On Mon, Jul 07, 2014 at 08:09:31PM -0400, Brad Smith wrote:

> On 04/07/14 7:39 AM, Otto Moerbeek wrote:
> >On Sun, Jun 22, 2014 at 05:39:34AM -0400, Brad Smith wrote:
> >
> >>On Sun, Jun 22, 2014 at 05:01:38AM +0200, Jérémie Courrèges-Anglas wrote:
> >>>
> >>>(Redirecting this to ports@)
> >>>
> >>>Could you folks test this patch against dovecot from -stable?  I only
> >>>did compile testing on -current.  I don't know how the allocator(s)
> >>>handle failures nor how would i_realloc handle pwbuf_size ==
> >>>old_pwbuf_size, but this looks safe.
> >>>
> >>>
> >>>$OpenBSD$
> >>>
> >>>Hack: we avoid the actual ERANGE error case by always providing a large
> >>>enough buffer.
> >>
> >>I'd prefer to use the diff I had committed when this issue first came
> >>up although back then local auth didn't work at all without the hack
> >>that was added. I don't have a 5.5 system around at the moment so
> >>please check this builds first and then test as appropriate.
> >
> >What I see with this diff (thanks to sthen for the package) is no more
> >out-of-mem errors. So that is good. But I see this instead:
> >
> >Jul  4 13:19:17 mx1 dovecot: auth-worker(14261): Error:
> >bsdauth(ottox,2001:981:aaf3:1:224:1dff:fede:e939): getpwnam() failed:
> >Operation not permitted
> >
> >The error code from getpwnam_r for a non-existent user is 1, which is
> >now interpreted as an errno (EPERM), it seems.
> >
> >On the client side I see:
> >xx NO [UNAVAILABLE] Temporary authentication failure
> >
> >instead of the
> >xx NO [AUTHENTICATIONFAILED] Authentication failed.
> >
> >So it can be seen which usernames are valid.
> >
> >     -Otto
> 
> So you're essentially screwed either way depending on which
> issue you consider more important. So the only option is to
> patch the broken libc with 5.5 if you want it fully working
> properly.

Well, it might be possible to rewrite the diff to return the right
error status and not clobber errno.... I'll see if I can get around to
doing that, but don't count on it.

        -Otto
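
An added example, not part of the message above and not the dovecot diff under discussion: one way to wrap getpwnam_r() so that "no such user" and "lookup failed" stay distinct and the caller's errno is not clobbered. The names pw_status, classify_pw and lookup_user are hypothetical, as is the constructed user name in main().

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical result codes; these names are not dovecot's. */
enum pw_status { PW_FOUND, PW_NOTFOUND, PW_TEMPFAIL };

/* POSIX contract: rc == 0 with a NULL result means "no such user"; only a
 * non-zero rc is an error number. A libc that returns non-zero for an
 * unknown user (as reported in the thread) ends up in PW_TEMPFAIL, which
 * is the distinguishable client-side response. */
enum pw_status classify_pw(int rc, const struct passwd *result)
{
    if (rc != 0)
        return PW_TEMPFAIL;
    return result != NULL ? PW_FOUND : PW_NOTFOUND;
}

/* Look up a user, growing the buffer on ERANGE. The error number is taken
 * from the return value only and the caller's errno is restored on exit.
 * On PW_FOUND, *buf_out owns the strings that *pw points into. */
enum pw_status lookup_user(const char *name, struct passwd *pw,
                           char **buf_out, int *err_out)
{
    int saved_errno = errno, rc = ERANGE;
    size_t size = 64;            /* small on purpose, to exercise growth */
    char *buf = NULL;
    struct passwd *result = NULL;
    while (rc == ERANGE && size <= (1u << 20)) {
        char *bigger = realloc(buf, size);
        if (bigger == NULL) { rc = ENOMEM; break; }
        buf = bigger;
        rc = getpwnam_r(name, pw, buf, size, &result);
        size *= 2;
    }
    enum pw_status st = classify_pw(rc, result);
    if (st != PW_FOUND) { free(buf); buf = NULL; }
    *buf_out = buf;
    *err_out = rc;
    errno = saved_errno;
    return st;
}

int main(void)
{
    struct passwd pw; char *buf; int err;
    enum pw_status st = lookup_user("no-such-user-constructed", &pw, &buf, &err);
    printf("status=%d err=%d\n", (int)st, err);
    free(buf);
    return 0;
}
```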
