Code question about mycanonifyid() in lib/auth_unix.c
Wesley Craig
wes at umich.edu
Tue Aug 26 15:21:09 EDT 2008
On 20 Aug 2008, at 03:42, Thomas Jarosch wrote:
> I've noticed a little piece of code and wanted to ask about the
> original idea behind it. In mycanonifyid() is a special code path
> if the identifier begins with "group:". If so, we call getgrnam()
> and then copy the resulting group name into the buffer.
> I'm wondering why the code does this?
> F.e. could getgrnam() return a group alias name when querying an
> LDAP server?
> Either the group name can change (so we need to check the buffer as
> in the attached cyrus-imapd-protect-buffer.patch) or it will never
> change and we can drop the strcpy() like in the cyrus-imapd-remove-unused-strcpy.patch.
I think the comment is pretty illuminating:

/* This used to be far more restrictive, but many sites seem to ignore the
 * ye olde Unix conventions of username.  Specifically, we used to
 * - drop case on the buffer
 * - disallow lots of non-alpha characters ('-', '_', others)
 * Now we do neither of these, but impose a very different policy based on
 * the character map above.
 */
If you were using nss_ldap, as you mention, and the user types a
group like "MiXeDcAsE", the LDAP server's matching rules will allow
that to match "mixedcase" -- the group name is typically "cn", which
is a case-ignore-string, in LDAP parlance. Since Cyrus isn't
restricting the case, one hopes getgrnam() is applying some sort of
name canonicalization. (Examining nss_ldap from PADL, I see that the
group name returned is indeed the one provided by the LDAP server.)
The memberof function provided by auth_unix.c is case sensitive,
you'll notice.
So, I think cyrus-imapd-protect-buffer.patch is appropriate (committed).
:wes
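An added illustration of the point the thread turns on (this is example code written here, not Cyrus's auth_unix.c nor either patch): the "group:" path asks the name service for the group, and the name that comes back can differ from what the user typed in case and even in length, so the copy back into the fixed-size buffer has to be bounds-checked. The lookup is passed as a function pointer so the real getgrnam() can be supplied; the constructed stand-in below mimics an nss_ldap-style case-ignore match that returns the canonical cn. Function names, the buffer sizes and the fake group table are assumptions.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for an NSS backend (e.g. nss_ldap) whose group
 * lookup matches case-insensitively but returns the canonical name. */
static const char *const fake_groups[] = { "mixedcase", "averyveryveryverylonggroupname" };

static struct group *fake_getgrnam(const char *name)
{
    static struct group gr;          /* getgrnam() also hands back static storage */
    static char gr_name_buf[64];
    for (size_t i = 0; i < sizeof fake_groups / sizeof *fake_groups; i++) {
        if (strcasecmp(name, fake_groups[i]) == 0) {
            snprintf(gr_name_buf, sizeof gr_name_buf, "%s", fake_groups[i]);
            memset(&gr, 0, sizeof gr);
            gr.gr_name = gr_name_buf;
            return &gr;
        }
    }
    return NULL;                     /* unknown group */
}

/* Canonify a "group:NAME" identifier into out[outlen]: look NAME up and
 * copy back the name the backend returns.  Because that name may not be
 * the string the user typed, the copy is length-checked and the function
 * fails instead of overrunning the caller's buffer.
 * Returns out on success, NULL if the prefix is missing, the group is
 * unknown, or the canonical name would not fit. */
char *canonify_group(const char *identifier, char *out, size_t outlen,
                     struct group *(*lookup)(const char *))
{
    if (strncmp(identifier, "group:", 6) != 0) return NULL;
    struct group *gr = lookup(identifier + 6);
    if (!gr || !gr->gr_name) return NULL;
    int n = snprintf(out, outlen, "group:%s", gr->gr_name);
    if (n < 0 || (size_t)n >= outlen) return NULL;   /* would be truncated */
    return out;
}

/* Membership test as the mail describes it: a plain case-sensitive
 * comparison against the canonified identifier. */
int group_memberof(const char *canonical_id, const char *group)
{
    return strncmp(canonical_id, "group:", 6) == 0 &&
           strcmp(canonical_id + 6, group) == 0;
}
```

Because the comparison is case-sensitive, only the canonified form ("group:mixedcase") matches; without the canonification step a user who typed "MiXeDcAsE" would silently fail the membership check.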