noffle: src/server.c comparison

comparison src/server.c @ 288:c02c4eb95f95 noffle

[svn] * src/configfile.h,src/configfile.c,docs/noffle.conf.5: Add noffle-user and noffle-group configs. * src/configfile.c,src/fetch.c,src/fetchlist.c,src/protocol.c, src/server.c: Replace strcpy() with Utl_cpyStr() where appropriate. See Debian bug 168128. * src/control.c,src/configfile.c,src/noffle.c: Replace [s]scanf("%s") with [s]scanf(MAXCHAR_FMT). * src/noffle.c: Log warning if noffle.conf is world readable. * src/noffle.c: Restrict most options to news admins; i.e. those who are root or news on running Noffle. * Makefile.in,acconfig.h,aclocal.m4,config.h.in,configure,configure.in, docs/Makefile.in,docs/noffle.conf.5,packages/Makefile.in, packages/redhat/Makefile.in,src/Makefile.am,src/Makefile.in, src/authenticate.c,src/authenticate.h,src/noffle.c,src/server.c: Add basic authentication using either Noffle-specific user file or authenticating via PAM (service 'noffle'). PAM authentication needs to run as root, so a Noffle server that needs PAM must be started by root. Helpful (?) error messages will be logged if not. Noffle will switch ruid and euid to 'news' (or whatever is configured) ASAP. * src/noffle.c: Add uid checking.

author	bears
date	Fri, 10 Jan 2003 23:25:45 +0000
parents	3477050e8d10
children	f81fdcc2696b

comparison

equal deleted inserted replaced

-:01755687c565
+:c02c4eb95f95
 /*
 server.c
-$Id: server.c 403 2002-11-10 11:32:17Z bears $
+$Id: server.c 420 2003-01-10 23:25:45Z bears $
 */
 #if HAVE_CONFIG_H
 #include <config.h>
 #endif
 #include <errno.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <sys/types.h>
 #include <unistd.h>
+#include "authenticate.h"
 #include "client.h"
 #include "common.h"
 #include "configfile.h"
 #include "content.h"
 #include "database.h"
 #include "server.h"
 #include "util.h"
 #include "wildmat.h"
 #include "portable.h"
+enum AuthState {
+NEED_USER,
+NEED_PASS,
+AUTH_DONE
+};
 struct
 {
 Bool running;
 time_t lastServerOpen;
 int artPtr;
 Str grp; /* selected group, "" if none */
 DynStr *reply;
 Bool eotAfterReply;
 Bool groupReady;
-} server = { FALSE, 0L, 0, "", NULL, FALSE, FALSE };
+enum AuthState auth;
+char *user;
+} server = {
+FALSE,		/* running */
+0L,			/* lastServerOpen */
+0,			/* artPtr */
+"",			/* grp */
+NULL,		/* reply */
+FALSE,		/* eotAfterReply */
+FALSE,		/* groupReady */
+NEED_USER,		/* auth */
+NULL		/* user */
+};
 typedef struct Cmd
 {
 const char *name;
 const char *syntax;
+Bool needAuth;
 /* Returns false, if quit cmd */
 Bool (*cmdProc)( char *arg, const struct Cmd *cmd );
 }
 Cmd;
 static Bool doArt( char *arg, const Cmd *cmd );
+static Bool doAuthinfo( char *arg, const Cmd *cmd );
 static Bool doBody( char *arg, const Cmd *cmd );
 static Bool doGrp( char *arg, const Cmd *cmd );
 static Bool doHead( char *arg, const Cmd *cmd );
 static Bool doHelp( char *arg, const Cmd *cmd );
 static Bool doIhave( char *arg, const Cmd *cmd );
 static void closeServer( void );
 static Bool initServer( void );
 Cmd commands[] =
 {
-{ "article", "ARTICLE [msg-id|n]", &doArt },
+{ "article", "ARTICLE [msg-id|n]", TRUE, &doArt },
-{ "body", "BODY [msg-id|n]", &doBody },
+{ "authinfo", "AUTHINFO USER username|PASS password", FALSE, &doAuthinfo },
-{ "head", "HEAD [msg-id|n]", &doHead },
+{ "body", "BODY [msg-id|n]", TRUE, &doBody },
-{ "group", "GROUP grp", &doGrp },
+{ "head", "HEAD [msg-id|n]", TRUE, &doHead },
-{ "help", "HELP", &doHelp },
+{ "group", "GROUP grp", TRUE, &doGrp },
-{ "ihave", "IHAVE (ignored)", &doIhave },
+{ "help", "HELP", FALSE, &doHelp },
-{ "last", "LAST", &doLast },
+{ "ihave", "IHAVE (ignored)", TRUE, &doIhave },
+{ "last", "LAST", TRUE, &doLast },
 { "list", "LIST [ACTIVE [pat]]|ACTIVE.TIMES [pat]|"
-"EXTENSIONS|NEWSGROUPS [pat]|OVERVIEW.FMT", &doList },
+"EXTENSIONS|NEWSGROUPS [pat]|OVERVIEW.FMT", TRUE, &doList },
-{ "listgroup", "LISTGROUP grp", &doListgrp },
+{ "listgroup", "LISTGROUP grp", TRUE, &doListgrp },
-{ "mode", "MODE (ignored)", &doMode },
+{ "mode", "MODE (ignored)", FALSE, &doMode },
-{ "newgroups", "NEWGROUPS [xx]yymmdd hhmmss [GMT]", &doNewgrps },
+{ "newgroups", "NEWGROUPS [xx]yymmdd hhmmss [GMT]", TRUE, &doNewgrps },
-{ "newnews", "NEWNEWS (not implemented)", &notImplemented },
+{ "newnews", "NEWNEWS (not implemented)", TRUE, &notImplemented },
-{ "next", "NEXT", &doNext },
+{ "next", "NEXT", TRUE, &doNext },
-{ "post", "POST", &doPost },
+{ "post", "POST", TRUE, &doPost },
-{ "quit", "QUIT", &doQuit },
+{ "quit", "QUIT", FALSE, &doQuit },
-{ "slave", "SLAVE (ignored)", &doSlave },
+{ "slave", "SLAVE (ignored)", TRUE, &doSlave },
-{ "stat", "STAT [msg-id|n]", &doStat },
+{ "stat", "STAT [msg-id|n]", TRUE, &doStat },
-{ "xhdr", "XHDR over-field [msg-id|m[-[n]]]", &doXhdr },
+{ "xhdr", "XHDR over-field [msg-id|m[-[n]]]", TRUE, &doXhdr },
-{ "xpat", "XPAT over-field msg-id|m[-[n]] pat", &doXpat },
+{ "xpat", "XPAT over-field msg-id|m[-[n]] pat", TRUE, &doXpat },
-{ "xover", "XOVER [m[-[n]]]", &doXOver }
+{ "xover", "XOVER [m[-[n]]]", TRUE, &doXOver }
 };
 /*
 Notice interest in reading this group.
 Automatically subscribe if option set in config file.
 noteInterest();
 return TRUE;
 }
 static Bool
+doAuthinfo( char *line, const Cmd *cmd )
+{
+#if USE_AUTH
+Str s, arg;
+const char *data;
+if ( ! Cfg_needClientAuth() )
+{
+	putStat( STAT_AUTH_REJECTED, "Authentication not required" );
+	return TRUE;
+}
+if ( sscanf( line, MAXCHAR_FMT, s ) != 1 )
+{
+badsyntax:
+	if ( server.auth != AUTH_DONE )
+	    server.auth = NEED_USER;
+	putSyntax( cmd );
+}
+else
+{
+	Utl_toLower( s );
+	Utl_cpyStr( arg, Utl_restOfLn( line, 1 ) );
+	data = Utl_stripWhiteSpace( arg );
+	if ( strcmp( "user", s ) != 0 && strcmp( "pass", s ) != 0 )
+	    goto badsyntax;
+	if ( strcmp( "user", s ) == 0 && server.auth == NEED_USER )
+	{
+	    if ( server.user != NULL )
+		free( server.user );
+	    Utl_allocAndCpy( &server.user, data );
+	    server.auth = NEED_PASS;
+	    putStat( STAT_MORE_AUTH_REQUIRED, "More authentication required" );
+	}
+	else if ( strcmp( "pass", s ) == 0 && server.auth == NEED_PASS )
+	{
+	    enum AuthResult authRes = Auth_authenticate( server.user, data );
+	    char *p;
+	    /* Zap the password */
+	    for ( p = line; *p != '\0'; p++ )
+		*p = 'X';
+	    switch ( authRes )
+	    {
+	    case AUTH_OK:
+		server.auth = AUTH_DONE;
+		putStat( STAT_AUTH_ACCEPTED, "Authentication accepted" );
+		Log_inf( "User %s authenticated", server.user );
+		break;
+	    case AUTH_FAILED:
+		server.auth = NEED_USER;
+		putStat( STAT_NO_PERMISSION, "No permission");
+		Log_dbg( LOG_DBG_AUTH, "User %s password %s rejected",
+			 server.user, data );
+		break;
+	    case AUTH_DISCONNECT:
+		putStat( STAT_NO_PERMISSION, "No permission - disconnecting" );
+		Log_dbg( LOG_DBG_AUTH,
+			 "User %s password %s rejected - disconnecting",
+			 server.user, data );
+		return FALSE;
+	    default:	/* AUTH_ERROR */
+		putStat( STAT_PROGRAM_FAULT, "Authentication program error" );
+		Log_dbg( LOG_DBG_AUTH,
+			 "Error authenticating User %s password %s",
+			 server.user, data );
+		return FALSE;
+	    }
+	}
+	else
+	{
+	    if ( server.auth == AUTH_DONE )
+		putStat( STAT_AUTH_REJECTED, "Reauthentication not possible" );
+	    else
+	    {
+		putStat( STAT_AUTH_REJECTED, "Authentication rejected" );
+		server.auth = NEED_USER;
+	    }
+	}
+}
+#else
+UNUSED( line );
+UNUSED( cmd );
+putStat( STAT_AUTH_REJECTED, "Authentication not possible" );
+#endif
+return TRUE;
+}
+static Bool
 doHelp( char *arg, const Cmd *cmd )
 {
 unsigned int i;
 UNUSED( arg );
 if ( sscanf( line, MAXCHAR_FMT, s ) != 1 )
 doListActive( "*" );
 else
 {
 Utl_toLower( s );
-strcpy( arg, Utl_restOfLn( line, 1 ) );
+Utl_cpyStr( arg, Utl_restOfLn( line, 1 ) );
 pat = Utl_stripWhiteSpace( arg );
 if ( pat[ 0 ] == '\0' )
 pat = "*";
 if ( strcmp( "active", s ) == 0 )
 doListActive( pat );
 putStat( STAT_PROGRAM_FAULT, "%s", s );
 }
 /* Parse line, execute command and return FALSE, if it was the quit command. */
 static Bool
-parseAndExecute( Str line )
+parseAndExecute( Str line, Bool authDone )
 {
 unsigned int i, n;
 Cmd *c;
 Str s, arg;
 Bool ret;
 if ( sscanf( line, MAXCHAR_FMT, s ) == 1 )
 {
 Utl_toLower( s );
-strcpy( arg, Utl_restOfLn( line, 1 ) );
+Utl_cpyStr( arg, Utl_restOfLn( line, 1 ) );
 n = sizeof( commands ) / sizeof( commands[ 0 ] );
 for ( i = 0, c = commands; i < n; ++i, ++c )
 if ( strcmp( c->name, s ) == 0 )
 {
+#if USE_AUTH
+		if ( c->needAuth && ! authDone )
+		{
+		    putStat( STAT_AUTH_REQUIRED, "Authentication required" );
+		    return TRUE;
+		}
+#else
+		UNUSED( authDone );
+#endif
 ret = c->cmdProc( Utl_stripWhiteSpace( arg ), c );
 return ret;
 }
 }
 putStat( STAT_NO_SUCH_CMD, "Command not recognized" );
 {
 Bool done;
 Str line;
 putWelcome();
+#if USE_AUTH
+/*
+* If authentication is required, we issue the welcome message and
+* go into a command loop that doesn't open the databases and just
+* accepts authentication commands. Once successfully authenticated,
+* we drop root privs (if we have them - they are needed for PAM
+* authentication to work) and proceed to the normal loop.
+*/
+if ( Cfg_needClientAuth() )
+{
+	if ( ! Auth_open() )
+	{
+	    initOutput();
+	    putFatal( "Cannot open authorisation" );
+	    sendOutput();
+	    return;
+	}
+	done = FALSE;
+	while ( ! done )
+	{
+	    if ( Prt_getLn( line, stdin, -1 ) )
+	    {
+		initOutput();
+		if ( ! parseAndExecute( line, FALSE ) )
+		    done = TRUE;
+		if ( server.auth == AUTH_DONE )
+		    done = TRUE;
+		sendOutput();
+	    }
+	    else
+	    {
+		Log_inf( "Client disconnected. Terminating." );
+		done = TRUE;
+	    }
+	}
+	Auth_close();
+	/* Did we finish because we successfully authenticated? */
+	if ( server.auth != AUTH_DONE )
+	    return;
+}
+#endif
+if ( ! Auth_dropPrivs() )
+{
+	initOutput();
+	putFatal( "Cannot set user privs" );
+	sendOutput();
+	return;
+}
 done = FALSE;
 while ( ! done )
 {
 	if ( Prt_getLn( line, stdin, -1 ) )
 	{
 		putFatal( "Cannot init server" );
 		done = TRUE;
 	    }
 	    else
 	    {
-		if ( ! parseAndExecute( line ) )
+		if ( ! parseAndExecute( line, TRUE ) )
 		    done = TRUE;
 	    }
 	    if ( server.running )
 		closeServer();

Mercurial > noffle

comparison src/server.c @ 288:c02c4eb95f95 noffle