bcb4e51a409d94ae670de96afb8483a4f7855294Stephan Bosch/* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainenstatic void master_input(struct auth_master_connection *conn);
29d4c6eac14a0b3d79656eb6b206a102fd09d24aTimo Sirainenstatic struct auth_master_connection *auth_master_connections;
/* Masks password-like parameters in a tab-separated reply line.
   The visible lines split str on "\t" into an array allocated from the data
   stack and replace selected elements with a p_strconcat() result; the loop,
   the replacement text and the return statement are missing from this
   listing (blame view with lines dropped).
   NOTE(review): presumably the result is only used for logging - the two
   call sites visible in this file pass it as an argument to a call that is
   cut off; confirm.
   NOTE(review): per the comment below, selection is by the substring "pass"
   in the key, so a secret carried under a key without "pass" in it would
   not be masked - check which fields a reply can carry before relying on
   this for log hygiene. */
c96a1bff0db10e7f7e1d50bc434c95bf1f071805Timo Sirainenstatic const char *
c96a1bff0db10e7f7e1d50bc434c95bf1f071805Timo Sirainenauth_master_reply_hide_passwords(struct auth_master_connection *conn,
c96a1bff0db10e7f7e1d50bc434c95bf1f071805Timo Sirainen const char *str)
c96a1bff0db10e7f7e1d50bc434c95bf1f071805Timo Sirainen unsigned int i;
c96a1bff0db10e7f7e1d50bc434c95bf1f071805Timo Sirainen /* hide all parameters that have "pass" in their key */
c96a1bff0db10e7f7e1d50bc434c95bf1f071805Timo Sirainen args = p_strsplit(pool_datastack_create(), str, "\t");
c96a1bff0db10e7f7e1d50bc434c95bf1f071805Timo Sirainen args[i] = p_strconcat(pool_datastack_create(),
6aafdd81aa1e12c127941c1ebd87e8ee4697ec3eTimo Sirainenvoid auth_master_request_callback(const char *reply, struct auth_master_connection *conn)
eb7b8855cc45292334056f425645215e348ec493Timo Sirainen auth_master_reply_hide_passwords(conn, reply));
/* Handles a REQUEST line from the master process.
   Checks visible in this partial listing, in source order:
     1. the cookie argument is decoded into the local cookie array; a broken
        cookie is logged as a BUG;
     2. client_pid must resolve to an existing auth client connection;
     3. the decoded cookie must equal client_conn->cookie; the comparison
        uses mem_equals_timing_safe() over sizeof(cookie) bytes, which, as
        its name indicates, avoids leaking the position of the first
        differing byte through timing;
     4. auth_request_handler_master_request() must accept the request,
        otherwise the client is reported as a non-login client.
   Every failure is logged with i_error(). What is sent back to the master
   on failure, and the function's return value, are not shown here. */
73bfdbe28c2ce6d143eadf0bab8ccfbe4cab0faeTimo Sirainenmaster_input_request(struct auth_master_connection *conn, const char *args)
ab90f702ceedb7ba445a9a592be0b213b27cbafaStephan Bosch /* <id> <client-pid> <client-id> <cookie> [<parameters>] */
/* buf is backed by the cookie array with sizeof(cookie) as its size; the
   decode call and the length check that presumably precede the error below
   are missing from this listing - confirm against the full file. */
3281669db44d09a087a203201248abbc81b3cc1aTimo Sirainen buffer_create_from_data(&buf, cookie, sizeof(cookie));
419baa2c17c63ae516b2df6cc5695f15aaccbff8Timo Sirainen i_error("BUG: Master sent broken REQUEST cookie");
d176f84ce5ca2073f4dfbafb457b9c74f6bf0d76Timo Sirainen client_conn = auth_client_connection_lookup(client_pid);
7fc0f80480063a9d4cb9e8c07b50db2a5627799eTimo Sirainen i_error("Master requested auth for nonexistent client %u",
ace06232cfa0e99ecca1040e8553b3216d025768Timo Sirainen } else if (!mem_equals_timing_safe(client_conn->cookie, cookie, sizeof(cookie))) {
419baa2c17c63ae516b2df6cc5695f15aaccbff8Timo Sirainen i_error("Master requested auth for client %u with invalid cookie",
daa7e7459749ae8f82cd3eed9c44522d81c609a3Timo Sirainen } else if (!auth_request_handler_master_request(
ab90f702ceedb7ba445a9a592be0b213b27cbafaStephan Bosch client_conn->request_handler, conn, id, client_id, params)) {
daa7e7459749ae8f82cd3eed9c44522d81c609a3Timo Sirainen i_error("Master requested auth for non-login client %u",
39dcbe101c4538ee25d8b196eab30e5f0faa22eeTimo Sirainenmaster_input_cache_flush(struct auth_master_connection *conn, const char *args)
39dcbe101c4538ee25d8b196eab30e5f0faa22eeTimo Sirainen /* <id> [<user> [<user> [..]] */
39dcbe101c4538ee25d8b196eab30e5f0faa22eeTimo Sirainen i_error("BUG: doveadm sent broken CACHE-FLUSH");
f205e138634bd4269fa095463938cccf3970954dTimo Sirainen /* cache disabled */
39dcbe101c4538ee25d8b196eab30e5f0faa22eeTimo Sirainen /* flush the whole cache */
39dcbe101c4538ee25d8b196eab30e5f0faa22eeTimo Sirainen count = auth_cache_clear_users(passdb_cache, list+1);
39dcbe101c4538ee25d8b196eab30e5f0faa22eeTimo Sirainen t_strdup_printf("OK\t%s\t%u\n", list[0], count));
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainenmaster_input_auth_request(struct auth_master_connection *conn, const char *args,
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen const char *cmd, struct auth_request **request_r,
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen const char **error_r)
b8a6abfd2bc86118f54f59ee71005f634f45cdfcTimo Sirainen const char *const *list, *name, *arg, *username;
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen /* <id> <userid> [<parameters>] */
ab122a3bbae3b5fd2aad66e2f2840149d98cee52Timo Sirainen (void)auth_request_import_info(auth_request, name, arg);
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen i_error("BUG: Master sent %s request without service", cmd);
b8a6abfd2bc86118f54f59ee71005f634f45cdfcTimo Sirainen if (!auth_request_set_username(auth_request, username, error_r)) {
/* Checks a userdb lookup result against the connection's restricted UID.
   When the uid taken from the userdb reply differs from
   conn->userdb_restricted_uid, a reason string is built and an error is
   logged under the "userdb" category. A caller visible later in this file
   tests the return value with "< 0". How uid is extracted from the reply,
   the first branch of the if/else chain and the return statements are
   missing from this listing.
   NOTE(review): the logged hint tells the administrator to set mode=0777 on
   the listener. According to the comment in
   auth_master_connection_set_permissions(), the +x bit means no permission
   checks are done at all, so following the hint opens lookups for every
   user to any local process able to open the socket. The narrower fix is to
   run the client with the socket's owner uid or group gid, which that
   function treats as full permissions. */
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainenuser_verify_restricted_uid(struct auth_request *auth_request)
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen struct auth_master_connection *conn = auth_request->master;
ee6df9526e9716b3f1734d85b566e00fc41208bcTimo Sirainen struct auth_fields *reply = auth_request->userdb_reply;
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen else if (uid != conn->userdb_restricted_uid) {
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen "userdb uid (%s) doesn't match peer uid (%s)",
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen dec2str(uid), dec2str(conn->userdb_restricted_uid));
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen auth_request_log_error(auth_request, "userdb",
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen "client doesn't have lookup permissions for this user: %s "
4240acc84d065472e5b21becd6481553fc38fe38Timo Sirainen "(to bypass this check, set: service auth { unix_listener %s { mode=0777 } })",
0602c7dee8ceda2d7c7e5723f18c56698ac5a76dTimo Sirainen struct auth_master_connection *conn = auth_request->master;
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen if (user_verify_restricted_uid(auth_request) < 0)
0f39a57760d93cddbce3ca43096d78e0fe2f42fdTimo Sirainen str_printfa(str, "FAIL\t%u", auth_request->id);
ee6df9526e9716b3f1734d85b566e00fc41208bcTimo Sirainen value = auth_fields_find(auth_request->userdb_reply,
3ee2da6133bd7773961d1f3f3ac531448a5158b9Timo Sirainen str_printfa(str, "NOTFOUND\t%u", auth_request->id);
9398c0935613ba038cf2275ff66c43b25092cfd0Timo Sirainen str_printfa(str, "USER\t%u\t", auth_request->id);
548193b7d6c19a14eff810202cd334f364b75e36Timo Sirainen str_append_tabescaped(str, auth_request->user);
559f278a4c54d9fa7e0f2e96ebceda30562f9009Timo Sirainen auth_fields_append(auth_request->userdb_reply, str,
c96a1bff0db10e7f7e1d50bc434c95bf1f071805Timo Sirainen auth_master_reply_hide_passwords(conn, str_c(str)));
e2a88d59c0d47d63ce1ad5b1fd95e487124a3fd4Timo Sirainen o_stream_nsend(conn->output, str_data(str), str_len(str));
9398c0935613ba038cf2275ff66c43b25092cfd0Timo Sirainenmaster_input_user(struct auth_master_connection *conn, const char *args)
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen ret = master_input_auth_request(conn, args, "USER",
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen auth_request_log_info(auth_request, "userdb", "%s", error);
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen user_callback(USERDB_RESULT_USER_UNKNOWN, auth_request);
401b0787fff2dc986a5321ddb32acb1947ff66b0Timo Sirainen auth_request_set_state(auth_request, AUTH_REQUEST_STATE_USERDB);
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen auth_request_lookup_user(auth_request, user_callback);
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainenstatic void pass_callback_finish(struct auth_request *auth_request,
0602c7dee8ceda2d7c7e5723f18c56698ac5a76dTimo Sirainen struct auth_master_connection *conn = auth_request->master;
bbdd683dd23641dca779bffdf22c089b57fe5066Timo Sirainen if (auth_request->failed || !auth_request->passdb_success) {
bbdd683dd23641dca779bffdf22c089b57fe5066Timo Sirainen str_printfa(str, "FAIL\t%u", auth_request->id);
76830cda2eddcb36736bbb349dcbc2e9ca032483Timo Sirainen str_printfa(str, "PASS\t%u\tuser=", auth_request->id);
d03a871a77f8ec36f48f5fea98d810e51b186fdbTimo Sirainen str_append_tabescaped(str, auth_request->user);
ee6df9526e9716b3f1734d85b566e00fc41208bcTimo Sirainen if (!auth_fields_is_empty(auth_request->extra_fields)) {
ee6df9526e9716b3f1734d85b566e00fc41208bcTimo Sirainen auth_fields_append(auth_request->extra_fields,
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen str_printfa(str, "NOTFOUND\t%u", auth_request->id);
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen str_printfa(str, "FAIL\t%u", auth_request->id);
3cad7d3634afa649561921c54e7769528e7813f9Timo Sirainen str_printfa(str, "FAIL\t%u\treason=Configured passdbs don't support credentials lookups",
e2a88d59c0d47d63ce1ad5b1fd95e487124a3fd4Timo Sirainen o_stream_nsend(conn->output, str_data(str), str_len(str));
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainenauth_master_pass_proxy_finish(bool success, struct auth_request *auth_request)
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen pass_callback_finish(auth_request, success ? PASSDB_RESULT_OK :
91233a89f0060f95542ed661683e5d99a50f1778Timo Sirainen auth_request_proxy_finish_failure(auth_request);
86a58337862c546aa489f07e8e6d242f0180e4a0Timo Sirainenstatic const char *auth_restricted_reason(struct auth_master_connection *conn)
8eefc42b2559db19d06d7ad7b8ad9d1cd2a09178Timo Sirainen if (i_getpwuid(conn->userdb_restricted_uid, &pw) <= 0)
8eefc42b2559db19d06d7ad7b8ad9d1cd2a09178Timo Sirainen namestr = t_strdup_printf("(%s)", pw.pw_name);
8eefc42b2559db19d06d7ad7b8ad9d1cd2a09178Timo Sirainen return t_strdup_printf("%s mode=0666, but not owned by UID %lu%s",
/* Handles a PASS command: parses the request through
   master_input_auth_request() and, when allowed, starts a credentials
   lookup with auth_request_lookup_credentials().
   Access control visible here: a connection whose userdb_restricted_uid is
   nonzero is refused outright and the refusal is logged with the reason
   from auth_restricted_reason(). Unlike USER lookups there is no per-user
   uid match for PASS; only unrestricted connections reach the lookup.
   The parse-failure branch logs the error at info level; the reply sent in
   each branch and the lookup callback are missing from this listing. */
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainenmaster_input_pass(struct auth_master_connection *conn, const char *args)
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen ret = master_input_auth_request(conn, args, "PASS",
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen auth_request_log_info(auth_request, "passdb", "%s", error);
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen } else if (conn->userdb_restricted_uid != 0) {
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen /* no permissions to do this lookup */
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen auth_request_log_error(auth_request, "passdb",
86a58337862c546aa489f07e8e6d242f0180e4a0Timo Sirainen "Auth client doesn't have permissions to do "
86a58337862c546aa489f07e8e6d242f0180e4a0Timo Sirainen "a PASS lookup: %s", auth_restricted_reason(conn));
1862352e2ef8ed1ef824368d9c0c2c0fce89962eTimo Sirainen auth_request_lookup_credentials(auth_request, "",
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainenstatic void master_input_list_finish(struct master_list_iter_ctx *ctx)
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen ctx->conn->io = io_add(ctx->conn->fd, IO_READ, master_input, ctx->conn);
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen (void)userdb_blocking_iter_deinit(&ctx->iter);
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen o_stream_unset_flush_callback(ctx->conn->output);
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainenstatic int master_output_list(struct master_list_iter_ctx *ctx)
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen if ((ret = o_stream_flush(ctx->conn->output)) < 0) {
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainenstatic void master_input_list_callback(const char *user, void *context)
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen struct auth_userdb *userdb = ctx->auth_request->userdb;
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen if (userdb_blocking_iter_deinit(&ctx->iter) < 0)
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen /* iteration is finished */
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen /* continue iterating next userdb */
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen ctx->iter = userdb_blocking_iter_init(ctx->auth_request,
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen str = t_strdup_printf("LIST\t%u\t%s\n", ctx->auth_request->id,
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen ret = o_stream_send_str(ctx->conn->output, str);
1ce47e48d7231da6f18f02eab6bab6451b4ef12aTimo Sirainen if (o_stream_get_buffer_used_size(ctx->conn->output) >= MAX_OUTBUF_SIZE)
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen /* disconnected, don't bother finishing */
1ce47e48d7231da6f18f02eab6bab6451b4ef12aTimo Sirainen if (o_stream_get_buffer_used_size(ctx->conn->output) < MAX_OUTBUF_SIZE)
/* Handles a user-listing (iteration) request: "<id> [<parameters>]".
   Three refusals are visible, each answered with "DONE\t<id>\tfail":
     - the client is already iterating users;
     - the client lacks permission to list users (the reason argument is
       cut off in this listing);
     - no configured userdb provides iterate_init.
   The conditions guarding the first two refusals are missing here.
   Otherwise the parameters are imported into the auth request (an
   unrecognised one is handled as the username mask), the output flush
   callback is switched to master_output_list() and a blocking userdb
   iteration is started.
   NOTE(review): the id is parsed with str_to_uint() before any reply is
   formatted; the handling of a malformed id is not shown - confirm that it
   returns without using id. */
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainenmaster_input_list(struct auth_master_connection *conn, const char *args)
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen struct auth_userdb *userdb = conn->auth->userdbs;
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen /* <id> [<parameters>] */
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen if (list[0] == NULL || str_to_uint(list[0], &id) < 0) {
47b5ef748f34ca194419befab4f7450002f4e85dTimo Sirainen i_error("Auth client is already iterating users");
47b5ef748f34ca194419befab4f7450002f4e85dTimo Sirainen str = t_strdup_printf("DONE\t%u\tfail\n", id);
86a58337862c546aa489f07e8e6d242f0180e4a0Timo Sirainen i_error("Auth client doesn't have permissions to list users: %s",
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen str = t_strdup_printf("DONE\t%u\tfail\n", id);
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen while (userdb != NULL && userdb->userdb->iface->iterate_init == NULL)
3278289d240da169166de8aa785273c5df904e64Timo Sirainen i_error("Trying to iterate users, but userdbs don't support it");
5f618705ebdfa8220a98a5cbb4a561e5e335cfffTimo Sirainen str = t_strdup_printf("DONE\t%u\tfail\n", id);
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen if (!auth_request_import_info(auth_request, name, arg) &&
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen /* username mask */
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen auth_request->user = p_strdup(auth_request->pool, arg);
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen /* rest of the code doesn't like NULL user or service */
43d3ea2780b5f8557ede7b4c039e8f56cb8d357dTimo Sirainen o_stream_set_flush_callback(conn->output, master_output_list, ctx);
e9371f899a3d4207a0ffd3923ea5ec7250cf5e75Timo Sirainen ctx->iter = userdb_blocking_iter_init(auth_request,
eddd9bf1a1369aea4a2715f6be1137da6d17d293Timo Sirainenauth_master_input_line(struct auth_master_connection *conn, const char *line)
39dcbe101c4538ee25d8b196eab30e5f0faa22eeTimo Sirainen return master_input_cache_flush(conn, line + 12);
3278289d240da169166de8aa785273c5df904e64Timo Sirainen i_error("Authentication client trying to connect to "
3278289d240da169166de8aa785273c5df904e64Timo Sirainen "master socket");
0bb8c135a1c065655fc4d2d89b74b4f958fe4f02Timo Sirainen i_error("BUG: Unknown command in %s socket: %s",
2cfe9983ce7a6280636ee12beccc2e865111967bTimo Sirainenstatic void master_input(struct auth_master_connection *conn)
73bfdbe28c2ce6d143eadf0bab8ccfbe4cab0faeTimo Sirainen /* disconnected */
73bfdbe28c2ce6d143eadf0bab8ccfbe4cab0faeTimo Sirainen /* buffer full */
73bfdbe28c2ce6d143eadf0bab8ccfbe4cab0faeTimo Sirainen i_error("BUG: Master sent us more than %d bytes",
b0df0e9a8ed8889ad4bf032043ab245ce8851fdeTimo Sirainen /* make sure the major version matches */
b0df0e9a8ed8889ad4bf032043ab245ce8851fdeTimo Sirainen i_error("Master not compatible with this server "
b0df0e9a8ed8889ad4bf032043ab245ce8851fdeTimo Sirainen "(mixed old and new binaries?)");
73bfdbe28c2ce6d143eadf0bab8ccfbe4cab0faeTimo Sirainen while ((line = i_stream_next_line(conn->input)) != NULL) {
2cfe9983ce7a6280636ee12beccc2e865111967bTimo Sirainenstatic int master_output(struct auth_master_connection *conn)
2767104d81e97a109f0aa9758792bfa1da325a97Timo Sirainen /* transmit error, probably master died */
e5a776932f62d971766d55b6bcc42d2824fa05a3Timo Sirainen o_stream_get_buffer_used_size(conn->output) <= MAX_OUTBUF_SIZE/2) {
2767104d81e97a109f0aa9758792bfa1da325a97Timo Sirainen /* allow input again */
2767104d81e97a109f0aa9758792bfa1da325a97Timo Sirainen conn->io = io_add(conn->fd, IO_READ, master_input, conn);
/* Decides how much this peer is allowed to look up, from the listener
   socket's stat data and the peer's credentials. Outcomes visible in this
   partial listing:
     - a branch where the socket mode already restricts access; its comment
       states that the +x bit also means no permission checks are done;
     - failing to obtain the peer's credentials is logged as an error (the
       caller tests the return value with "< 0");
     - peer uid equal to the socket's owner uid, OR peer gid equal to the
       socket's group gid, gives full permissions;
     - any other peer is restricted to lookups whose returned uid matches
       the peer's own uid.
   The mode tests and the assignment of conn->userdb_restricted_uid are
   missing from this listing.
   NOTE(review): the full-permission test is an OR, so sharing the socket's
   group alone is enough for unrestricted lookups; keep the listener's group
   as narrow as its owner. */
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainenauth_master_connection_set_permissions(struct auth_master_connection *conn,
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen /* figure out what permissions we want to give to this client */
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen /* permissions were already restricted by the socket
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen permissions. also +x bit indicates that we shouldn't do
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen any permission checks. */
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen i_error("userdb connection: Failed to get peer's credentials");
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen if (cred.uid == st->st_uid || cred.gid == st->st_gid) {
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen /* full permissions */
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen /* restrict permissions: return only lookups whose returned
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen uid matches the peer's uid */
/* Allocates and registers a master connection for an accepted socket fd.
   Visible steps: allocate the struct, create the input stream with
   MAX_INBUF_SIZE as its buffer limit, create the output stream, install
   master_output() as the flush callback, start reading with master_input(),
   format the VERSION/SPID handshake line, link the connection into
   auth_master_connections, then derive the peer's permissions from
   socket_st.
   The output stream is created with (size_t)-1 as its maximum buffer size,
   so the stream does not cap buffered output by itself; the
   MAX_OUTBUF_SIZE comparisons elsewhere in this file are what bound it.
   NOTE(review): o_stream_set_no_error_handling() is enabled and replies are
   sent with o_stream_nsend(), so individual send failures are not checked
   at the call sites - presumably they surface through the flush callback;
   confirm.
   NOTE(review): the connection is already listed and readable when
   auth_master_connection_set_permissions() fails; the failure branch is
   missing from this listing - confirm that it destroys the connection
   before any input is processed. */
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainenauth_master_connection_create(struct auth *auth, int fd,
86a58337862c546aa489f07e8e6d242f0180e4a0Timo Sirainen const char *path, const struct stat *socket_st,
ad49932dae8ba31e07544b66bbc4f4de707a751cTimo Sirainen conn = i_new(struct auth_master_connection, 1);
e93184a9055c2530366dfe617e07199603c399ddMartti Rannanjärvi conn->input = i_stream_create_fd(fd, MAX_INBUF_SIZE);
e93184a9055c2530366dfe617e07199603c399ddMartti Rannanjärvi conn->output = o_stream_create_fd(fd, (size_t)-1);
e2a88d59c0d47d63ce1ad5b1fd95e487124a3fd4Timo Sirainen o_stream_set_no_error_handling(conn->output, TRUE);
2767104d81e97a109f0aa9758792bfa1da325a97Timo Sirainen o_stream_set_flush_callback(conn->output, master_output, conn);
6b46a500174ace25494b8f0547283eb60dc13756Timo Sirainen conn->io = io_add(fd, IO_READ, master_input, conn);
d176f84ce5ca2073f4dfbafb457b9c74f6bf0d76Timo Sirainen line = t_strdup_printf("VERSION\t%u\t%u\nSPID\t%s\n",
29d4c6eac14a0b3d79656eb6b206a102fd09d24aTimo Sirainen DLLIST_PREPEND(&auth_master_connections, conn);
c95b7ce6c3ebf84a9ef20320b9f11ef2129e1f1aTimo Sirainen if (auth_master_connection_set_permissions(conn, socket_st) < 0) {
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainenvoid auth_master_connection_destroy(struct auth_master_connection **_conn)
29d4c6eac14a0b3d79656eb6b206a102fd09d24aTimo Sirainen DLLIST_REMOVE(&auth_master_connections, conn);
cf0ad1a0bddb0787f3d7b408a96d721a8b2a98a3Timo Sirainen master_service_client_connection_destroyed(master_service);
ecb1b2d6236942bf82f822e8d0167f0e160b206dTimo Sirainenvoid auth_master_connection_ref(struct auth_master_connection *conn)