Mail Auth Module - Auth-Server local unix socket support

Maxim Dounin mdounin at mdounin.ru
Tue Apr 6 18:20:45 MSD 2010


Hello!

On Tue, Apr 06, 2010 at 03:23:07PM +0200, Simon Lécaille wrote:

> Hi all,
> 
> Because I need it, I add the unix socket support to Mail Auth Module.
> Now if nginx mail auth module receives Auth-Server containing a sock
> path e.g :
> 
> HTTP/1.0 200 OK
> Auth-Status: OK
> Auth-Server: /tmp/cyrus.sock
> Auth-Port: [SomethingOrNot]
> Auth-User: user at domain.tld
> Auth-Pass: password
> 
> Nginx will be able to connect to the socket (e.g /tmp/cyrus.sock)
> 
> I'm writting the tests set for prove.
> 
> Patch in this mail (nginx-0.8.35)
> 
> For people who wonder why :
> Unix sockets allow me to restrict rights and permissions on cyrus.
> By chrooting a lot of services, bad local users could contact cyrus
> from localhost with tcp connections.
> With unix sockets, the problem is now solved.
> 
> Best regards,
> Simon LECAILLE.
> 
> -- 
> (Logo EmisFr)
> *Simon LECAILLE*
> EmisFR
> /Infogérance totale ou partagée, sur site ou distante,
> Développements sur mesure web 2.0/
> 10 rue Mazagran, 54000 NANCY, France
> http://www.emisfr.com
> Tel/Fax.: +33.3 83 32 25 75

> --- ./src/mail/ngx_mail_auth_http_module.c	2009-12-25 16:43:40.000000000 +0100
> +++ ./src/mail/ngx_mail_auth_http_module.c	2010-04-06 14:55:05.000000000 +0200
> @@ -458,7 +458,6 @@
>      size_t               len, size;
>      ngx_int_t            rc, port, n;
>      ngx_addr_t          *peer;
> -    struct sockaddr_in  *sin;
>  
>      ngx_log_debug0(NGX_LOG_DEBUG_MAIL, s->connection->log, 0,
>                     "mail auth http process headers");
> @@ -744,7 +743,7 @@
>                  return;
>              }
>  
> -            if (ctx->addr.len == 0 || ctx->port.len == 0) {
> +			if ((ctx->addr.len == 0 && ctx->port.len == 0) || (ctx->port.len == 0 && ngx_strncmp(ctx->addr.data,"/",1)!=0)) {

Whitespace damage (don't use tabs in nginx code, please).  Calling 
ngx_strncmp isn't needed here as it's enough to check just one 
character.  Pointer in ctx->addr.data used without checking if 
it's supposed to be valid (i.e. you have to check if addr.len 
isn't 0 first).

>                  ngx_log_error(NGX_LOG_ERR, s->connection->log, 0,
>                                "auth http server %V did not send server or port",
>                                ctx->peer.name);
> @@ -770,9 +769,38 @@
>                  ngx_mail_session_internal_server_error(s);
>                  return;
>              }
> +			/* AF_UNIX or AF_INET*/
> +			if(ngx_strncmp(ctx->addr.data,"/",1)==0){

Whitespace damage, no spaces where they are supposed to be, and 
same as the above about ngx_strncmp.

> +
> +				/* AF_UNIX */
> +				port = 0;
> +				struct sockaddr_un  *sun;
> +				sun = ngx_pcalloc(s->connection->pool, sizeof(struct sockaddr_un));
> +				if (sun == NULL) {
> +					ngx_destroy_pool(ctx->pool);
> +					ngx_mail_session_internal_server_error(s);
> +					return;
> +				}
>  
> -            /* AF_INET only */
> +				sun->sun_family = AF_UNIX;

Not all systems have unix sockets, it should be in #if's with
NGX_HAVE_UNIX_DOMAIN check as appropriate.  Not even mentioning 
whitespace damage.

Also, please don't define variables in the middle of function 
unless they are only used in #if'ed block.

> +				ngx_memcpy(sun->sun_path, ctx->addr.data, ctx->addr.len);
> +				peer->sockaddr = (struct sockaddr *) sun;
> +				peer->socklen = sizeof(struct sockaddr_un);
> +				len = ctx->addr.len;
> +				peer->name.len = len;
> +				peer->name.data = ngx_pnalloc(s->connection->pool, len);
> +				if (peer->name.data == NULL) {
> +					ngx_destroy_pool(ctx->pool);
> +					ngx_mail_session_internal_server_error(s);
> +					return;
> +				}
>  
> +				len = ctx->addr.len;
> +				ngx_memcpy(peer->name.data, ctx->addr.data, len);
> +			}
> +			else{
> +				/* AF_INET */
> +				struct sockaddr_in  *sin;
>              sin = ngx_pcalloc(s->connection->pool, sizeof(struct sockaddr_in));
>              if (sin == NULL) {
>                  ngx_destroy_pool(ctx->pool);
> @@ -823,10 +850,9 @@
>              len = ctx->addr.len;
>  
>              ngx_memcpy(peer->name.data, ctx->addr.data, len);
> -
>              peer->name.data[len++] = ':';
> -
>              ngx_memcpy(peer->name.data + len, ctx->port.data, ctx->port.len);
> +			}

You may want to re-indent else{} part and avoid unrelated 
whitespace changes.

But actually I think it's good idea to plug something like 
ngx_parse_url() here instead of re-inventing the wheel.

Maxim Dounin



More information about the nginx-devel mailing list