[tpop3d-discuss] auth_flatfile woes

Jim Hague jim.hague at acm.org
Mon, 23 Feb 2004 17:06:11 -0000 (GMT)



I came across tpop3d last night while looking for a POP3 daemon to serve a tiny
virtual mail hosting (potentially two virtual domains with tens of users each).

I'm using 1.5.3 with flatfile authorisation on Debian stable. I found what I
think are a couple of problems which appear to still be extant in CVS:

1. The username in the file is only ever compared against the local part of the
   POP3 username, even if the POP3 username includes a domain. I presume the
   file and POP3 usernames should be compared in full; I'm assuming that the
   higher level code will add the domain onto the POP3 username if retry with
   domain on fail is specified.
2. read_user_passwd returns the last hash in the file if none of the usernames
   match. It should return NULL.

A quick patch is attached. HIH.

-- 
Jim Hague - jim.hague@acm.org          Never trust a computer you can't lift.

Attachment: authfile.patch

Index: auth_flatfile.c
===================================================================
RCS file: /home/chris/vcvs/repos/tpop3d/auth_flatfile.c,v
retrieving revision 1.2
diff -u -r1.2 auth_flatfile.c
--- auth_flatfile.c	17 Feb 2003 23:18:32 -0000	1.2
+++ auth_flatfile.c	23 Feb 2004 16:56:50 -0000
@@ -79,14 +79,15 @@
     return ret;
 }
 
-/* read_user_passwd LOCALPART DOMAIN
- * Read the password hash from the proper flat file for the given LOCALPART and
+/* read_user_passwd USER DOMAIN
+ * Read the password hash from the proper flat file for the given USER and
  * DOMAIN. Returns the password or NULL if not found. The files are structured
  * with colon-separated fields, where the first field is the local-part and the
  * second field to the password hash. Any subsequent fields are ignored. */
-static char *read_user_passwd(const char *local_part, const char *domain) {
+static char *read_user_passwd(const char *username, const char *domain) {
     FILE *fp = NULL;
     char *filename = NULL;
+    char *result = NULL;
     struct sverr err;
     static char *buf, *pwhash;
     static size_t buflen;
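
Review bot: The header comment is only half updated. Its first two lines now say USER, but the unchanged line below them still reads "the first field is the local-part", which no longer describes what the function compares against. Please reword that line to say the first field is the username as the client gave it, including the domain when one was sent.
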
@@ -143,12 +144,14 @@
         *pwhash++ = 0;
 
         /* Check username. */
-        if (strcmp(user, local_part) != 0)
+        if (strcmp(user, username) != 0)
             continue;
 
         if ((end = strchr(pwhash, ':')))
             *end = 0;
 
+        result = pwhash;
+
         break;
     }
     
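
Review bot: `pwhash` is still advanced for every line before the username check (the `*pwhash++ = 0;` at the top of this hunk), so after `continue` it keeps pointing at a non-matching entry's hash. Setting `result` only on a match fixes the return value, but `pwhash` remains function-scoped and `static`; declaring it as a plain local inside the loop would keep later code from reaching a non-matching hash again. Separately, `strcmp(user, username)` now compares the domain part case-sensitively whenever the POP3 username carries one. If that is not intended, compare the domain case-insensitively or state the requirement in the file format documentation.
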
@@ -159,7 +162,7 @@
     if (filename)
         xfree(filename);
 
-    return pwhash;
+    return result;
 }
 
 /* auth_flatfile_new_user_pass:
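
Review bot: `return result;` here, together with the `result` declaration and assignment in the earlier hunks, is independent of the username matching change and is the security-relevant part of the patch. Per the report, an unknown username previously got the last hash in the file back, so the caller's `if (pwhash)` test succeeded and `check_password` ran against another entry's hash. I would split this into its own patch so it can be applied without the matching behaviour change, and mention it in the changelog.
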
@@ -173,7 +176,7 @@
     
     who = username_string(user, local_part, domain);
 
-    pwhash = read_user_passwd(local_part, domain);
+    pwhash = read_user_passwd(user, domain);
     if (pwhash) {
         if (check_password(who, pwhash, pass, "{crypt}"))
             a = authcontext_new(virtual_uid, virtual_gid, NULL, NULL, NULL);
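
Review bot: Passing `user` instead of `local_part` changes which entries match on existing installations. The function already takes `domain` to pick "the proper flat file", so files written with bare local parts will stop matching any client that logs in with a domain in the POP3 username. Either try `user` first and fall back to `local_part`, or document the new file format requirement; `local_part` is still in scope here, since `username_string` uses it just above.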
