[tpop3d-discuss] auth_flatfile woes
Jim Hague
jim.hague at acm.org
Mon, 23 Feb 2004 17:06:11 -0000 (GMT)
I came across tpop3 last night while looking for a POP3 daemon to serve a tiny
virtual mail hosting (potentially two virtual domains with tens of users each).

I'm using 1.5.3 with flatfile authorisation on Debian stable. I found what I
think are a couple of problems which appear to still be extant in CVS:

1. The username in the file is only ever compared against the local part of the
   POP3 username, even if the POP3 username includes a domain. I presume the
   file and POP3 usernames should be compared in full; I'm assuming that the
   higher level code will add the domain onto the POP3 username if retry with
   domain on fail is specified.
2. read_user_password returns the last hash in the file if none of the usernames
   match. It should return NULL.

A quick patch is attached. HIH.

--
Jim Hague - jim.hague@acm.org Never trust a computer you can't lift.

Attachment: authfile.patch

Index: auth_flatfile.c
===================================================================
RCS file: /home/chris/vcvs/repos/tpop3d/auth_flatfile.c,v
retrieving revision 1.2
diff -u -r1.2 auth_flatfile.c
--- auth_flatfile.c 17 Feb 2003 23:18:32 -0000 1.2
+++ auth_flatfile.c 23 Feb 2004 16:56:50 -0000
@@ -79,14 +79,15 @@
return ret;
}
-/* read_user_passwd LOCALPART DOMAIN
- * Read the password hash from the proper flat file for the given LOCALPART and
+/* read_user_passwd USER DOMAIN
+ * Read the password hash from the proper flat file for the given USER and
* DOMAIN. Returns the password or NULL if not found. The files are structured
* with colon-separated fields, where the first field is the local-part and the
* second field to the password hash. Any subsequent fields are ignored. */
-static char *read_user_passwd(const char *local_part, const char *domain) {
+static char *read_user_passwd(const char *username, const char *domain) {
FILE *fp = NULL;
char *filename = NULL;
+ char *result = NULL;
struct sverr err;
static char *buf, *pwhash;
static size_t buflen;
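Review bot: the unchanged comment line "with colon-separated fields, where the first field is the local-part" no longer matches the renamed USER argument; update it to say the first field is compared against the full username passed in. With the return value now carried in the new "result" local, consider also dropping "pwhash" from the static declaration it shares with "buf", so that no parse pointer survives from one call to the next.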
@@ -143,12 +144,14 @@
*pwhash++ = 0;
/* Check username. */
- if (strcmp(user, local_part) != 0)
+ if (strcmp(user, username) != 0)
continue;
if ((end = strchr(pwhash, ':')))
*end = 0;
+ result = pwhash;
+
break;
}
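Review bot: the comparison at "if (strcmp(user, username) != 0)" is now an exact, case-sensitive match on the whole POP3 username, domain included when the client sends one, so entries that differ only in the case of the domain will not match. If that is intended, state it in the description of the file format; otherwise compare the domain part case-insensitively. Setting "result" only after the match and after the ':' truncation is the right place for it.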
@@ -159,7 +162,7 @@
if (filename)
xfree(filename);
- return pwhash;
+ return result;
}
/* auth_flatfile_new_user_pass:
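Review bot: add a regression test to go with "return result;" that looks up a name absent from the file and expects NULL, since with "return pwhash;" a caller asking for an unknown user received the hash parsed from the last line read and went on to check the supplied password against it. The function comment should also say how long the returned pointer stays valid, given that "buf" is declared static.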
@@ -173,7 +176,7 @@
who = username_string(user, local_part, domain);
- pwhash = read_user_passwd(local_part, domain);
+ pwhash = read_user_passwd(user, domain);
if (pwhash) {
if (check_password(who, pwhash, pass, "{crypt}"))
a = authcontext_new(virtual_uid, virtual_gid, NULL, NULL, NULL);
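Review bot: passing "user" instead of "local_part" to read_user_passwd changes which entries match on existing installations: a file keyed by bare local-parts will stop authenticating clients that log in with a domain in the username. That needs a note in the documentation or changelog, or a second lookup on "local_part" when the first returns NULL. The change also relies on "user" already carrying the domain when the retry-with-domain option applies, which the message describes as an assumption; confirm it in the calling code before applying.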
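
Problem 2 from the message, reduced to a stand-alone C sketch. This is an added example, not code from tpop3d or from the patch: lookup(), SAMPLE, the buggy flag and the addresses are assumptions made for illustration, and the file is read from a string instead of from disk.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample file: "user:hash[:ignored fields]" per line. */
static const char SAMPLE[] =
    "alice@example.org:{crypt}aaHASHa:extra\n"
    "bob@example.org:{crypt}bbHASHb\n";

/* Hypothetical stand-in for the lookup, reading from a string, not a file.
 * buggy != 0 returns the parse pointer, as the pre-patch code did. */
static const char *lookup(const char *text, const char *username, int buggy) {
    static char line[256];
    static char *pwhash;            /* keeps its value between iterations */
    char *result = NULL, *end;
    const char *p = text;

    while (*p) {
        size_t n = strcspn(p, "\n");
        const char *next = p + n + (p[n] == '\n');
        if (n >= sizeof line) { p = next; continue; }  /* skip overlong line */
        memcpy(line, p, n);
        line[n] = 0;
        p = next;

        if (!(pwhash = strchr(line, ':')))
            continue;               /* malformed line: no hash field */
        *pwhash++ = 0;
        if (strcmp(line, username) != 0)
            continue;               /* no match, but pwhash is already set */
        if ((end = strchr(pwhash, ':')))
            *end = 0;               /* drop fields after the hash */
        result = pwhash;
        break;
    }
    return buggy ? pwhash : result;
}

int main(void) {
    const char *who = "mallory@example.org";   /* constructed; not in SAMPLE */
    const char *h = lookup(SAMPLE, who, 1);
    printf("pre-patch : %s\n", h ? h : "(none)");
    h = lookup(SAMPLE, who, 0);
    printf("post-patch: %s\n", h ? h : "(none)");
    return 0;
}
```

With the pre-patch return, the unknown user is handed the hash of the last entry in the file, so the password check that follows runs against another account's hash.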