mail-storage-service.c revision 1959accd3886d99efccd9f98247f21e8fd54da66
/* Copyright (c) 2009-2015 Dovecot authors, see the included COPYING file */
#include "lib.h"
#include "ioloop.h"
#include "array.h"
#include "base64.h"
#include "hostpid.h"
#include "module-dir.h"
#include "restrict-access.h"
#include "eacces-error.h"
#include "ipwd.h"
#include "str.h"
#include "var-expand.h"
#include "dict.h"
#include "settings-parser.h"
#include "auth-master.h"
#include "master-service-private.h"
#include "master-service-settings.h"
#include "master-service-settings-cache.h"
#include "mail-user.h"
#include "mail-namespace.h"
#include "mail-storage.h"
#include "mail-storage-service.h"
#ifdef HAVE_SYS_TIME_H
#endif
#ifdef HAVE_SYS_RESOURCE_H
# include <sys/resource.h>
#endif
/* If time moves backwards more than this, kill ourself instead of sleeping. */
#define MAX_TIME_BACKWARDS_SLEEP 5
#define MAX_NOWARN_FORWARD_SECS 10
#define ERRSTR_INVALID_USER_SETTINGS \
"Invalid user settings. Refer to server log for more information."
struct mail_storage_service_privileges {
const char *uid_source, *gid_source;
const char *home;
const char *chroot;
};
struct mail_storage_service_ctx {
struct master_service *service;
const char *default_log_prefix;
struct auth_master_user_list_ctx *auth_list;
const struct setting_parser_info **set_roots;
const char *set_cache_module, *set_cache_service;
struct master_service_settings_cache *set_cache;
const char *const **userdb_next_fieldsp;
unsigned int debug:1;
unsigned int log_initialized:1;
unsigned int config_permission_denied:1;
};
struct mail_storage_service_user {
struct mail_storage_service_ctx *service_ctx;
struct mail_storage_service_input input;
struct ioloop_context *ioloop_ctx;
const struct mail_user_settings *user_set;
const struct setting_parser_info *user_info;
struct setting_parser_context *set_parser;
unsigned int anonymous:1;
unsigned int admin:1;
};
static void
struct mail_storage_service_user *user,
const struct mail_storage_service_input *input,
const struct mail_storage_service_privileges *priv);
static bool
const struct mail_user_settings *user_set)
{
const struct mail_storage_settings *mail_set;
return mail_set->mail_debug;
}
struct mail_storage_service_user *user,
{
const char *str;
/* this setting was already overridden with -o parameter */
i_debug("Ignoring overridden (-o) userdb setting: %s",
key);
}
return;
}
}
}
struct mail_storage_service_user *user,
const char *line)
{
bool mail_debug;
unsigned int len;
int ret;
/* key+=value */
}
/* assume it's a plugin setting */
}
/* this setting was already overridden with -o parameter */
if (mail_debug) {
i_debug("Ignoring overridden (-o) userdb setting: %s",
key);
}
return 1;
}
if (append_value != NULL) {
const void *value;
enum setting_type type;
} else {
i_error("Ignoring %s userdb setting. "
"'+' can only be used for strings.", orig_key);
}
}
if (mail_debug && ret >= 0) {
/* possibly a password field (e.g. imapc_password).
hide the value. */
}
"Unknown userdb setting: %s" :
"Added userdb setting: %s", line);
}
return ret;
}
const char *dir)
{
const char *const *chroot_dirs;
if (*dir == '\0')
return FALSE;
return FALSE;
while (*chroot_dirs != NULL) {
if (**chroot_dirs != '\0' &&
return TRUE;
chroot_dirs++;
}
return FALSE;
}
static int
struct mail_storage_service_user *user,
const struct auth_user_reply *reply,
const char **error_r)
{
unsigned int i, count;
int ret = 0;
*error_r = "userdb returned 0 as uid";
return -1;
}
}
}
/* wu-ftpd like <chroot>/./<home> - check only if there's even
a possibility of using them (non-empty valid_chroot_dirs) */
home = p + 2;
}
"userdb returned invalid chroot directory: %s "
"(see valid_chroot_dirs setting)", chroot);
return -1;
}
}
for (i = 0; i < count; i++) {
#ifdef HAVE_SETPRIORITY
int n;
i_error("userdb returned invalid nice value %s",
line + 5);
} else if (n != 0) {
if (setpriority(PRIO_PROCESS, 0, n) < 0)
i_error("setpriority(%d) failed: %m", n);
}
#endif
} else T_BEGIN {
} T_END;
if (ret < 0)
break;
}
if (ret < 0) {
}
return ret;
}
static int
const struct mail_storage_service_input *input,
const char *const **fields_r,
const char **error_r)
{
struct auth_user_info info;
const char *new_username;
int ret;
&new_username, fields_r);
if (ret > 0) {
}
*user = new_username;
} else if (ret == 0)
*error_r = "Unknown user";
ret = -2;
} else {
}
return ret;
}
{
return TRUE;
case -1:
return FALSE;
case 0:
return FALSE;
default:
return TRUE;
}
}
{
return TRUE;
case -1:
return FALSE;
case 0:
return FALSE;
default:
return TRUE;
}
}
static const struct var_expand_table *
struct mail_storage_service_user *user,
const struct mail_storage_service_input *input,
const struct mail_storage_service_privileges *priv)
{
static struct var_expand_table static_tab[] = {
};
struct var_expand_table *tab;
} else {
}
return tab;
}
const struct var_expand_table *
struct mail_storage_service_input *input)
{
struct mail_storage_service_privileges priv;
}
static const char *
struct mail_storage_service_user *user,
struct mail_storage_service_privileges *priv,
const char *str)
{
if (*str == SETTING_STRVAR_EXPANDED[0])
return str + 1;
}
static int
struct mail_storage_service_user *user,
struct mail_storage_service_privileges *priv_r,
const char **error_r)
{
user->uid_source);
return -1;
}
(set->last_valid_uid != 0 &&
"Mail access for users with UID %s not permitted "
"(see first_valid_uid in config file, uid from %s).",
return -1;
}
}
user->gid_source);
return -1;
}
(set->last_valid_gid != 0 &&
"Mail access for users with GID %s not permitted "
"(see first_valid_gid in config file, gid from %s).",
return -1;
}
}
/* variable strings are expanded in mail_user_init(),
but we need the home and chroot sooner so do them separately here. */
return 0;
}
static void mail_storage_service_seteuid_root(void)
{
if (seteuid(0) < 0) {
i_fatal("mail-storage-service: "
"Failed to restore temporarily dropped root privileges: "
"seteuid(0) failed: %m");
}
}
static int
struct mail_storage_service_privileges *priv,
bool disallow_root, bool keep_setuid_root,
bool setenv_only, const char **error_r)
{
struct restrict_access_settings rset;
const char *cur_chroot, *error;
current_euid = geteuid();
disallow_root && current_euid == 0) {
*error_r = "User is missing UID (see mail_uid setting)";
return -1;
}
*error_r = "User is missing GID (see mail_gid setting)";
return -1;
}
&error)) {
"%s (in mail_privileged_group setting)", error);
return -1;
}
}
}
if (cur_chroot != NULL) {
/* we're already chrooted. make sure the chroots are equal. */
*error_r = "Process is already chrooted, "
"can't un-chroot for this user";
return -1;
}
"Process is already chrooted to %s, "
return -1;
}
/* chrooting to same directory where we're already chrooted */
}
if (disallow_root &&
*error_r = "Mail access not allowed for root";
return -1;
}
if (keep_setuid_root) {
if (current_euid != 0) {
/* we're changing the UID,
switch back to root first */
}
}
}
if (!setenv_only) {
} else {
}
if (setuid_uid != 0 && !setenv_only) {
if (seteuid(setuid_uid) < 0)
i_fatal("mail-storage-service: seteuid(%s) failed: %m",
}
return 0;
}
static int
struct mail_storage_service_user *user,
struct mail_storage_service_privileges *priv,
struct mail_user **mail_user_r,
const char **error_r)
{
const struct mail_storage_settings *mail_set;
/* NOTE: if more user initialization is added, add it also to
mail_user_dup() */
if (mail_set->mail_debug) {
}
/* we don't want to write core files to any users' home
directories since they could contain information about other
users' mails as well. so do no chdiring to home. */
} else if (*home != '\0' &&
/* If possible chdir to home directory, so that core file
could be written in case we crash. */
else if (mail_set->mail_debug)
}
}
return -1;
}
return -1;
}
}
*mail_user_r = mail_user;
return 0;
}
{
}
{
}
{
}
static const char *
{
const char *field_name = data;
unsigned int i, field_name_len;
return NULL;
field_name_len) == 0 &&
}
return NULL;
}
static void
struct mail_storage_service_user *user,
const struct mail_storage_service_input *input,
const struct mail_storage_service_privileges *priv)
{
static const struct var_expand_func_table func_table[] = {
{ "userdb", mail_storage_service_input_var_userdb },
};
func_table, user);
}
static void
struct mail_storage_service_user *user,
struct mail_storage_service_privileges *priv)
{
T_BEGIN {
} T_END;
user);
}
{
if (diff > 0) {
if (diff > MAX_NOWARN_FORWARD_SECS)
return;
}
if (diff > MAX_TIME_BACKWARDS_SLEEP) {
i_fatal("Time just moved backwards by %ld seconds. "
"This might cause a lot of problems, "
"so I'll just kill myself now. "
} else {
i_error("Time just moved backwards by %ld seconds. "
"I'll sleep now until we're back in present. "
/* Sleep extra second to make sure usecs also grows. */
diff++;
/* don't use sleep()'s return value, because
it could get us to a long loop in case
interrupts just keep coming */
}
}
}
struct mail_storage_service_ctx *
const struct setting_parser_info *set_roots[],
{
struct mail_storage_service_ctx *ctx;
const char *version;
unsigned int count;
i_fatal("Version mismatch: libdovecot-storage.so is '%s', "
"while the running Dovecot binary is '%s'",
}
if ((flags & MAIL_STORAGE_SERVICE_FLAG_TEMP_PRIV_DROP) != 0 &&
geteuid() != 0) {
/* service { user } isn't root. the permission drop can't be
temporary. */
}
(void)umask(0077);
/* @UNSAFE */
count = 0;
else
}
/* do all the global initialization. delay initializing plugins until
we drop privileges the first time. */
if ((flags & MAIL_STORAGE_SERVICE_FLAG_NO_LOG_INIT) == 0) {
/* note: we may not have read any settings yet, so this logging
may still be going to wrong location */
}
return ctx;
}
struct auth_master_connection *
{
}
static enum mail_storage_service_flags
const struct mail_storage_service_input *input)
{
if (input->no_userdb_lookup) {
/* FIXME: for API backwards compatibility only */
}
return flags;
}
const struct mail_storage_service_input *input,
const struct setting_parser_info **user_info_r,
const struct setting_parser_context **parser_r,
const char **error_r)
{
const struct setting_parser_info *const *roots;
const struct dynamic_settings_parser *dyn_parsers;
unsigned int i;
/* settings reader may exec doveconf, which is going to clear
environment, and if we're not doing a userdb lookup we want to
use $HOME */
(flags & MAIL_STORAGE_SERVICE_FLAG_USERDB_LOOKUP) == 0;
(flags & MAIL_STORAGE_SERVICE_FLAG_USE_SYSEXITS) != 0;
}
/* global settings read - don't create a cache for thi */
} else {
/* already looked up settings at least once.
we really shouldn't be execing anymore. */
}
"Error reading configuration: %s", *error_r);
return -1;
}
} else {
&set_output, error_r) < 0) {
"Error reading configuration: %s", *error_r);
return -1;
}
}
mail_user_setting_parser_info.module_name) == 0) {
*user_info_r = roots[i];
return 0;
}
}
i_unreached();
return -1;
}
struct auth_master_connection *conn)
{
}
static void
const struct setting_parser_info *user_info,
const struct mail_user_settings *user_set)
{
enum auth_master_flags flags = 0;
}
static int
const struct setting_parser_info *user_info,
const struct mail_user_settings *user_set,
const char **error_r)
{
struct module_dir_load_settings mod_set;
return 0;
return 0;
}
{
if (*p1 == '\0')
return 0;
}
if (*p1 == '=')
return -1;
if (*p2 == '=')
return 1;
}
static void
const struct mail_user_settings *user_set,
struct mail_storage_service_user *user,
const struct mail_storage_service_input *input,
const struct mail_storage_service_privileges *priv)
{
}
static const char *
{
/* remove the trailing "==" */
}
static int
const struct mail_storage_service_input *input,
bool update_log_prefix,
struct mail_storage_service_user **user_r,
const char **error_r)
{
struct mail_storage_service_user *user;
const struct setting_parser_info *user_info;
const struct mail_user_settings *user_set;
const char *const *userdb_fields, *error;
struct auth_user_reply reply;
const struct setting_parser_context *set_parser;
void **sets;
int ret = 1;
if ((flags & MAIL_STORAGE_SERVICE_FLAG_TEMP_PRIV_DROP) != 0 &&
geteuid() != 0) {
/* we dropped privileges only temporarily. switch back to root
before reading settings, so we'll definitely have enough
permissions to connect to the config socket. */
}
&user_info, &set_parser,
&error) < 0) {
if (ctx->config_permission_denied) {
/* just restart and maybe next time we will open the
config socket before dropping privileges */
}
return -1;
}
if ((flags & MAIL_STORAGE_SERVICE_FLAG_NO_LOG_INIT) == 0 &&
!ctx->log_initialized) {
/* initialize logging again, in case we only read the
settings for the first above */
}
if (update_log_prefix)
/* load global plugins */
return -1;
}
else {
}
if ((flags & MAIL_STORAGE_SERVICE_FLAG_USERDB_LOOKUP) != 0) {
error_r);
if (ret <= 0) {
return ret;
}
} else {
}
}
user->set_parser);
if ((flags & MAIL_STORAGE_SERVICE_FLAG_DEBUG) != 0)
if ((flags & MAIL_STORAGE_SERVICE_FLAG_USERDB_LOOKUP) == 0) {
}
if (userdb_fields != NULL) {
ret = -2;
}
}
/* load per-user plugins */
if (ret > 0) {
&error) < 0) {
ret = -2;
}
}
return ret;
}
const struct mail_storage_service_input *input,
struct mail_storage_service_user **user_r,
const char **error_r)
{
bool update_log_prefix;
int ret;
/* no user yet. log prefix should be just "imap:" or something
equally unhelpful. we don't know the proper log format yet,
but initialize it to something better until we know it. */
const char *session_id =
i_set_failure_prefix("%s(%s%s,%s)",
} else {
/* we might be here because we're doing a user lookup for a
shared user. the log prefix is likely already usable, so
just append our own without replacing the whole thing. */
i_set_failure_prefix("%suser-lookup(%s)",
}
return ret;
}
{
*userdb_fields_r = NULL;
}
static int
struct mail_storage_service_user *user,
struct mail_user **mail_user_r)
{
struct mail_storage_service_privileges priv;
const char *error;
unsigned int len;
bool disallow_root =
bool temp_priv_drop =
bool use_chroot;
return -2;
}
i_error("Relative home directory paths not supported: %s",
return -2;
}
/* we can't chroot if we want to switch between users. there's
not much point either (from security point of view). but if we're
already chrooted, we'll just have to continue and hope that the
current chroot is the same as the wanted chroot */
use_chroot = !temp_priv_drop ||
/* mail_chroot = /chroot/. means that the home dir already
contains the chroot dir. remove it from home. */
if (use_chroot) {
}
} else if (len > 0 && !use_chroot) {
/* we're not going to chroot. fix home directory so we can
access it. */
else
}
/* create ioloop context regardless of logging. it's also used by
stats plugin. */
return -1;
}
if (!temp_priv_drop ||
}
/* privileges are dropped. initialize plugins that haven't been
initialized yet. */
mail_user_r, &error) < 0) {
return -2;
}
return 0;
}
struct mail_storage_service_user *user,
struct mail_user **mail_user_r)
{
int ret;
return ret;
}
struct mail_storage_service_user *user)
{
struct mail_storage_service_privileges priv;
const char *error;
}
const struct mail_storage_service_input *input,
struct mail_storage_service_user **user_r,
struct mail_user **mail_user_r,
const char **error_r)
{
struct mail_storage_service_user *user;
int ret;
if (ret <= 0)
return ret;
if (ret < 0) {
return ret;
}
return 1;
}
{
}
}
}
const struct mail_storage_service_input *input)
{
const struct setting_parser_info *user_info;
const struct mail_user_settings *user_set;
const struct setting_parser_context *set_parser;
const char *error;
void **sets;
return;
&user_info, &set_parser,
&error) < 0)
}
static int
{
int ret = 0;
}
return ret;
}
{
enum auth_master_flags flags = 0;
/* create a new connection, because the iteration might take a while
and we might want to do USER lookups during it, which don't mix
well in the same connection. */
flags);
}
const char **username_r)
{
if (*username_r != NULL)
return 1;
return mail_storage_service_all_iter_deinit(ctx);
}
{
}
}
{
user->set_parser);
}
const struct mail_storage_settings *
{
}
const struct mail_storage_service_input *
{
}
struct setting_parser_context *
{
return user->set_parser;
}
struct mail_storage_service_ctx *
{
return user->service_ctx;
}
{
T_BEGIN {
} T_END;
return set;
}