Code question about mycanonifyid() in lib/auth_unix.c

Wesley Craig wes at
Tue Aug 26 15:21:09 EDT 2008

On 20 Aug 2008, at 03:42, Thomas Jarosch wrote:
> I've noticed a little piece of code and wanted to ask about the  
> original idea behind it. In mycanconifyid() is a special code path  
> if the identifier begins with "group:". If so, we call getgrnam()  
> and then copy the resulting group name into the buffer.
> I'm wondering why the code does this?
> F.e. could getgrnam() return a group alias name when querying an  
> LDAP server?
> Either the group name can change (so we need to check the buffer as  
> in the attached cyrus-imapd-protect-buffer.patch) or it will never  
> change and we can drop the strcpy() like in the cyrus-imapd-remove- 
> unused-strcpy.patch.

I think the comment is pretty illuminating:

     /* This used to be far more restrictive, but many sites seem to  
ignore the
      * ye olde Unix conventions of username.  Specifically, we used to
      * - drop case on the buffer
      * - disallow lots of non-alpha characters ('-', '_', others)
      * Now we do neither of these, but impose a very different  
policy based on
      * the character map above.

If you were using nss_ldap, as you mention, and the user types a  
group like "MiXeDcAsE", the ldap servers matching rules will allow  
that to match "mixedcase" -- the group name is typically "cn", which  
is a case-ignore-string, in LDAP parlance. .  Since Cyrus isn't  
restricting the case, one hopes getgrnam() is applying some sort of  
name canonicalization.  (Examining nss_ldap from PADL, I see that the  
group name returned is indeed the one provided by the LDAP server.)   
The memberof function provide by auth_unix.c is case sensitive,  
you'll notice.

So, I think cyrus-imapd-protect-buffer.patch is appropriate (committed).


More information about the Cyrus-devel mailing list