annotate src/plugins/expire/auth-client.c @ 9658:8ba4253adc9b HEAD tip
*-login: SSL connections didn't get closed when the client got destroyed.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Thu, 08 May 2014 16:41:29 +0300 |
parents | 00cd9aacd03c |
children |
rev | line source |
---|---|
1 /* Copyright (c) 2005-2010 Dovecot authors, see the included COPYING file */ |
2 |
3 #include "lib.h" |
4 #include "array.h" |
5 #include "env-util.h" |
6 #include "restrict-access.h" |
7 #include "auth-client.h" |
8 #include "expire-plugin.h" |
9 #include "auth-master.h" |
10 |
11 #include <unistd.h> |
12 |
/* Effective UID most recently set by auth_set_env() through seteuid().
   Starts at 0; auth_set_env() resets it to 0 after seteuid(0) succeeds and
   sets it to the target UID after seteuid(uid) succeeds. */
static uid_t current_uid = 0;
14 |
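/* Apply one userdb lookup result to this process: export it into the
   environment and switch the effective UID/GID to that user.

   user  - name that was looked up; used only in error messages.
   reply - lookup result. uid/gid are overwritten with global_mail_uid /
           global_mail_gid when the userdb returned (uid_t)-1 / (gid_t)-1.

   Returns 0 on success, -1 if the reply has no home directory or no usable
   uid/gid (an error is logged). All validation happens before the first
   environment or credential change, so a rejected reply leaves USER,
   RESTRICT_* and the effective UID exactly as they were. seteuid() failures
   are reported with i_fatal(). */
static int auth_set_env(const char *user, struct auth_user_reply *reply)
{
	const char *const *fields, *key, *value;
	unsigned int i, count;

	if (reply->home == NULL) {
		/* we must have a home directory */
		i_error("userdb(%s) didn't return a home directory", user);
		return -1;
	}
	/* fall back to the mail_uid / mail_gid settings when the userdb
	   didn't supply its own values */
	if (reply->uid == (uid_t)-1)
		reply->uid = global_mail_uid;
	if (reply->uid == (uid_t)-1) {
		i_error("userdb(%s) didn't return uid and mail_uid not set",
			user);
		return -1;
	}
	if (reply->gid == (gid_t)-1)
		reply->gid = global_mail_gid;
	if (reply->gid == (gid_t)-1) {
		i_error("userdb(%s) didn't return gid and mail_gid not set",
			user);
		return -1;
	}

	env_put(t_strconcat("USER=", reply->user, NULL));
	/* NOTE(review): RESTRICT_CHROOT is only ever set here, never cleared.
	   If a previous user had a chroot and this one doesn't, the old value
	   may still be in the environment when restrict_access_by_env() runs
	   below - confirm whether that function clears it. */
	if (reply->chroot != NULL)
		env_put(t_strconcat("RESTRICT_CHROOT=", reply->chroot, NULL));

	/* gid is known to be valid here; only request a GID change when it
	   differs from the current effective GID */
	if (getegid() != reply->gid) {
		env_put(t_strconcat("RESTRICT_SETGID=",
				    dec2str(reply->gid), NULL));
	}

	if (reply->uid != current_uid && current_uid != 0) {
		/* we're changing the UID, switch back to root */
		if (seteuid(0) != 0)
			i_fatal("seteuid(0) failed: %m");
		current_uid = 0;
	}

	/* change GID */
	restrict_access_by_env(FALSE);

	/* we'll change only effective UID. This is a bit unfortunate since
	   it allows reverting back to root, but we'll have to be able to
	   access different users' mailboxes.. */
	if (reply->uid != current_uid) {
		if (seteuid(reply->uid) < 0)
			i_fatal("seteuid(%s) failed: %m", dec2str(reply->uid));
		current_uid = reply->uid;
	}

	/* Export every userdb extra field as KEY=value, upper-casing the key;
	   a field without '=' is exported with the value "1".
	   NOTE(review): keys come straight from the userdb reply and are not
	   filtered, so a field named e.g. "user" or "restrict_*" overrides or
	   adds to the variables set above and stays in the environment for
	   the next call - confirm the userdb is trusted for this. */
	fields = array_get(&reply->extra_fields, &count);
	for (i = 0; i < count; i++) {
		key = t_str_ucase(t_strcut(fields[i], '='));
		value = strchr(fields[i], '=');
		if (value != NULL)
			value++;
		else
			value = "1";
		env_put(t_strconcat(key, "=", value, NULL));
	}
	/* HOME is written after the extra fields, so the reply's home
	   directory wins over any "home" extra field */
	env_put(t_strconcat("HOME=", reply->home, NULL));
	return 0;
}

/* Look up `user` through the auth master connection and, when the lookup
   succeeds, switch this process's environment and effective UID/GID to it.

   Returns the auth_master_user_lookup() result, except that a successful
   lookup (> 0) whose reply cannot be applied (no home, no uid/gid) is
   reported as -1. Previously that case still returned > 0, so the caller
   carried on with the credentials and environment of whichever user was
   processed before.
   NOTE(review): presumably callers already treat a negative return as a
   lookup error - confirm against the callers of this function. */
int auth_client_put_user_env(struct auth_master_connection *conn,
			     const char *user)
{
	struct auth_user_reply reply;
	pool_t pool;
	int ret;

	/* the reply's strings live in this pool, so it must outlive
	   auth_set_env() */
	pool = pool_alloconly_create("userdb lookup", 512);
	ret = auth_master_user_lookup(conn, user, AUTH_SERVICE_INTERNAL,
				      pool, &reply);
	if (ret > 0 && auth_set_env(user, &reply) < 0)
		ret = -1;
	pool_unref(&pool);
	return ret;
}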