script-login: When -d isn't given, drop privileges as specified by the service settings.
authorTimo Sirainen <tss@iki.fi>
Mon May 09 20:11:00 2011 +0300 (2011-05-09)
changeset 1278425a452227a09
parent 12783 56a1b3082b4b
child 12785 40a5f8f07bd2
script-login: When -d isn't given, drop privileges as specified by the service settings.
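--- a/src/util/script-login.c	Mon May 09 20:03:24 2011 +0300
+++ b/src/util/script-login.c	Mon May 09 20:11:00 2011 +0300
@@ -22,7 +22,7 @@
 #define SCRIPT_COMM_FD 3
 
 static const char **exec_args;
-static bool drop_privileges = FALSE;
+static bool drop_to_userdb_privileges = FALSE;
 
 static void client_connected(struct master_service_connection *conn)
 {
@@ -119,7 +119,7 @@
 		i_fatal("%s", error);
 	mail_storage_service_restrict_setenv(service_ctx, user);
 
-	if (drop_privileges)
+	if (drop_to_userdb_privileges)
 		restrict_access_by_env(getenv("HOME"), TRUE);
 
 	if (dup2(fd, STDIN_FILENO) < 0)
@@ -190,7 +190,7 @@
 	while ((c = master_getopt(master_service)) > 0) {
 		switch (c) {
 		case 'd':
-			drop_privileges = TRUE;
+			drop_to_userdb_privileges = TRUE;
 			break;
 		default:
 			return FATAL_DEFAULT;
@@ -200,12 +200,20 @@
 	argv += optind;
 
 	master_service_init_log(master_service, "script-login: ");
+
+	if (!drop_to_userdb_privileges &&
+	    (flags & MASTER_SERVICE_FLAG_STANDALONE) == 0) {
+		/* drop to privileges defined by service settings */
+		restrict_access_by_env(NULL, FALSE);
+	}
+
 	master_service_init_finish(master_service);
 	master_service_set_service_count(master_service, 1);
 
-	if ((flags & MASTER_SERVICE_FLAG_STANDALONE) != 0)
+	if ((flags & MASTER_SERVICE_FLAG_STANDALONE) != 0) {
+		/* The last post-login script is calling us to finish login */
 		script_execute_finish();
-	else {
+	} else {
 		if (argv[0] == NULL)
 			i_fatal("Missing script path");
 		exec_args = i_new(const char *, argc + 2);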
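Review bot: The early drop added in the last hunk calls `restrict_access_by_env(NULL, FALSE)`, while the -d path in the second hunk passes TRUE as the second argument. If that argument is the disallow-root switch, as the -d call suggests, a service block with no user configured would leave script-login executing the script as root with nothing logged. Consider checking the result right after the call, e.g. `if (geteuid() == 0) i_warning("still running as root after applying service settings");`, or say in the comment that root is deliberately tolerated here. The comment would also help more if it explained why -d skips this step, for example `/* without -d root is never needed again, so drop to the service's user/group now; with -d privileges are kept until the userdb lookup */`. The enclosing main() starts and ends outside the hunk, so any later handling of this case is not visible here.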