
(-)spamd/spamd.raw (-46 / +65 lines)
Lines 489-503 Link Here
489
# support setuid() to user unless:
489
# support setuid() to user unless:
490
# run with -u
490
# run with -u
491
# we're not root
491
# we're not root
492
# doing --vpopmail
492
# doing --vpopmail or --virtual-config-dir
493
# we disable user-config
493
# we disable user-config
494
my $setuid_to_user = (
494
my $setuid_to_user = (
495
	$opt{'username'} ||
495
	$opt{'username'} ||
496
	$> != 0 ||
496
	$> != 0 ||
497
	$opt{'vpopmail'} ||
497
	$opt{'vpopmail'} ||
498
	(!$opt{'user-config'} && !($opt{'setuid-with-sql'}||$opt{'setuid-with-ldap'}))
498
	$opt{'virtual-config-dir'}
499
	) ? 0 : 1;
499
      ) ? 0 : 1;
500
500
501
dbg("spamd: will perform setuids? $setuid_to_user");
502
503
if ( $opt{'vpopmail'} ) {
504
  if ( !$opt{'username'} ) {
505
    die "spamd: cannot use --vpopmail without -u\n";
506
  }
507
}
508
509
if ( $opt{'virtual-config-dir'} ) {
510
  if ( !$opt{'username'} ) {
511
    die "spamd: cannot use --virtual-config-dir without -u\n";
512
  }
513
}
514
501
# always copy the config, later code may disable
515
# always copy the config, later code may disable
502
my $copy_config_p = 1;
516
my $copy_config_p = 1;
503
517
Lines 1463-1481 Link Here
1463
    $compress_zlib = $hdrs->{compress_zlib};
1477
    $compress_zlib = $hdrs->{compress_zlib};
1464
  }
1478
  }
1465
1479
1466
  handle_setuid_to_user if ($setuid_to_user && $> == 0);
1480
  return 0 unless do_user_handling();
1481
  if ($> == 0) { die "spamd: still running as root! dying"; }
1467
1482
1468
  if ( $opt{'sql-config'} && !defined($current_user) ) {
1469
    unless ( handle_user_sql('nobody') ) {
1470
      service_unavailable_error("Error fetching user preferences via SQL");
1471
      return 0;
1472
    }
1473
  }
1474
1475
  if ( $opt{'ldap-config'} && !defined($current_user) ) {
1476
    handle_user_ldap('nobody');
1477
  }
1478
1479
  my $resp = "EX_OK";
1483
  my $resp = "EX_OK";
1480
1484
1481
  # generate mail object from input
1485
  # generate mail object from input
Lines 1669-1674 Link Here
1669
  my $expected_length = $hdrs->{expected_length};
1673
  my $expected_length = $hdrs->{expected_length};
1670
  my $compress_zlib = $hdrs->{compress_zlib};
1674
  my $compress_zlib = $hdrs->{compress_zlib};
1671
1675
1676
  return 0 unless do_user_handling();
1677
  if ($> == 0) { die "spamd: still running as root! dying"; }
1678
1672
  if (!$opt{tell}) {
1679
  if (!$opt{tell}) {
1673
    service_unavailable_error("TELL commands have not been enabled.");
1680
    service_unavailable_error("TELL commands have not been enabled.");
1674
    return 0;
1681
    return 0;
Lines 1684-1691 Link Here
1684
    return 0;
1691
    return 0;
1685
  }
1692
  }
1686
1693
1687
  &handle_setuid_to_user if ($setuid_to_user && $> == 0);
1688
1689
  if ($opt{'sql-config'} && !defined($current_user)) {
1694
  if ($opt{'sql-config'} && !defined($current_user)) {
1690
    unless (handle_user_sql('nobody')) {
1695
    unless (handle_user_sql('nobody')) {
1691
      service_unavailable_error("Error fetching user preferences via SQL");
1696
      service_unavailable_error("Error fetching user preferences via SQL");
Lines 1789-1794 Link Here
1789
1794
1790
###########################################################################
1795
###########################################################################
1791
1796
1797
sub do_user_handling {
1798
  if ($setuid_to_user && $> == 0) {
1799
    handle_setuid_to_user();
1800
  }
1801
1802
  if ( $opt{'sql-config'} && !defined($current_user) ) {
1803
    unless ( handle_user_sql('nobody') ) {
1804
      service_unavailable_error("Error fetching user preferences via SQL");
1805
      return 0;
1806
    }
1807
  }
1808
1809
  if ( $opt{'ldap-config'} && !defined($current_user) ) {
1810
    handle_user_ldap('nobody');
1811
  }
1812
1813
  dbg ("spamd: running as uid $>");
1814
  return 1;
1815
}
1816
1792
# generalised header parser.  
1817
# generalised header parser.  
1793
sub parse_headers {
1818
sub parse_headers {
1794
  my ($hdrs, $client) = @_;
1819
  my ($hdrs, $client) = @_;
Lines 1891-1899 Link Here
1891
      handle_user_setuid_with_ldap($current_user);
1916
      handle_user_setuid_with_ldap($current_user);
1892
      $setuid_to_user = 1;    # as above
1917
      $setuid_to_user = 1;    # as above
1893
    }
1918
    }
1919
    else {
1920
      handle_user_setuid_basic($current_user);
1921
    }
1894
  }
1922
  }
1895
  else {
1923
  else {
1896
    handle_user($current_user);
1924
    handle_user_setuid_basic($current_user);
1897
    if ( $opt{'sql-config'} ) {
1925
    if ( $opt{'sql-config'} ) {
1898
      unless ( handle_user_sql($current_user) ) {
1926
      unless ( handle_user_sql($current_user) ) {
1899
        service_unavailable_error("Error fetching user preferences via SQL");
1927
        service_unavailable_error("Error fetching user preferences via SQL");
Lines 2016-2022 Link Here
2016
  return 1;
2044
  return 1;
2017
}
2045
}
2018
2046
2019
sub handle_user {
2047
sub handle_user_setuid_basic {
2020
  my $username = shift;
2048
  my $username = shift;
2021
2049
2022
  #
2050
  #
Lines 2055-2060 Link Here
2055
    }
2083
    }
2056
  }
2084
  }
2057
2085
2086
  if ($opt{'user-config'}) {
2087
    handle_user_set_user_prefs($dir, $username);
2088
  }
2089
}
2090
2091
sub handle_user_set_user_prefs {
2092
  my ($dir, $username) = @_;
2093
2058
  #
2094
  #
2059
  # If vpopmail config enabled then set $dir to virtual homedir
2095
  # If vpopmail config enabled then set $dir to virtual homedir
2060
  #
2096
  #
Lines 2076-2109 Link Here
2076
  }
2112
  }
2077
  my $cf_file = $dir . "/.spamassassin/user_prefs";
2113
  my $cf_file = $dir . "/.spamassassin/user_prefs";
2078
2114
2079
  #
2115
  create_default_cf_if_needed( $cf_file, $username, $dir );
2080
  # If vpopmail config enabled then pass virtual homedir onto create_default_cf_needed
2116
  $spamtest->read_scoreonly_config($cf_file);
2081
  #
2117
  $spamtest->signal_user_changed(
2082
  if ( $opt{'vpopmail'} ) {
2118
    {
2083
    if ( !$opt{'username'} ) {
2119
      username => $username,
2084
      warn "spamd: cannot use vpopmail without -u\n";
2120
      user_dir => $dir
2085
    }
2121
    }
2086
    create_default_cf_if_needed( $cf_file, $username, $dir );
2122
  );
2087
    $spamtest->read_scoreonly_config($cf_file);
2088
    $spamtest->signal_user_changed(
2089
      {
2090
        username => $username,
2091
        user_dir => $dir
2092
      }
2093
    );
2094
2123
2095
  }
2096
  else {
2097
    create_default_cf_if_needed( $cf_file, $username, $dir );
2098
    $spamtest->read_scoreonly_config($cf_file);
2099
    $spamtest->signal_user_changed(
2100
      {
2101
        username => $username,
2102
        user_dir => $dir
2103
      }
2104
    );
2105
  }
2106
2107
  return 1;
2124
  return 1;
2108
}
2125
}
2109
2126
Lines 2780-2785 Link Here
2780
The pattern B<must> expand to an absolute directory when spamd is running
2797
The pattern B<must> expand to an absolute directory when spamd is running
2781
daemonized (B<-d>).
2798
daemonized (B<-d>).
2782
2799
2800
Currently, use of this without B<-u> is not supported. This inhibits setuid.
2801
2783
=item B<-r> I<pidfile>, B<--pidfile>=I<pidfile>
2802
=item B<-r> I<pidfile>, B<--pidfile>=I<pidfile>
2784
2803
2785
Write the process ID of the spamd parent to the file specified by I<pidfile>.
2804
Write the process ID of the spamd parent to the file specified by I<pidfile>.
Lines 2793-2799 Link Here
2793
maildir.  This option is useful for vpopmail virtual users who do not have an
2812
maildir.  This option is useful for vpopmail virtual users who do not have an
2794
entry in the system /etc/passwd file.
2813
entry in the system /etc/passwd file.
2795
2814
2796
Currently, use of this without B<-u> is not supported.
2815
Currently, use of this without B<-u> is not supported. This inhibits setuid.
2797
2816
2798
=item B<-s> I<facility>, B<--syslog>=I<facility>
2817
=item B<-s> I<facility>, B<--syslog>=I<facility>
2799
2818
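Review bot: The `if ($> == 0) { die "spamd: still running as root! dying"; }` guard sits at the two call sites (the "Lines 1463-1481" and "Lines 1669-1674" hunks) rather than inside `do_user_handling`, so it only runs after `handle_user_sql('nobody')` and `handle_user_ldap('nobody')` have already executed, and a future caller that omits the second line loses the fail-closed check. Placing `die "spamd: still running as root! dying" if $> == 0;` in `do_user_handling` directly after the `handle_setuid_to_user()` block would stop before any SQL or LDAP lookup and keep the privilege drop and its verification together. The test also covers only the effective uid. `handle_setuid_to_user` is not in view, so it is worth confirming there whether the real uid and the group ids are switched too, since an effective-only change can be reverted by code that runs later in the child. Both handler bodies start and end outside their hunks.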
