[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU Mailutils branch, master, updated. release-2.2-664-gb5b49d2
|
From: |
Sergey Poznyakoff |
|
Subject: |
[SCM] GNU Mailutils branch, master, updated. release-2.2-664-gb5b49d2 |
|
Date: |
Tue, 24 Dec 2013 12:08:17 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Mailutils".
http://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=b5b49d266063e4b6f1f5809b3b9f9a30eb335e47
The branch, master has been updated
via b5b49d266063e4b6f1f5809b3b9f9a30eb335e47 (commit)
from 9312d1f8ffa0f2a9eb507ec132c4e00d333245b9 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b5b49d266063e4b6f1f5809b3b9f9a30eb335e47
Author: Sergey Poznyakoff <address@hidden>
Date: Tue Dec 24 13:55:30 2013 +0200
Fix bug in handling AUTHENTICATE command (imap4d). Add user/group ACLs.
The bug was introduced in commit 6e2a3758.
The ACLs allow administrators to limit access to IMAP services to
particular users or users belonging to particular groups.
* imap4d/authenticate.c (imap4d_auth_capability): Take session
pointer as argument. Don't report authentication capabilities
if tls is required.
(imap4d_authenticate): Fix conditional.
* imap4d/capability.c (imap4d_capability): Update call to
imap4d_auth_capability.
* imap4d/imap4d.c (cb_tls_required): Set tls_mode.
(auth_deny_user_list,auth_allow_user_list)
(auth_deny_group_list,auth_allow_group_list): New statics.
(check_user_groups,imap_check_group_list): New static functions.
(imap4d_cfg_param) <allow-users,deny-users>
<allow-groups,deny-groups>: New configuration statements.
(imap4d_session_setup0): Check allow/deny lists.
* imap4d/imap4d.h (imap4d_auth_capability): Change signature.
* pop3d/pop3d.c (cb_tls_required): Set tls_mode.
* bootstrap (gnulib_extra_files): Update.
-----------------------------------------------------------------------
Summary of changes:
bootstrap | 1 -
imap4d/authenticate.c | 7 ++--
imap4d/capability.c | 2 +-
imap4d/imap4d.c | 78 +++++++++++++++++++++++++++++++++++++++++++++++--
imap4d/imap4d.h | 2 +-
pop3d/pop3d.c | 5 +--
6 files changed, 83 insertions(+), 12 deletions(-)
diff --git a/bootstrap b/bootstrap
index c5d2918..124feca 100755
--- a/bootstrap
+++ b/bootstrap
@@ -104,7 +104,6 @@ tests_base=tests
# Extra files from gnulib, which override files from other sources.
gnulib_extra_files="
$build_aux/install-sh
- $build_aux/missing
$build_aux/mdate-sh
$build_aux/texinfo.tex
$build_aux/depcomp
diff --git a/imap4d/authenticate.c b/imap4d/authenticate.c
index 1dbe120..8606dfe 100644
--- a/imap4d/authenticate.c
+++ b/imap4d/authenticate.c
@@ -78,9 +78,10 @@ _auth_try (void *item, void *data)
}
void
-imap4d_auth_capability ()
+imap4d_auth_capability (struct imap4d_session *session)
{
- mu_list_foreach (imap_auth_list, _auth_capa, NULL);
+ if (session->tls_mode != tls_required)
+ mu_list_foreach (imap_auth_list, _auth_capa, NULL);
}
/*
@@ -102,7 +103,7 @@ imap4d_authenticate (struct imap4d_session *session,
auth_type = imap4d_tokbuf_getarg (tok, IMAP4_ARG_1);
- if (tls_required)
+ if (session->tls_mode == tls_required)
return io_completion_response (command, RESP_NO,
"Command disabled: Use STARTTLS first");
diff --git a/imap4d/capability.c b/imap4d/capability.c
index 0e62350..bf2fbc9 100644
--- a/imap4d/capability.c
+++ b/imap4d/capability.c
@@ -78,7 +78,7 @@ imap4d_capability (struct imap4d_session *session,
mu_list_foreach (capa_list, print_capa, NULL);
- imap4d_auth_capability ();
+ imap4d_auth_capability (session);
io_sendf ("\n");
return io_completion_response (command, RESP_OK, "Completed");
diff --git a/imap4d/imap4d.c b/imap4d/imap4d.c
index 532e114..143219f 100644
--- a/imap4d/imap4d.c
+++ b/imap4d/imap4d.c
@@ -287,18 +287,52 @@ cb_tls (void *data, mu_config_value_t *val)
static int
cb_tls_required (void *data, mu_config_value_t *val)
{
- int *res = data;
int bv;
if (mu_cfg_assert_value_type (val, MU_CFG_STRING))
return 1;
if (mu_cfg_parse_boolean (val->v.string, &bv))
mu_error (_("Not a boolean value"));
- else
- *res = tls_required;
+ else if (bv)
+ tls_mode = tls_required;
+ return 0;
+}
+
+static mu_list_t auth_deny_user_list, auth_allow_user_list;
+static mu_list_t auth_deny_group_list, auth_allow_group_list;
+
+static int
+check_user_groups (void *item, void *data)
+{
+ char *gname = item;
+ struct group *gp;
+ char **p;
+
+ gp = getgrnam (gname);
+ if (!gp)
+ return 0;
+
+ if (gp->gr_gid == auth_data->gid)
+ return MU_ERR_EXISTS;
+
+ for (p = gp->gr_mem; *p; p++)
+ if (strcmp (*p, auth_data->name) == 0)
+ return MU_ERR_EXISTS;
+
return 0;
}
+static int
+imap_check_group_list (mu_list_t l)
+{
+ int rc = mu_list_foreach (l, check_user_groups, NULL);
+ if (rc == MU_ERR_EXISTS)
+ return 0;
+ else if (rc == 0)
+ return MU_ERR_NOENT;
+ return rc;
+}
+
static struct mu_cfg_param imap4d_srv_param[] = {
#ifdef WITH_TLS
{ "tls", mu_cfg_callback,
@@ -309,6 +343,19 @@ static struct mu_cfg_param imap4d_srv_param[] = {
};
static struct mu_cfg_param imap4d_cfg_param[] = {
+ { "allow-users", MU_CFG_LIST_OF(mu_cfg_string), &auth_allow_user_list,
+ 0, NULL,
+ N_("Allow access to users from this list.") },
+ { "deny-users", MU_CFG_LIST_OF(mu_cfg_string), &auth_deny_user_list,
+ 0, NULL,
+ N_("Deny access to users from this list.") },
+ { "allow-groups", MU_CFG_LIST_OF(mu_cfg_string), &auth_allow_group_list,
+ 0, NULL,
+ N_("Allow access if the user group is in this list.") },
+ { "deny-groups", MU_CFG_LIST_OF(mu_cfg_string), &auth_deny_group_list,
+ 0, NULL,
+ N_("Deny access if the user group is in this list.") },
+
{ "homedir", mu_cfg_string, &modify_homedir, 0, NULL,
N_("Modify home directory.") },
{ "personal-namespace", MU_CFG_LIST_OF(mu_cfg_string),
&namespace[NS_PRIVATE],
@@ -367,6 +414,31 @@ static struct mu_cfg_param imap4d_cfg_param[] = {
int
imap4d_session_setup0 ()
{
+ if (auth_deny_user_list &&
+ mu_list_locate (auth_deny_user_list, auth_data->name, NULL) == 0)
+ {
+ mu_error (_("%s is in deny-users, rejecting"), auth_data->name);
+ return 1;
+ }
+ if (auth_allow_user_list &&
+ mu_list_locate (auth_allow_user_list, auth_data->name, NULL))
+ {
+ mu_error (_("%s is not in allow-users, rejecting"), auth_data->name);
+ return 1;
+ }
+ if (auth_deny_group_list &&
+ imap_check_group_list (auth_deny_group_list) == 0)
+ {
+ mu_error (_("%s is in deny-groups, rejecting"), auth_data->name);
+ return 1;
+ }
+ if (auth_allow_group_list &&
+ imap_check_group_list (auth_allow_group_list))
+ {
+ mu_error (_("%s is not in allow-groups, rejecting"), auth_data->name);
+ return 1;
+ }
+
real_homedir = mu_normalize_path (mu_strdup (auth_data->dir));
if (imap4d_check_home_dir (real_homedir, auth_data->uid, auth_data->gid))
return 1;
diff --git a/imap4d/imap4d.h b/imap4d/imap4d.h
index 7345551..f83e037 100644
--- a/imap4d/imap4d.h
+++ b/imap4d/imap4d.h
@@ -293,7 +293,7 @@ extern int imap4d_append (struct imap4d_session *,
struct imap4d_command *, imap4d_tokbuf_t);
extern int imap4d_authenticate (struct imap4d_session *,
struct imap4d_command *, imap4d_tokbuf_t);
-extern void imap4d_auth_capability (void);
+extern void imap4d_auth_capability (struct imap4d_session *);
extern int imap4d_capability (struct imap4d_session *,
struct imap4d_command *, imap4d_tokbuf_t);
extern int imap4d_check (struct imap4d_session *,
diff --git a/pop3d/pop3d.c b/pop3d/pop3d.c
index c7a650e..c8026e6 100644
--- a/pop3d/pop3d.c
+++ b/pop3d/pop3d.c
@@ -176,15 +176,14 @@ cb_tls (void *data, mu_config_value_t *val)
static int
cb_tls_required (void *data, mu_config_value_t *val)
{
- int *res = data;
int bv;
if (mu_cfg_assert_value_type (val, MU_CFG_STRING))
return 1;
if (mu_cfg_parse_boolean (val->v.string, &bv))
mu_error (_("Not a boolean value"));
- else
- *res = tls_required;
+ else if (bv)
+ tls_mode = tls_required;
return 0;
}
hooks/post-receive
--
GNU Mailutils
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU Mailutils branch, master, updated. release-2.2-664-gb5b49d2,
Sergey Poznyakoff <=