstr(ctx->service, &user->input, user_set->mail_chroot); - if (service_drop_privileges(user_set, user->system_groups_user, - home, chroot, FALSE, FALSE, TRUE, + if (service_drop_privileges(user, user_set, home, chroot, + FALSE, FALSE, TRUE, &error) < 0) i_fatal("%s", error); }
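Review bot: The defaults assigned in the `@@ -820` hunk, `"mail_gid setting"` and `"mail_uid setting"`, are accurate only if the userdb reply handling in the `@@ -178` hunk runs afterwards and overwrites them when userdb supplies a uid or gid; nothing at this site says so. A comment such as `/* defaults; replaced with "userdb lookup" when userdb returns uid/gid */` would make that ordering dependency explicit. The labels are also set when `mail_uid` or `mail_gid` may be empty or may have been changed by some other override, which looks harmless as long as the strings are used only in diagnostics, but that cannot be verified from this hunk. The enclosing function starts and ends outside the hunk.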