src/auth/userdb-passwd.c

	userdb-passwd.c revision 2454dfa32c93c20a8522c6ed42fe057baaac9f9a
148N/A/* Copyright (c) 2002-2017 Dovecot authors, see the included COPYING file */
148N/A
148N/A#include "auth-common.h"
148N/A#include "userdb.h"
148N/A
148N/A#ifdef USERDB_PASSWD
148N/A
148N/A#include "ioloop.h"
148N/A#include "ipwd.h"
148N/A#include "time-util.h"
148N/A#include "userdb-template.h"
148N/A
148N/A#define USER_CACHE_KEY "%u"
148N/A#define PASSWD_SLOW_WARN_MSECS (10*1000)
148N/A#define PASSWD_SLOW_MASTER_WARN_MSECS 50
148N/A#define PASSDB_SLOW_MASTER_WARN_COUNT_INTERVAL 100
148N/A#define PASSDB_SLOW_MASTER_WARN_MIN_PERCENTAGE 5
148N/A
148N/Astruct passwd_userdb_module {
148N/A    struct userdb_module module;
148N/A    struct userdb_template *tmpl;
148N/A
148N/A    unsigned int fast_count, slow_count;
148N/A    bool slow_warned:1;
148N/A};
148N/A
148N/Astruct passwd_userdb_iterate_context {
148N/A    struct userdb_iterate_context ctx;
148N/A    struct passwd_userdb_iterate_context *next_waiting;
148N/A};
148N/A
148N/Astatic struct passwd_userdb_iterate_context *cur_userdb_iter = NULL;
148N/Astatic struct timeout *cur_userdb_iter_to = NULL;
148N/A
148N/Astatic void
148N/Apasswd_check_warnings(struct auth_request *auth_request,
148N/A              struct passwd_userdb_module *module,
148N/A              const struct timeval *start_tv)
148N/A{
148N/A    struct timeval end_tv;
148N/A    unsigned int msecs, percentage;
148N/A
148N/A    if (gettimeofday(&end_tv, NULL) < 0)
148N/A        return;
148N/A
148N/A    msecs = timeval_diff_msecs(&end_tv, start_tv);
148N/A    if (msecs >= PASSWD_SLOW_WARN_MSECS) {
148N/A        i_warning("passwd: Lookup for %s took %u secs",
148N/A              auth_request->user, msecs/1000);
148N/A        return;
148N/A    }
148N/A    if (worker || module->slow_warned)
148N/A        return;
148N/A
148N/A    if (msecs < PASSWD_SLOW_MASTER_WARN_MSECS) {
148N/A        module->fast_count++;
148N/A        return;
148N/A    }
148N/A    module->slow_count++;
148N/A    if (module->fast_count + module->slow_count <
148N/A        PASSDB_SLOW_MASTER_WARN_COUNT_INTERVAL)
148N/A        return;
148N/A
148N/A    percentage = module->slow_count * 100 /
148N/A        (module->slow_count + module->fast_count);
148N/A    if (percentage < PASSDB_SLOW_MASTER_WARN_MIN_PERCENTAGE) {
148N/A        /* start from beginning */
148N/A        module->slow_count = module->fast_count = 0;
148N/A    } else {
148N/A        i_warning("passwd: %u%% of last %u lookups took over "
148N/A              "%u milliseconds, "
148N/A              "you may want to set blocking=yes for userdb",
148N/A              percentage, PASSDB_SLOW_MASTER_WARN_COUNT_INTERVAL,
148N/A              PASSWD_SLOW_MASTER_WARN_MSECS);
148N/A        module->slow_warned = TRUE;
148N/A    }
148N/A}
148N/A
148N/Astatic void passwd_lookup(struct auth_request *auth_request,
148N/A              userdb_callback_t *callback)
148N/A{
148N/A    struct userdb_module *_module = auth_request->userdb->userdb;
148N/A    struct passwd_userdb_module *module =
148N/A        (struct passwd_userdb_module *)_module;
    struct passwd pw;
    struct timeval start_tv;
    const char *error;
    int ret;

    auth_request_log_debug(auth_request, AUTH_SUBSYS_DB, "lookup");

    if (gettimeofday(&start_tv, NULL) < 0)
        start_tv.tv_sec = 0;
    ret = i_getpwnam(auth_request->user, &pw);
    if (start_tv.tv_sec != 0)
        passwd_check_warnings(auth_request, module, &start_tv);

    switch (ret) {
    case -1:
        auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
                       "getpwnam() failed: %m");
        callback(USERDB_RESULT_INTERNAL_FAILURE, auth_request);
        return;
    case 0:
        auth_request_log_unknown_user(auth_request, AUTH_SUBSYS_DB);
        callback(USERDB_RESULT_USER_UNKNOWN, auth_request);
        return;
    }

    auth_request_set_field(auth_request, "user", pw.pw_name, NULL);

    auth_request_set_userdb_field(auth_request, "system_groups_user",
                      pw.pw_name);
    auth_request_set_userdb_field(auth_request, "uid", dec2str(pw.pw_uid));
    auth_request_set_userdb_field(auth_request, "gid", dec2str(pw.pw_gid));
    auth_request_set_userdb_field(auth_request, "home", pw.pw_dir);

    if (userdb_template_export(module->tmpl, auth_request, &error) < 0) {
        auth_request_log_error(auth_request, AUTH_SUBSYS_DB,
                       "Failed to expand template: %s", error);
        callback(USERDB_RESULT_INTERNAL_FAILURE, auth_request);
    }

    callback(USERDB_RESULT_OK, auth_request);
}

static struct userdb_iterate_context *
passwd_iterate_init(struct auth_request *auth_request,
            userdb_iter_callback_t *callback, void *context)
{
    struct passwd_userdb_iterate_context *ctx;

    ctx = i_new(struct passwd_userdb_iterate_context, 1);
    ctx->ctx.auth_request = auth_request;
    ctx->ctx.callback = callback;
    ctx->ctx.context = context;
    setpwent();

    if (cur_userdb_iter == NULL)
        cur_userdb_iter = ctx;
    return &ctx->ctx;
}

static bool
passwd_iterate_want_pw(struct passwd *pw, const struct auth_settings *set)
{
    /* skip entries not in valid UID range.
       they're users for daemons and such. */
    if (pw->pw_uid < (uid_t)set->first_valid_uid)
        return FALSE;
    if (pw->pw_uid > (uid_t)set->last_valid_uid && set->last_valid_uid != 0)
        return FALSE;
    if (pw->pw_gid < (gid_t)set->first_valid_gid)
        return FALSE;
    if (pw->pw_gid > (gid_t)set->last_valid_gid && set->last_valid_gid != 0)
        return FALSE;
    return TRUE;
}

static void passwd_iterate_next(struct userdb_iterate_context *_ctx)
{
    struct passwd_userdb_iterate_context *ctx =
        (struct passwd_userdb_iterate_context *)_ctx;
    const struct auth_settings *set = _ctx->auth_request->set;
    struct passwd *pw;

    if (cur_userdb_iter != NULL && cur_userdb_iter != ctx) {
        /* we can't support concurrent userdb iteration.
           wait until the previous one is done */
        ctx->next_waiting = cur_userdb_iter->next_waiting;
        cur_userdb_iter->next_waiting = ctx;
        return;
    }

    errno = 0;
    while ((pw = getpwent()) != NULL) {
        if (passwd_iterate_want_pw(pw, set)) {
            _ctx->callback(pw->pw_name, _ctx->context);
            return;
        }
    }
    if (errno != 0) {
        i_error("getpwent() failed: %m");
        _ctx->failed = TRUE;
    }
    _ctx->callback(NULL, _ctx->context);
}

static void ATTR_NULL(1)
passwd_iterate_next_timeout(void *context ATTR_UNUSED)
{
    timeout_remove(&cur_userdb_iter_to);
    passwd_iterate_next(&cur_userdb_iter->ctx);
}

static int passwd_iterate_deinit(struct userdb_iterate_context *_ctx)
{
    struct passwd_userdb_iterate_context *ctx =
        (struct passwd_userdb_iterate_context *)_ctx;
    int ret = _ctx->failed ? -1 : 0;

    cur_userdb_iter = ctx->next_waiting;
    i_free(ctx);

    if (cur_userdb_iter != NULL) {
        cur_userdb_iter_to = timeout_add(0, passwd_iterate_next_timeout,
                         (void *)NULL);
    }
    return ret;
}

static struct userdb_module *
passwd_passwd_preinit(pool_t pool, const char *args)
{
    struct passwd_userdb_module *module;
    const char *value;

    module = p_new(pool, struct passwd_userdb_module, 1);
    module->module.default_cache_key = USER_CACHE_KEY;
    module->tmpl = userdb_template_build(pool, "passwd", args);
    module->module.blocking = TRUE;

    if (userdb_template_remove(module->tmpl, "blocking", &value))
        module->module.blocking = strcasecmp(value, "yes") == 0;
    /* FIXME: backwards compatibility */
    if (!userdb_template_is_empty(module->tmpl))
        i_warning("userdb passwd: Move templates args to override_fields setting");
    return &module->module;
}

struct userdb_module_interface userdb_passwd = {
    "passwd",

    passwd_passwd_preinit,
    NULL,
    NULL,

    passwd_lookup,

    passwd_iterate_init,
    passwd_iterate_next,
    passwd_iterate_deinit
};
#else
struct userdb_module_interface userdb_passwd = {
    .name = "passwd"
};
#endif