Hi William,

William Yodlowsky wrote on Mon, Mar 10, 2014:

> The fix is to back out the workaround in dovecot, as getpwnam_r()
> was recently fixed.  With the below applied, you instead get:
> 
> Mar 10 14:42:41 host1 dovecot: auth-worker(5241): Error:
> bsdauth(notauser,1.2.3.4): getpwnam() failed: Operation not permitted

That is strange and certainly not what i expect.
If merely the user does not exist, why would getpwnam_r()
return EPERM in -current?  It is expected to return 0
and set *result = NULL.

I just checked on my own -current installation, and getpwnam_r()
works as expected.

Which -current snapshot are you running, or if you compiled yourself,
when did you last update lib/libc/gen?  Did you maybe miss a patch
that i committed?

> I'm new to dovecot but that seems a lot better than a crash.

Well, as far as i understand, the patch was required because with
our old libc still containing all the bugs, valid users could
sometimes be rejected with EPERM, when the buffer started with a
size that was too small.

> --- src/lib/ipwd.c.orig       Mon Mar 10 14:00:34 2014
> +++ src/lib/ipwd.c    Mon Mar 10 14:03:41 2014
> @@ -50,11 +50,6 @@ int i_getpwnam(const char *name, struct passwd *pwd_r)
>       do {
>               pw_init();
>               errno = getpwnam_r(name, pwd_r, pwbuf, pwbuf_size, &result);
> -#ifdef __OpenBSD__
> -             /* OpenBSD returns 1 for all errors, assume it's ERANGE */
> -             if (errno == 1)
> -                     errno = ERANGE;
> -#endif
>       } while (errno == ERANGE);
>       if (result != NULL)
>               return 1;
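Review bot: In i_getpwnam(), once the `errno == 1` mapping is gone, the `while (errno == ERANGE)` loop retries only when getpwnam_r() really returns ERANGE. On a libc that still returns 1 for every error, as the removed comment describes, a too-small pwbuf now ends the loop after one pass with EPERM instead of retrying. Suggest recording the minimum libc revision this depends on alongside the change, or keeping the #ifdef until that libc is the baseline.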
> @@ -73,11 +68,6 @@ int i_getpwuid(uid_t uid, struct passwd *pwd_r)
>       do {
>               pw_init();
>               errno = getpwuid_r(uid, pwd_r, pwbuf, pwbuf_size, &result);
> -#ifdef __OpenBSD__
> -             /* OpenBSD returns 1 for all errors, assume it's ERANGE */
> -             if (errno == 1)
> -                     errno = ERANGE;
> -#endif
>       } while (errno == ERANGE);
>       if (result != NULL)
>               return 1;
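Review bot: The same removal in i_getpwuid() relies on getpwuid_r() returning ERANGE for a short buffer, but the description of the change only names getpwnam_r() as fixed. Worth confirming that getpwuid_r() received the same fix and including a lookup by uid in the test run, since a return value of 1 here would now leave the loop after a single pass.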

Removing that patch now is definitely correct, and from inspecting
the upstream dovecot code, i conclude that it is going to work
correctly on -current.

However, i'd like to confirm with you that it does in actual testing.
Can you make sure you have the latest lib/libc/gen, remove the
patch, and see what happens when trying to authenticate as a non-
existent user?

I'd expect some message to be generated from PASSDB_RESULT_USER_UNKNOWN.
The message "Operation not permitted" clearly is the wrong one.

Yours,
  Ingo
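
The getpwnam_r() contract discussed in this thread, as an added example that is not part of the original message or of dovecot's code: return 0 with *result == NULL means "no such user", ERANGE means "retry with a larger buffer", and anything else is a real error. `lookup_user`, `stub_pwnam`, `legacy_libc` and the user "alice" are hypothetical names; the stub is constructed so that both the fixed and the unfixed libc behaviour can be exercised without a password database.

```c
#include <errno.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

enum pw_status { PW_ERROR = -1, PW_UNKNOWN = 0, PW_FOUND = 1 };
/* Same signature as getpwnam_r(3), so a stub can stand in for libc. */
typedef int (*pwnam_fn)(const char *, struct passwd *, char *, size_t,
    struct passwd **);
int legacy_libc = 0;    /* stub only: report every error as 1 (EPERM) */

/* Hypothetical helper; on PW_FOUND the caller frees *buf_r (backs pwd_r). */
enum pw_status lookup_user(pwnam_fn fn, const char *name,
    struct passwd *pwd_r, char **buf_r)
{
    struct passwd *result = NULL;
    char *buf = NULL, *nbuf;
    size_t size = 16;   /* deliberately small: forces the ERANGE path */
    int rc = ENOMEM;

    for (; size <= 65536 && (nbuf = realloc(buf, size)) != NULL; size *= 2) {
        buf = nbuf;
        rc = fn(name, pwd_r, buf, size, &result);
        if (rc != ERANGE)
            break;      /* only ERANGE means "retry with more room" */
    }
    *buf_r = (rc == 0 && result != NULL) ? buf : NULL;
    if (*buf_r != NULL)
        return PW_FOUND;
    free(buf);
    errno = rc;         /* 0 here: no such user, which is not a failure */
    return rc == 0 ? PW_UNKNOWN : PW_ERROR;
}

/* Constructed stub: knows only "alice" and needs a 64-byte buffer. */
int stub_pwnam(const char *name, struct passwd *pwd, char *buf, size_t len,
    struct passwd **res)
{
    *res = NULL;
    if (strcmp(name, "alice") != 0)
        return 0;       /* unknown user: success, *res stays NULL */
    if (len < 64)
        return legacy_libc ? 1 : ERANGE;
    memset(pwd, 0, sizeof(*pwd));
    pwd->pw_name = strcpy(buf, "alice");
    *res = pwd;
    return 0;
}
```

Passing `getpwnam_r` as the first argument runs the same helper against the system libc. With `legacy_libc` set, the existing user is rejected with EPERM, which is the failure the old workaround papered over.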
