thomas: server/imapd imapd.patch.group, NONE, 1.1 Makefile, 1.32, 1.33 kolab.patch, 1.33, 1.34
cvs at kolab.org
cvs at kolab.org
Tue Mar 11 16:58:37 CET 2008
Author: thomas
Update of /kolabrepository/server/imapd
In directory doto:/tmp/cvs-serv8014
Modified Files:
Makefile kolab.patch
Added Files:
imapd.patch.group
Log Message:
Fix kolab/issue2535 (group:distributionlist at example.com doesn't work for Cyrus IMAP ACLs)
Updated imapd.patch.group for imapd-2.3.11-20080101_kolab2
This should replace
patches/cyrus-imapd/cyrus-imapd-2.3.11/KOLAB_cyrus-imapd-2.3.11-_Groups.patch
--- NEW FILE: imapd.patch.group ---
diff -urN cyrus-imapd-2.3.11.orig/lib/auth_unix.c cyrus-imapd-2.3.11/lib/auth_unix.c
--- cyrus-imapd-2.3.11.orig/lib/auth_unix.c 2007-10-31 11:42:18.000000000 +0100
+++ cyrus-imapd-2.3.11/lib/auth_unix.c 2008-03-11 16:07:10.064783000 +0100
@@ -48,6 +48,7 @@
#include <stdlib.h>
#include <pwd.h>
#include <grp.h>
+#include <stdio.h>
#include <ctype.h>
#include <string.h>
@@ -55,6 +56,126 @@
#include "libcyr_cfg.h"
#include "xmalloc.h"
+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
+/*
+ * __getgrent.c - This file is part of the libc-8086/grp package for ELKS,
+ * Copyright (C) 1995, 1996 Nat Friedman <ndf at linux.mit.edu>.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with this library; if not, write to the Free
+ * Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ */
+
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+
+static struct group *__getgrent(int grp_fd, char *line_buff, char **members)
+{
+ short line_index;
+ short buff_size;
+ static struct group group;
+ register char *ptr;
+ char *field_begin;
+ short member_num;
+ char *endptr;
+ int line_len;
+
+ /* We use the restart label to handle malformatted lines */
+ restart:
+ line_index = 0;
+ buff_size = 256;
+
+ line_buff = realloc(line_buff, buff_size);
+ while (1) {
+ if ((line_len = read(grp_fd, line_buff + line_index,
+ buff_size - line_index)) <= 0) {
+ return NULL;
+ }
+ field_begin = strchr(line_buff, '\n');
+ if (field_begin != NULL) {
+ lseek(grp_fd,
+ (long) (1 + field_begin -
+ (line_len + line_index + line_buff)), SEEK_CUR);
+ *field_begin = '\0';
+ if (*line_buff == '#' || *line_buff == ' '
+ || *line_buff == '\n' || *line_buff == '\t')
+ goto restart;
+ break;
+ } else {
+ /* Allocate some more space */
+ line_index = buff_size;
+ buff_size += 256;
+ line_buff = realloc(line_buff, buff_size);
+ }
+ }
+
+ /* Now parse the line */
+ group.gr_name = line_buff;
+ ptr = strchr(line_buff, ':');
+ if (ptr == NULL)
+ goto restart;
+ *ptr++ = '\0';
+
+ group.gr_passwd = ptr;
+ ptr = strchr(ptr, ':');
+ if (ptr == NULL)
+ goto restart;
+ *ptr++ = '\0';
+
+ field_begin = ptr;
+ ptr = strchr(ptr, ':');
+ if (ptr == NULL)
+ goto restart;
+ *ptr++ = '\0';
+
+ group.gr_gid = (gid_t) strtoul(field_begin, &endptr, 10);
+ if (*endptr != '\0')
+ goto restart;
+
+ member_num = 0;
+ field_begin = ptr;
+
+ if (members != NULL)
+ free(members);
+ members = (char **) malloc((member_num + 1) * sizeof(char *));
+ for ( ; field_begin && *field_begin != '\0'; field_begin = ptr) {
+ if ((ptr = strchr(field_begin, ',')) != NULL)
+ *ptr++ = '\0';
+ members[member_num++] = field_begin;
+ members = (char **) realloc(members,
+ (member_num + 1) * sizeof(char *));
+ }
+ members[member_num] = NULL;
+
+ group.gr_mem = members;
+ return &group;
+}
+
+static char *line_buff = NULL;
+static char **members = NULL;
+
+struct group *fgetgrent(FILE *file)
+{
+ if (file == NULL) {
+ errno = EINTR;
+ return NULL;
+ }
+ return __getgrent(fileno(file), line_buff, members);
+}
+#endif /* __FreeBSD__ */
+
struct auth_state {
char userid[81];
char **group;
@@ -142,6 +263,25 @@
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
+static struct group* fgetgrnam(const char* name)
+{
+ struct group *grp;
+ FILE *groupfile;
+
+ groupfile = fopen("/etc/imapd.group", "r");
+ if (!groupfile) groupfile = fopen("/etc/group", "r");
+ if (groupfile) {
+ while ((grp = fgetgrent(groupfile))) {
+ if (strcmp(grp->gr_name, name) == 0) {
+ fclose(groupfile);
+ return grp;
+ }
+ }
+ }
+ if (groupfile) fclose(groupfile);
+ return NULL;
+}
+
/*
* Convert 'identifier' into canonical form.
* Returns a pointer to a static buffer containing the canonical form
@@ -177,7 +317,7 @@
*/
if (!strncmp(retbuf, "group:", 6)) {
- grp = getgrnam(retbuf+6);
+ grp = fgetgrnam(retbuf+6);
if (!grp) return 0;
strcpy(retbuf+6, grp->gr_name);
return retbuf;
@@ -223,11 +363,12 @@
struct auth_state *newstate;
struct passwd *pwd;
struct group *grp;
-#if defined(HAVE_GETGROUPLIST) && defined(__GLIBC__)
+#if 0 && defined(HAVE_GETGROUPLIST) && defined(__GLIBC__)
gid_t gid, *groupids = NULL;
int ret, ngroups = 10;
#else
char **mem;
+ FILE *groupfile;
#endif
identifier = mycanonifyid(identifier, 0);
@@ -245,7 +386,7 @@
pwd = getpwnam(identifier);
-#if defined(HAVE_GETGROUPLIST) && defined(__GLIBC__)
+#if 0 && defined(HAVE_GETGROUPLIST) && defined(__GLIBC__)
gid = pwd ? pwd->pw_gid : (gid_t) -1;
/* get the group ids */
@@ -283,20 +424,23 @@
if (groupids) free(groupids);
#else /* !HAVE_GETGROUPLIST */
- setgrent();
- while ((grp = getgrent())) {
- for (mem = grp->gr_mem; *mem; mem++) {
- if (!strcmp(*mem, identifier)) break;
- }
-
- if (*mem || (pwd && pwd->pw_gid == grp->gr_gid)) {
- newstate->ngroups++;
- newstate->group = (char **)xrealloc((char *)newstate->group,
- newstate->ngroups * sizeof(char *));
- newstate->group[newstate->ngroups-1] = xstrdup(grp->gr_name);
- }
- }
- endgrent();
+ groupfile = fopen("/etc/imapd.group", "r");
+ if (!groupfile) groupfile = fopen("/etc/group", "r");
+ if (groupfile) {
+ while ((grp = fgetgrent(groupfile))) {
+ for (mem = grp->gr_mem; *mem; mem++) {
+ if (!strcmp(*mem, identifier)) break;
+ }
+
+ if (*mem || (pwd && pwd->pw_gid == grp->gr_gid)) {
+ newstate->ngroups++;
+ newstate->group = (char **)xrealloc((char *)newstate->group,
+ newstate->ngroups * sizeof(char *));
+ newstate->group[newstate->ngroups-1] = xstrdup(grp->gr_name);
+ }
+ }
+ fclose(groupfile);
+ }
#endif /* HAVE_GETGROUPLIST */
return newstate;
diff -urN cyrus-imapd-2.3.11.orig/lib/auth_unix.c.orig cyrus-imapd-2.3.11/lib/auth_unix.c.orig
--- cyrus-imapd-2.3.11.orig/lib/auth_unix.c.orig 1970-01-01 01:00:00.000000000 +0100
+++ cyrus-imapd-2.3.11/lib/auth_unix.c.orig 2007-10-31 11:42:18.000000000 +0100
@@ -0,0 +1,326 @@
+/* auth_unix.c -- Unix passwd file authorization
+ *
+ * Copyright (c) 1998-2003 Carnegie Mellon University. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. The name "Carnegie Mellon University" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For permission or any other legal
+ * details, please contact
+ * Office of Technology Transfer
+ * Carnegie Mellon University
+ * 5000 Forbes Avenue
+ * Pittsburgh, PA 15213-3890
+ * (412) 268-4387, fax: (412) 268-7395
+ * tech-transfer at andrew.cmu.edu
+ *
+ * 4. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by Computing Services
+ * at Carnegie Mellon University (http://www.cmu.edu/computing/)."
+ *
+ * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
+ * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ */
+
+/*
+ * $Id: imapd.patch.group,v 1.1 2008/03/11 15:58:35 thomas Exp $
+ */
+
+#include <config.h>
+#include <stdlib.h>
+#include <pwd.h>
+#include <grp.h>
+#include <ctype.h>
+#include <string.h>
+
+#include "auth.h"
+#include "libcyr_cfg.h"
+#include "xmalloc.h"
+
+struct auth_state {
+ char userid[81];
+ char **group;
+ int ngroups;
+};
+
+static struct auth_state auth_anonymous = {
+ "anonymous", 0, 0
+};
+
+/*
+ * Determine if the user is a member of 'identifier'
+ * Returns one of:
+ * 0 User does not match identifier
+ * 1 identifier matches everybody
+ * 2 User is in the group that is identifier
+ * 3 User is identifer
+ */
+static int mymemberof(auth_state, identifier)
+struct auth_state *auth_state;
+const char *identifier;
+{
+ int i;
+
+ if (!auth_state) auth_state = &auth_anonymous;
+
+ if (strcmp(identifier, "anyone") == 0) return 1;
+
+ if (strcmp(identifier, auth_state->userid) == 0) return 3;
+
+ if (strncmp(identifier, "group:", 6) != 0) return 0;
+
+ for (i=0; i<auth_state->ngroups; i++) {
+ if (strcmp(identifier+6, auth_state->group[i]) == 0) return 2;
+ }
+ return 0;
+}
+
+/* Map of which characters are allowed by auth_canonifyid.
+ * Key: 0 -> not allowed (special, ctrl, or would confuse Unix or imapd)
+ * 1 -> allowed, but requires an alpha somewhere else in the string
+ * 2 -> allowed, and is an alpha
+ *
+ * At least one character must be an alpha.
+ *
+ * This may not be restrictive enough.
+ * Here are the reasons for the restrictions:
+ *
+ * & forbidden because of MUTF-7. (This could be fixed.)
+ * : forbidden because it's special in /etc/passwd
+ * / forbidden because it can't be used in a mailbox name
+ * * % forbidden because they're IMAP magic in the LIST/LSUB commands
+ * ? it just scares me
+ * ctrl chars, DEL
+ * can't send them as IMAP characters in plain folder names, I think
+ * 80-FF forbidden because you can't send them in IMAP anyway
+ * (and they're forbidden as folder names). (This could be fixed.)
+ *
+ * + and - are *allowed* although '+' is probably used for userid+detail
+ * subaddressing and qmail users use '-' for subaddressing.
+ *
+ * Identifiers don't require a digit, really, so that should probably be
+ * relaxed, too.
+ */
+static char allowedchars[256] = {
+ /* 0 1 2 3 4 5 6 7 8 9 A B C D E F */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 00-0F */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 10-1F */
+ 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 20-2F */
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 30-3F */
+
+ 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, /* 40-4F */
+ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, /* 50-5F */
+ 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, /* 60-6F */
+ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 0, /* 70-7F */
+
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * Convert 'identifier' into canonical form.
+ * Returns a pointer to a static buffer containing the canonical form
+ * or NULL if 'identifier' is invalid.
+ *
+ * XXX If any of the characters marked with 0 are valid and are cropping up,
+ * the right thing to do is probably to canonicalize the identifier to two
+ * representations: one for getpwent calls and one for folder names. The
+ * latter canonicalizes to a MUTF7 representation.
+ */
+static char *mycanonifyid(identifier, len)
+const char *identifier;
+size_t len;
+{
+ static char retbuf[81];
+ struct group *grp;
+ char sawalpha;
+ char *p;
+ int username_tolower = 0;
+
+ if(!len) len = strlen(identifier);
+ if(len >= sizeof(retbuf)) return NULL;
+
+ memmove(retbuf, identifier, len);
+ retbuf[len] = '\0';
+
+ /* This used to be far more restrictive, but many sites seem to ignore the
+ * ye olde Unix conventions of username. Specifically, we used to
+ * - drop case on the buffer
+ * - disallow lots of non-alpha characters ('-', '_', others)
+ * Now we do neither of these, but impose a very different policy based on
+ * the character map above.
+ */
+
+ if (!strncmp(retbuf, "group:", 6)) {
+ grp = getgrnam(retbuf+6);
+ if (!grp) return 0;
+ strcpy(retbuf+6, grp->gr_name);
+ return retbuf;
+ }
+
+ /* Copy the string and look up values in the allowedchars array above.
+ * If we see any we don't like, reject the string.
+ * Lowercase usernames if requested.
+ */
+ username_tolower = libcyrus_config_getswitch(CYRUSOPT_USERNAME_TOLOWER);
+ sawalpha = 0;
+ for(p = retbuf; *p; p++) {
+ if (username_tolower && isupper((unsigned char)*p))
+ *p = tolower((unsigned char)*p);
+
+ switch (allowedchars[*(unsigned char*) p]) {
+ case 0:
+ return NULL;
+
+ case 2:
+ sawalpha = 1;
+ /* FALL THROUGH */
+
+ default:
+ ;
+ }
+ }
+
+ /* we used to enforce "has to be one alpha char" */
+ /* now we don't */
+ /* if (!sawalpha) return NULL; */
+
+ return retbuf;
+}
+
+/*
+ * Set the current user to 'identifier'. 'cacheid', if non-null,
+ * points to a 16-byte binary key to cache identifier's information
+ * with.
+ */
+static struct auth_state *mynewstate(const char *identifier)
+{
+ struct auth_state *newstate;
+ struct passwd *pwd;
+ struct group *grp;
+#if defined(HAVE_GETGROUPLIST) && defined(__GLIBC__)
+ gid_t gid, *groupids = NULL;
+ int ret, ngroups = 10;
+#else
+ char **mem;
+#endif
+
+ identifier = mycanonifyid(identifier, 0);
+ if (!identifier) return 0;
+ if (!strncmp(identifier, "group:", 6)) return 0;
+
+ newstate = (struct auth_state *)xmalloc(sizeof(struct auth_state));
+
+ strcpy(newstate->userid, identifier);
+ newstate->ngroups = 0;
+ newstate->group = NULL;
+
+ if(!libcyrus_config_getswitch(CYRUSOPT_AUTH_UNIX_GROUP_ENABLE))
+ return newstate;
+
+ pwd = getpwnam(identifier);
+
+#if defined(HAVE_GETGROUPLIST) && defined(__GLIBC__)
+ gid = pwd ? pwd->pw_gid : (gid_t) -1;
+
+ /* get the group ids */
+ do {
+ groupids = (gid_t *)xrealloc((gid_t *)groupids,
+ ngroups * sizeof(gid_t));
+
+ newstate->ngroups = ngroups; /* copy of ngroups for comparision */
+ ret = getgrouplist(identifier, gid, groupids, &ngroups);
+ /*
+ * This is tricky. We do this as long as getgrouplist tells us to
+ * realloc _and_ the number of groups changes. It tells us to realloc
+ * also in the case of failure...
+ */
+ } while (ret == -1 && ngroups != newstate->ngroups);
+
+ if (ret == -1) {
+ newstate->ngroups = 0;
+ newstate->group = NULL;
+ goto err;
+ }
+
+ newstate->ngroups = 0;
+ newstate->group = (char **)xmalloc(ngroups * sizeof(char *));
+ while (ngroups--) {
+ if (pwd || groupids[ngroups] != gid) {
+ if ((grp = getgrgid(groupids[ngroups]))) {
+ newstate->ngroups++;
+ newstate->group[newstate->ngroups-1] = xstrdup(grp->gr_name);
+ }
+ }
+ }
+
+err:
+ if (groupids) free(groupids);
+
+#else /* !HAVE_GETGROUPLIST */
+ setgrent();
+ while ((grp = getgrent())) {
+ for (mem = grp->gr_mem; *mem; mem++) {
+ if (!strcmp(*mem, identifier)) break;
+ }
+
+ if (*mem || (pwd && pwd->pw_gid == grp->gr_gid)) {
+ newstate->ngroups++;
+ newstate->group = (char **)xrealloc((char *)newstate->group,
+ newstate->ngroups * sizeof(char *));
+ newstate->group[newstate->ngroups-1] = xstrdup(grp->gr_name);
+ }
+ }
+ endgrent();
+#endif /* HAVE_GETGROUPLIST */
+
+ return newstate;
+}
+
+static void myfreestate(auth_state)
+struct auth_state *auth_state;
+{
+ if (auth_state->group) {
+ while (auth_state->ngroups) {
+ free((char *)auth_state->group[--auth_state->ngroups]);
+ }
+ free((char *)auth_state->group);
+ }
+ free((char *)auth_state);
+}
+
+
+struct auth_mech auth_unix =
+{
+ "unix", /* name */
+
+ &mycanonifyid,
+ &mymemberof,
+ &mynewstate,
+ &myfreestate,
+};
Index: Makefile
===================================================================
RCS file: /kolabrepository/server/imapd/Makefile,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -d -r1.32 -r1.33
--- Makefile 11 Mar 2008 15:42:19 -0000 1.32
+++ Makefile 11 Mar 2008 15:58:35 -0000 1.33
@@ -17,9 +17,10 @@
PACKAGE=imapd
VERSION=2.3.11
RELEASE=20080101
-KOLABRELEASE=20080101_kolab
+KOLABRELEASE=20080101_kolab2
-PATCHES=$(KOLABCVSDIR)/timsieved-starttls-sendcaps.patch
+PATCHES=$(KOLABCVSDIR)/timsieved-starttls-sendcaps.patch \
+ $(KOLABCVSDIR)/imapd.patch.group
all: $(PACKAGE)-$(VERSION)-$(KOLABRELEASE).src.rpm
Index: kolab.patch
===================================================================
RCS file: /kolabrepository/server/imapd/kolab.patch,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -d -r1.33 -r1.34
--- kolab.patch 11 Mar 2008 15:47:13 -0000 1.33
+++ kolab.patch 11 Mar 2008 15:58:35 -0000 1.34
@@ -5,7 +5,7 @@
License: BSD
Version: 2.3.11
-Release: 20080101
-+Release: 20080101_kolab
++Release: 20080101_kolab2
# package options
%option with_fsl yes
More information about the commits
mailing list