/* Copyright (c) 2005-2009 Dovecot authors, see the included COPYING file */
5ce2084ada06ade9f44fc2914c34658e9a842dc1Timo Sirainen
08d6658a4e2ec8104cd1307f6baa75fdb07a24f8Mark Washenberger#include "common.h"
16f816d3f3c32ae3351834253f52ddd0212bcbf3Timo Sirainen#include "settings-parser.h"
6789ed17e7ca4021713507baf0dcf6979bb42e0cTimo Sirainen#include "master-service-settings.h"
5ce2084ada06ade9f44fc2914c34658e9a842dc1Timo Sirainen#include "login-settings.h"
5ce2084ada06ade9f44fc2914c34658e9a842dc1Timo Sirainen
5ce2084ada06ade9f44fc2914c34658e9a842dc1Timo Sirainen#include <stddef.h>
5ce2084ada06ade9f44fc2914c34658e9a842dc1Timo Sirainen#include <unistd.h>
5ce2084ada06ade9f44fc2914c34658e9a842dc1Timo Sirainen
/* Forward declaration: login_setting_parser_info below names this check
   function before its definition further down in this file. */
static bool login_settings_check(void *_set, pool_t pool, const char **error_r);
923eb3dde28e4d8841c14fd6b4a69635b7070c3eTimo Sirainen
#undef DEF
/* Builds one setting_define entry for a field of struct login_settings:
   the parser type, the field name used as the config key, and the field's
   byte offset inside the struct (the trailing NULL is the list pointer). */
#define DEF(type, name) \
	{ type, #name, offsetof(struct login_settings, name), NULL }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
/* Every setting the login process understands, with its parser type.
   The order here is only cosmetic; values are found by field offset. */
static struct setting_define login_setting_defines[] = {
	/* process / logging */
	DEF(SET_BOOL, login_chroot),
	DEF(SET_STR, login_trusted_networks),
	DEF(SET_STR, login_greeting),
	DEF(SET_STR, login_log_format_elements),
	DEF(SET_STR, login_log_format),

	DEF(SET_BOOL, login_process_per_connection),
	DEF(SET_STR, capability_string),

	/* TLS: ssl is an enum (see the default below for the accepted values);
	   ssl_key_password is a credential, not an ordinary string. */
	DEF(SET_ENUM, ssl),
	DEF(SET_STR, ssl_ca_file),
	DEF(SET_STR, ssl_cert_file),
	DEF(SET_STR, ssl_key_file),
	DEF(SET_STR, ssl_key_password),
	DEF(SET_STR, ssl_parameters_file),
	DEF(SET_STR, ssl_cipher_list),
	DEF(SET_STR, ssl_cert_username_field),
	DEF(SET_BOOL, ssl_verify_client_cert),
	DEF(SET_BOOL, ssl_require_client_cert),
	DEF(SET_BOOL, ssl_username_from_cert),
	DEF(SET_BOOL, verbose_ssl),

	/* authentication */
	DEF(SET_BOOL, disable_plaintext_auth),
	DEF(SET_BOOL, verbose_auth),
	DEF(SET_BOOL, auth_debug),
	DEF(SET_BOOL, verbose_proctitle),

	/* connection limits */
	DEF(SET_UINT, login_max_connections),
	DEF(SET_UINT, mail_max_userip_connections),

	SETTING_DEFINE_LIST_END
};
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
/* Built-in defaults, used when the config file does not set a value.
   Note the secure-by-default choices: chroot on, plaintext auth disabled,
   client certificate verification off unless explicitly enabled. */
static struct login_settings login_default_settings = {
	MEMBER(login_chroot) TRUE,
	MEMBER(login_trusted_networks) "",
	MEMBER(login_greeting) PACKAGE" ready.",
	MEMBER(login_log_format_elements) "user=<%u> method=%m rip=%r lip=%l %c",
	MEMBER(login_log_format) "%$: %s",

	MEMBER(login_process_per_connection) TRUE,
	MEMBER(capability_string) NULL,

	/* SET_ENUM value list; presumably the first entry ("yes") is the
	   default and the rest are the accepted alternatives -- confirm
	   against settings-parser. login_settings_check() only accepts
	   "no", "yes" and "required". */
	MEMBER(ssl) "yes:no:required",
	MEMBER(ssl_ca_file) "",
	MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
	MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
	MEMBER(ssl_key_password) "",
	MEMBER(ssl_parameters_file) "ssl-parameters.dat",
	/* OpenSSL-style cipher list string */
	MEMBER(ssl_cipher_list) "ALL:!LOW:!SSLv2",
	MEMBER(ssl_cert_username_field) "commonName",
	MEMBER(ssl_verify_client_cert) FALSE,
	MEMBER(ssl_require_client_cert) FALSE,
	MEMBER(ssl_username_from_cert) FALSE,
	MEMBER(verbose_ssl) FALSE,

	MEMBER(disable_plaintext_auth) TRUE,
	MEMBER(verbose_auth) FALSE,
	MEMBER(auth_debug) FALSE,
	MEMBER(verbose_proctitle) FALSE,

	/* login_settings_check() rejects login_max_connections < 1 */
	MEMBER(login_max_connections) 256,
	MEMBER(mail_max_userip_connections) 10
};
51cbc45fc1ac5dde29bc2adbb175945df1b4f7d4Timo Sirainen
/* Parser description handed to master-service: ties the define list, the
   defaults and the post-parse check function together. Exported because
   login_settings_read() passes it as a settings root. */
struct setting_parser_info login_setting_parser_info = {
	MEMBER(defines) login_setting_defines,
	MEMBER(defaults) &login_default_settings,

	MEMBER(parent) NULL,
	MEMBER(dynamic_parsers) NULL,

	/* (size_t)-1 presumably means "no such field" -- verify against
	   settings-parser */
	MEMBER(parent_offset) (size_t)-1,
	MEMBER(type_offset) (size_t)-1,
	MEMBER(struct_size) sizeof(struct login_settings),
	/* validates and normalizes the parsed struct; see below */
	MEMBER(check_func) login_settings_check
};
51cbc45fc1ac5dde29bc2adbb175945df1b4f7d4Timo Sirainen
/* <settings checks> */
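/* Validates the TLS-related settings once ssl is enabled ("yes" or
   "required").  Without HAVE_SSL any enabled value is an error.  With it,
   ssl_cert_file and ssl_key_file must be set, ssl_ca_file must be set when
   client certificates are verified, and (outside the config binary) the
   named files must be readable.

   _set is the struct login_settings being checked (it is used in every
   branch, so it is not marked unused).  Returns TRUE on success; on
   failure stores a message in *error_r and returns FALSE.  The return
   type is bool to match login_settings_check(), the only caller. */
static bool ssl_settings_check(void *_set, const char **error_r)
{
	struct login_settings *set = _set;

#ifndef HAVE_SSL
	*error_r = t_strdup_printf("SSL support not compiled in but ssl=%s",
				   set->ssl);
	return FALSE;
#else
	if (*set->ssl_cert_file == '\0') {
		*error_r = "ssl_cert_file not set";
		return FALSE;
	}
	if (*set->ssl_key_file == '\0') {
		*error_r = "ssl_key_file not set";
		return FALSE;
	}
	/* verification is meaningless without a CA to verify against */
	if (set->ssl_verify_client_cert && *set->ssl_ca_file == '\0') {
		*error_r = "ssl_verify_client_cert set, but ssl_ca_file not";
		return FALSE;
	}

#ifndef CONFIG_BINARY
	/* Early sanity checks only: access() tests readability for the real
	   uid at config-check time, so the file can still be unreadable (or
	   replaced) when it is actually opened later.  "%m" expands errno. */
	if (access(set->ssl_cert_file, R_OK) < 0) {
		*error_r = t_strdup_printf("ssl_cert_file: access(%s) failed: %m",
					   set->ssl_cert_file);
		return FALSE;
	}
	if (access(set->ssl_key_file, R_OK) < 0) {
		*error_r = t_strdup_printf("ssl_key_file: access(%s) failed: %m",
					   set->ssl_key_file);
		return FALSE;
	}
	/* ssl_ca_file is optional unless client certs are verified (above) */
	if (*set->ssl_ca_file != '\0' && access(set->ssl_ca_file, R_OK) < 0) {
		*error_r = t_strdup_printf("ssl_ca_file: access(%s) failed: %m",
					   set->ssl_ca_file);
		return FALSE;
	}
#endif
	return TRUE;
#endif
}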
d10a370b2614712d9cb6a1dd8625f62a071b6377Timo Sirainen
/* Post-parse check for struct login_settings.  Normalizes derived fields
   (the split log-format element list, implied client-cert verification,
   plaintext auth when TLS is mandatory), validates login_max_connections
   and the ssl value, and runs the TLS checks when ssl is not "no".
   Returns TRUE on success; on failure stores a message in *error_r and
   returns FALSE. */
static bool login_settings_check(void *_set, pool_t pool ATTR_UNUSED,
				 const char **error_r)
{
	struct login_settings *set = _set;
	bool ssl_required;

	/* NOTE(review): t_strsplit() allocates from the temporary data
	   stack; if the settings struct outlives the current frame this
	   pointer dangles.  The unused `pool` parameter looks like the
	   intended allocator -- confirm. */
	set->log_format_elements_split =
		t_strsplit(set->login_log_format_elements, " ");

	/* requiring (or reading the username from) a client cert only
	   makes sense if we also ask the client for one */
	if (set->ssl_require_client_cert || set->ssl_username_from_cert)
		set->ssl_verify_client_cert = TRUE;

	if (set->login_max_connections < 1) {
		*error_r = "login_max_connections must be at least 1";
		return FALSE;
	}

	/* ssl=no: nothing TLS-related to validate */
	if (strcmp(set->ssl, "no") == 0)
		return TRUE;

	ssl_required = strcmp(set->ssl, "required") == 0;
	if (!ssl_required && strcmp(set->ssl, "yes") != 0) {
		*error_r = t_strdup_printf("Unknown ssl setting value: %s",
					   set->ssl);
		return FALSE;
	}
	if (!ssl_settings_check(set, error_r))
		return FALSE;
	if (ssl_required) {
		/* TLS is mandatory, so plaintext auth must stay off */
		set->disable_plaintext_auth = TRUE;
	}
	return TRUE;
}
/* </settings checks> */
5ce2084ada06ade9f44fc2914c34658e9a842dc1Timo Sirainen
/* Reads the "login" module settings for this service through
   master-service and returns the parsed struct login_settings.  A read
   failure is fatal (i_fatal), so the return value is never NULL on
   return.  The returned struct is owned by the master-service settings
   machinery, not by the caller. */
struct login_settings *login_settings_read(struct master_service *service)
{
	static const struct setting_parser_info *set_roots[] = {
		&login_setting_parser_info,
		NULL
	};
	struct master_service_settings_input input;
	const char *errstr;
	void **all_sets;

	memset(&input, 0, sizeof(input));
	input.service = login_protocol;
	input.module = "login";
	input.roots = set_roots;

	if (master_service_settings_read(service, &input, &errstr) < 0)
		i_fatal("Error reading configuration: %s", errstr);

	/* set_roots has a single root, so presumably its settings come
	   back as the first element */
	all_sets = master_service_settings_get_others(service);
	return all_sets[0];
}
923eb3dde28e4d8841c14fd6b4a69635b7070c3eTimo Sirainen