merge 'security password' branch

Author: pjstevns

acinclude.m4

@@ -689,4 +689,12 @@ AC_DEFUN([DM_UPGRADE_STEPS], [dnl
 	AC_SUBST(MYSQL_32003)
 	AC_SUBST(SQLITE_32003)
 
+	PGSQL_32004=`sed -e 's/\"/\\\"/g' -e 's/^/\"/' -e 's/$/\\\n\"/' -e '$!s/$/ \\\\/'  sql/postgresql/upgrades/32004.psql`
+	MYSQL_32004=`sed -e 's/\"/\\\"/g' -e 's/^/\"/' -e 's/$/\\\n\"/' -e '$!s/$/ \\\\/'  sql/mysql/upgrades/32004.mysql`
+	SQLITE_32004=`sed -e 's/\"/\\\"/g' -e 's/^/\"/' -e 's/$/\\\n\"/' -e '$!s/$/ \\\\/'  sql/sqlite/upgrades/32004.sqlite`
+	AC_SUBST(PGSQL_32004)
+	AC_SUBST(MYSQL_32004)
+	AC_SUBST(SQLITE_32004)
+
+
 ])

configure.in

@@ -1,7 +1,8 @@
 # Copyright (C) 1999-2004 IC & S  [email protected]
 # Copyright (C) 2004-2013 NFG Net Facilities Group [email protected]
 
-AC_INIT([dbmail], [3.1.1], [[email protected]])
+<<<<<<< HEAD
+AC_INIT([dbmail], [3.1.3.1], [[email protected]])
 AC_CONFIG_AUX_DIR(config)
 AM_CONFIG_HEADER(config.h:config.in)
 AC_CONFIG_MACRO_DIR([m4])

doc/README.security-password

@@ -0,0 +1,71 @@
+
+Security Password
+=================
+
+DBMail now supports a special, separate password.
+
+This separate password allows you to specify behavior when users log into one
+of the DBMail servers using this password.
+
+The use-case for this feature is when you want to provide your users with an
+unobtrusive way to delete all sensitive messages from their accounts, even when
+under duress or active observation. When a lot of messages are affected the
+login delay will be somewhat greater, but other than that, it is impossible to
+tell that anything out of the ordinary has happpened.
+
+Changes
+-------
+
+A small schema-migration is required and provided in
+sql/DRIVER/upgrades/31202.xxx. If you run a version prior to 3.2.0 you will
+have to apply it manually.
+
+The password can be specified with the --security-password argument of
+dbmail-users. The same encryption as for the regular password is used.
+
+The behavior after logging in using this password can be set per user using the
+--security-action argument of dbmail-users. Currently two actions are
+hard-coded, but you can expand them as needed.
+
+Security-action:
+----------------
+
+0: do nothing. This is also the default behavior.
+1: delete everything. In this case all mailboxes owned by the authenticated 
+   user are deleted immediately and irretrievably.
+2 and higher: these can be configured through the security_action setting
+   in dbmail.conf:
+
+The first two are hard-coded, as said. It is not possible to override them in
+dbmail.conf. Trying to do so will invalidate the entry in dbmail.conf.
+
+An example:
+
+security_action = 2:\Deleted;3:\Flagged \Deleted Important $Important
+
+In this case two additional behaviors are defined. When a user has
+security-action 2, and logs on using the security-password all messages that
+have the \Deleted system-flag set are queued for later deletion by dbmail-util,
+and are immediately inaccessible to the user.
+
+For users with security-action 3, all messages that have the \Flagged or
+\Deleted system flags, or have a user labels 'Important' or '$Important' are
+queued for deletion and are also immediately inaccessible to the user.
+
+Please Note:
+------------
+
+This feature is not without risks if used casually. Instruct your users
+carefully! Also make sure the security password can never be the same as the
+regular password because in that case it just won't work.
+
+Messages that have been queued for deletion *can*, if required, be restored to
+visibility by a system adminitrator by setting the status field. If the
+security action was set to '1' however, only a restore from backup of the
+database will bring back the deleted mail.
+
+
+LDAP support is currently not available. Please contact [email protected] if you
+required this feature and need LDAP authentication.
+
+#EOF

sql/mysql/create_tables.mysql

@@ -384,6 +384,9 @@ CREATE TABLE `dbmail_users` (
   `cursieve_size` bigint(20) NOT NULL default '0',
   `encryption_type` varchar(255) NOT NULL default '',
   `last_login` datetime NOT NULL default '1979-11-03 22:05:58',
+  `spasswd` varchar(255) NOT NULL default '',
+  `saction` smallint NOT NULL default '0',
+  `active` smallint NOT NULL default '1',
   PRIMARY KEY  (`user_idnr`),
   UNIQUE KEY `userid_index` (`userid`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

sql/mysql/upgrades/32004.mysql

@@ -0,0 +1,8 @@
+
+BEGIN;
+ALTER TABLE dbmail_users ADD COLUMN spasswd VARCHAR(130) DEFAULT '' NOT NULL;
+ALTER TABLE dbmail_users ADD COLUMN saction SMALLINT DEFAULT '0' NOT NULL;
+ALTER TABLE dbmail_users ADD COLUMN active SMALLINT DEFAULT '1' NOT NULL;
+
+INSERT INTO dbmail_upgrade_steps (from_version, to_version, applied) values (32001, 32004, now());
+COMMIT;

sql/oracle/dbmail_schema.sql

@@ -514,6 +514,9 @@ CREATE TABLE dbmail_users (
   cursieve_size number(20) default '0' NOT NULL,
   encryption_type varchar2(255)  default NULL,
   last_login timestamp default TO_TIMESTAMP('1979-11-03 22:05:58','YYYY-MM-DD HH24:MI:SS') NOT NULL
+  spasswd varchar2(255) default NULL,
+  saction number(1) default '0' NOT NULL,
+  active number(1) default '1' NOT NULL
 );
 CREATE UNIQUE INDEX dbmail_users_idx ON dbmail_users (user_idnr) TABLESPACE DBMAIL_TS_IDX;
 ALTER TABLE dbmail_users ADD CONSTRAINT dbmail_users_pk PRIMARY KEY (user_idnr) USING INDEX dbmail_users_idx;

sql/postgresql/create_tables.pgsql

@@ -62,6 +62,9 @@ CREATE TABLE dbmail_users (
    cursieve_size INT8 DEFAULT '0' NOT NULL,
    encryption_type VARCHAR(20) DEFAULT '' NOT NULL,
    last_login TIMESTAMP DEFAULT '1979-11-03 22:05:58' NOT NULL,
+   spasswd VARCHAR(130) DEFAULT '' NOT NULL,
+   saction SMALLINT DEFAULT '0' NOT NULL,
+   active SMALLINT DEFAULT '1' NOT NULL
    PRIMARY KEY (user_idnr)
 );
 

sql/postgresql/upgrades/32004.pgsql

@@ -0,0 +1,8 @@
+
+BEGIN;
+ALTER TABLE dbmail_users ADD COLUMN spasswd VARCHAR(130) DEFAULT '' NOT NULL;
+ALTER TABLE dbmail_users ADD COLUMN saction SMALLINT DEFAULT '0' NOT NULL;
+ALTER TABLE dbmail_users ADD COLUMN active SMALLINT DEFAULT '1' NOT NULL;
+
+INSERT INTO dbmail_upgrade_steps (from_version, to_version) values (32001, 32004);
+COMMIT;

sql/sqlite/create_tables.sqlite

@@ -53,7 +53,10 @@ CREATE TABLE dbmail_users (
    maxmail_size INTEGER DEFAULT '0' NOT NULL,
    curmail_size INTEGER DEFAULT '0' NOT NULL,
    encryption_type TEXT DEFAULT '' NOT NULL,
-   last_login DATETIME DEFAULT '1979-11-03 22:05:58' NOT NULL
+   last_login DATETIME DEFAULT '1979-11-03 22:05:58' NOT NULL,
+   spasswd TEXT NOT NULL DEFAULT '',
+   saction SMALLINT NOT NULL DEFAULT '0',
+   active BOOLEAN NOT NULL DEFAULT '1'
 );
 CREATE UNIQUE INDEX dbmail_users_1 ON dbmail_users(userid);
 

sql/sqlite/upgrades/32004.sqlite

@@ -0,0 +1,8 @@
+
+BEGIN;
+ALTER TABLE dbmail_users ADD COLUMN spasswd VARCHAR(130) DEFAULT '' NOT NULL;
+ALTER TABLE dbmail_users ADD COLUMN saction SMALLINT DEFAULT '0' NOT NULL;
+ALTER TABLE dbmail_users ADD COLUMN active SMALLINT DEFAULT '1' NOT NULL;
+
+INSERT INTO dbmail_upgrade_steps (from_version, to_version) values (32001, 32004);
+COMMIT;

src/dbmail-imapsession.c

@@ -1314,13 +1314,11 @@ int dbmail_imap_session_handle_auth(ImapSession * self, const char * username, c
 {
 	uint64_t userid = 0;
 
+	TRACE(TRACE_DEBUG, "[%p] trying to validate user [%s]", self, username);
 	int valid = auth_validate(self->ci, username, password, &userid);
 
 	if (self->ci->auth)
 		username = Cram_getUsername(self->ci->auth);
-
-	TRACE(TRACE_DEBUG, "[%p] trying to validate user [%s]", self, username);
-
 
 	switch(valid) {
 		case -1: /* a db-error occurred */

src/dbmail-user.c

@@ -428,18 +428,18 @@ int do_aliases(const uint64_t useridnr,
 	GList *current_aliases, *matching_aliases, *matching_alias_del;
 
 	if (no_to_all) {
-		qprintf("Pretending to remove aliases for user id number [%" PRIu64 "]\n",
-			useridnr);
 		if (alias_del) {
+			qprintf("Pretending to remove aliases for user id number [%" PRIu64 "]\n",
+				useridnr);
 			alias_del = g_list_first(alias_del);
 			while (alias_del) {
 				qprintf("  [%s]\n", (char *)alias_del->data);
 				alias_del = g_list_next(alias_del);
 			}
 		}
-		qprintf("Pretending to add aliases for user id number [%" PRIu64 "]\n",
-			useridnr);
 		if (alias_add) {
+			qprintf("Pretending to add aliases for user id number [%" PRIu64 "]\n",
+				useridnr);
 			alias_add = g_list_first(alias_add);
 			while (alias_add) {
 				qprintf("  [%s]\n", (char *)alias_add->data);
@@ -521,6 +521,32 @@ int do_aliases(const uint64_t useridnr,
 	return result;
 }
 
+int do_spasswd(const uint64_t useridnr, const char * const spasswd)
+{
+	if (no_to_all) {
+		qprintf("Pretending to set security password for user [%" PRIu64 "] to [%s]\n", useridnr, spasswd);
+		return 1;
+	}
+	return db_user_set_security_password(useridnr, spasswd);
+}
+
+int do_saction(const uint64_t useridnr, long int saction)
+{
+	if (no_to_all) {
+		qprintf("Pretending to set security action for user [%" PRIu64 "] to [%ld]\n", useridnr, saction);
+		return 1;
+	}
+	return db_user_set_security_action(useridnr, saction);
+}
+
+int do_enable(const uint64_t useridnr, bool enable)
+{
+	if (no_to_all) {
+		qprintf("Pretending to %s authentication for user [%" PRIu64 "]\n", enable?"enable":"disable", useridnr);
+		return 1;
+	}
+	return db_user_set_active(useridnr, enable);
+}
 
 int do_delete(const uint64_t useridnr, const char * const name)
 {
@@ -708,7 +734,7 @@ int do_empty(uint64_t useridnr)
 		qprintf("Emptying mailbox... ");
 		fflush(stdout);
 
-		result = db_empty_mailbox(useridnr);
+		result = db_empty_mailbox(useridnr, 1);
 		if (result != 0) {
 			qerrorf("Error. Please check the log.\n");
 		} else {

src/dbmail-user.h

@@ -43,16 +43,6 @@ int mkpassword(const char * const user, const char * const passwd,
                const char * const passwdtype, const char * const passwdfile,
                char ** password, char ** enctype);
 
-struct change_flags {
-	unsigned int newuser         : 1;
-	unsigned int newmaxmail      : 1;
-	unsigned int newclientid     : 1;
-	unsigned int newpasswd       : 1;
-	unsigned int newpasswdfile   : 1;
-	unsigned int newpasswdstdin  : 1;
-	unsigned int newpasswdshadow : 1;
-};
-
 /* The prodigious use of const ensures that programming
  * mistakes inside of these functions don't cause us to
  * use incorrect values when calling auth_ and db_ internals.
@@ -75,6 +65,9 @@ int do_clientid(const uint64_t useridnr, const uint64_t clientid);
 int do_password(const uint64_t useridnr,
                 const char * const password,
                 const char * const enctype);
+int do_spasswd(const uint64_t useridnr, const char * const password);
+int do_saction(const uint64_t useridnr, long int saction);
+int do_enable(const uint64_t useridnr, bool enable);
 int do_aliases(const uint64_t useridnr,
                GList * alias_add,
                GList * alias_del);

src/dbmail.h.in

@@ -205,6 +205,9 @@
 #define DM_PGSQL_32003 @PGSQL_32003@
 #define DM_SQLITE_32003 @SQLITE_32003@
 
+#define DM_MYSQL_32004 @MYSQL_32004@
+#define DM_PGSQL_32004 @PGSQL_32004@
+#define DM_SQLITE_32004 @SQLITE_32004@
 
 /* include dbmail.conf for autocreation */
 #define DM_DEFAULT_CONFIGURATION @DM_DEFAULT_CONFIGURATION@

src/dbmailtypes.h

@@ -408,6 +408,7 @@ typedef struct {
         Field_T tls_ciphers;
 	int (*ClientHandler) (client_sock *);
 	void (*cb) (struct evhttp_request *, void *);
+	GTree *security_actions;
 } ServerConfig_T;
 
 
@@ -494,6 +495,7 @@ typedef struct {
 	gchar *hdrplist;
 	GList *names;
 	GTree *headers;
+	GList *names;
 } body_fetch;
 
 

src/dm_config.c

@@ -496,3 +496,53 @@ char * config_get_pidfile(ServerConfig_T *config, const char *name)
 	return res;
 }
 
+void config_get_security_actions(ServerConfig_T *config)
+{
+	Field_T var;
+	char **values;
+	uint64_t *key;
+	char *value;
+
+	if (config->security_actions)
+		return;
+
+	GTree *actions = g_tree_new_full((GCompareDataFunc)ucmp, NULL, g_free, g_free);
+
+	memset(var, '\0', sizeof(var));
+	GETCONFIGVALUE("security_action", "DBMAIL", var);
+	key = g_new0(uint64_t, 1);
+	*key = 0;
+	g_tree_insert(actions, key, g_strdup("NONE"));
+	key = g_new0(uint64_t, 1);
+	*key = 1;
+	g_tree_insert(actions, key, g_strdup("ALL"));
+
+	if (strlen(var) > 2) { // 2:a;3:b
+		int i = 0;
+		values = g_strsplit(var, ";", 0);
+		while (values[i]) {
+			uint64_t tmp = dm_strtoull(values[i], &value, 10);
+			if ((tmp == 0) || (value == NULL) || (value[0] != ':')) {
+				TRACE(TRACE_NOTICE, "error parsing security action");
+				break;
+			}
+			if (g_tree_lookup(actions, &tmp)) {
+				TRACE(TRACE_ERR, "duplicate security action specified [%" PRIu64 "]",
+						tmp);
+				TRACE(TRACE_ERR, "ignoring security_action configuration. using defaults.");
+				break;
+			}
+			value++;
+			key = g_new0(uint64_t, 1);
+			*key = tmp;
+			g_tree_insert(actions, key, g_strdup(value));
+			i++;
+		}
+		i = 0;
+		g_strfreev(values);
+	}
+
+	config->security_actions = actions;
+}
+
+

src/dm_config.h

@@ -71,6 +71,7 @@ void pidfile_create(const char *pidFile, pid_t pid);
 
 void config_get_timeout(ServerConfig_T *config, const char * const service);
 void config_get_logfiles(ServerConfig_T *config, const char * const service);
+void config_get_security_actions(ServerConfig_T *config);
 
 char * config_get_pidfile(ServerConfig_T *config, const char *name);
 char * config_get_statefile(ServerConfig_T *config, const char *name);