/[smeserver]/rpms/qpsmtpd/sme8/0008-added-auth_checkpassword-plugin.patch
ViewVC logotype

Contents of /rpms/qpsmtpd/sme8/0008-added-auth_checkpassword-plugin.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Sun Nov 14 20:50:20 2010 UTC (14 years ago) by slords
Branch: MAIN
CVS Tags: qpsmtpd-0_84-3_el5_sme, qpsmtpd-0_84-6_el5_sme, qpsmtpd-0_84-2_el5_sme, qpsmtpd-0_84-5_el5_sme, qpsmtpd-0_84-8_el5_sme, qpsmtpd-0_84-9_el5_sme, qpsmtpd-0_84-4_el5_sme, qpsmtpd-0_84-7_el5_sme, HEAD
Error occurred while calculating annotation data.
* Sun Nov 14 2010 <slords@mail.com> 0.84-2.sme
- Sync with upstream git repo.
- Fix require_resolvable_fromhost doesn't work [SME: 6369]
- Fix TLS security defaults [SME: 6366]
- Fix fatal errors when mail has no headers [SME: 6345]

1 From fbbf43ad15c1025d9f1e0a2259371ff1533504cd Mon Sep 17 00:00:00 2001
2 From: Matt Simerson <matt@tnpi.net>
3 Date: Mon, 10 May 2010 19:07:48 -0400
4 Subject: added auth_checkpassword plugin
5
6 New and improved!
7 With POD! (because JP said so: http://www.nntp.perl.org/group/perl.qpsmtpd/2005/06/msg3145.html)
8 Includes usage notes and a perl script useful for diagnosing a checkpassword program.
9
10 Signed-off-by: Robert <rspier@pobox.com>
11 ---
12 MANIFEST | 1 +
13 plugins/auth/auth_checkpassword | 145 +++++++++++++++++++++++++++++++++++++++
14 2 files changed, 146 insertions(+), 0 deletions(-)
15 create mode 100644 plugins/auth/auth_checkpassword
16
17 diff --git a/MANIFEST b/MANIFEST
18 index 930ddbf..9d5912a 100644
19 --- a/MANIFEST
20 +++ b/MANIFEST
21 @@ -62,6 +62,7 @@ plugins/async/queue/smtp-forward
22 plugins/async/require_resolvable_fromhost
23 plugins/async/rhsbl
24 plugins/async/uribl
25 +plugins/auth/auth_checkpassword
26 plugins/auth/auth_cvm_unix_local
27 plugins/auth/auth_flat_file
28 plugins/auth/auth_ldap_bind
29 diff --git a/plugins/auth/auth_checkpassword b/plugins/auth/auth_checkpassword
30 new file mode 100644
31 index 0000000..6337ff7
32 --- /dev/null
33 +++ b/plugins/auth/auth_checkpassword
34 @@ -0,0 +1,145 @@
35 +#!/usr/bin/perl -w
36 +
37 +=head1 NAME
38 +
39 +auth_checkpassword - Authenticate against a DJB style checkpassword program
40 +
41 +=head1 DESCRIPTION
42 +
43 +This plugin authenticates users against a DJB style checkpassword
44 +program. Unlike previous checkpassword implementations, this plugin
45 +expects qpsmtpd to be running as the qpsmtpd user. Privilege
46 +escalation can be attained by running the checkpassword binary setuid
47 +or with sudo.
48 +
49 +=head1 CONFIGURATION
50 +
51 +Configure the path to your checkpassword binary:
52 +
53 + echo "/usr/local/vpopmail/bin/vchkpw /usr/bin/true" > ~qpsmtpd/config/smtpauth-checkpassword
54 +
55 +vchkpw is the checkpassword program provided by vpopmail. Substitute
56 +your own checkpassword app as appropriate.
57 +
58 +If you are using vchkpw and this plugin is being executed by a user ID
59 +other than 89 or 0 (as is the default), and the vchkpw binary is not
60 +setuid (as is the default), this plugin will automatically prepend the
61 +vchkpw command with sudo. If that is the case, you must configure sudo
62 +by adding these two lines to your sudoers file:
63 +
64 + Defaults:qpsmtpd closefrom_override
65 + qpsmtpd ALL = (ALL) NOPASSWD: /usr/local/vpopmail/bin/vchkpw
66 +
67 +The closefrom_override option is necessary because, by default, sudo
68 +appropriates the first 3 file descriptors. Those descriptors are
69 +necessary to communicate with the checkpassword program. If you run
70 +qpsmtpd as some other user, adjust the sudo lines approriately.
71 +
72 +Using sudo is preferable to enabling setuid on the vchkpw binary. If
73 +you reinstall vpopmail and the setuid bit is lost, this plugin will be
74 +broken.
75 +
76 +=head1 DIAGNOSTICS
77 +
78 +Is the path in the config/smtpauth-checkpassword correct?
79 +
80 +Is the path to true in config/smtpauth-checkpassword correct?
81 +
82 +Is qpsmtpd running as the qpsmtpd user? If not, did you adjust the
83 +sudo configuration appropriately?
84 +
85 +If you are not using sudo, did you remember to make the vchkpw binary
86 +setuid (chmod 4711 ~vpopmail/bin/vchkpw)?
87 +
88 +While writing this plugin, I first wrote myself a little test script,
89 +which helped me identify the sudo closefrom_override issue. Here is
90 +that script:
91 +
92 + #!/usr/bin/perl
93 + use strict;
94 + my $sudo = "/usr/local/bin/sudo";
95 + $sudo .= " -C4 -u vpopmail";
96 + my $vchkpw = "/usr/local/vpopmail/bin/vchkpw";
97 + my $true = "/usr/bin/true";
98 +
99 + open(CPW,"|$sudo $vchkpw $true 3<&0");
100 + printf(CPW "%s\0%s\0Y123456\0",'user@example.com','pa55word');
101 + close(CPW);
102 +
103 + my $status = $?;
104 + print "FAIL\n" and exit if ( $status != 0 );
105 + print "OK\n";
106 +
107 +Save that script to vchkpw.pl and then run it as the same user that
108 +qpsmtpd runs as:
109 +
110 + setuidgid qpsmtpd perl vchkpw.pl
111 +
112 +If you aren't using sudo, then remove $sudo from the open line.
113 +
114 +=head1 ACKNOWLEDGEMENTS
115 +
116 +based upon authcheckpassword by Michael Holzt
117 +and adapted by Johan Almqvist 2006-01-18
118 +
119 +=head1 AUTHOR
120 +
121 +Matt Simerson <msimerson@cpan.org>
122 +
123 +=head1 COPYRIGHT AND LICENSE
124 +
125 +Copyright (c) 2010 Matt Simerson
126 +
127 +This plugin is licensed under the same terms as the qpsmtpd package itself.
128 +Please see the LICENSE file included with qpsmtpd for details.
129 +
130 +=cut
131 +
132 +sub register {
133 + my ($self, $qp) = @_;
134 +
135 + $self->register_hook("auth-plain", "auth_checkpassword");
136 + $self->register_hook("auth-login", "auth_checkpassword");
137 +}
138 +
139 +sub auth_checkpassword {
140 + my ($self, $transaction, $method, $user, $passClear, $passHash, $ticket) =
141 + @_;
142 +
143 + my $command = $self->qp->config("smtpauth-checkpassword")
144 + or return (DECLINED);
145 + my ($binary, $params) = $command =~ /^(\S+)(.*)$/;
146 +
147 + return (DECLINED) if (!-x $binary);
148 + my $sudo = get_sudo($binary);
149 +
150 + open(CPW, "|$sudo $binary $params 3<&0");
151 + printf(CPW "%s\0%s\0Y123456\0", $user, $passClear);
152 + close(CPW);
153 +
154 + my $status = $?;
155 +
156 + return (DECLINED) if ($status != 0);
157 +
158 + $self->connection->notes('authuser', $user);
159 + return (OK, "auth_checkpassword");
160 +}
161 +
162 +sub get_sudo {
163 + my $binary = shift;
164 +
165 + return '' if $> == 0; # running as root
166 + return '' if $> == 89 && $binary =~ /vchkpw/; # running as vpopmail
167 +
168 + my $mode = (stat($binary))[2];
169 + $mode = sprintf "%lo", $mode & 07777;
170 + return '' if $mode eq '4711'; # $binary is setuid
171 +
172 + my $sudo = `which sudo` || '/usr/local/bin/sudo';
173 + return '' if !-x $sudo;
174 + $sudo .= ' -C4'; # prevent sudo from clobber file descriptor 3
175 +
176 + return "$sudo -u vpopmail" if $binary =~ /vchkpw/;
177 + return $sudo;
178 +}
179 +
180 --
181 1.7.2.2
182

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed