fetchmail/fetchmail-re-read-passwordfile-on-every-poll.patch

173 lines
5.3 KiB
Diff

From: Matthew Ogilvie <mmogilvi+fml@zoho.com>
Date: Fri, 9 Jun 2017 18:20:40 -0600
Subject: re-read passwordfile on every poll
Git-repo: https://gitlab.com/fetchmail/fetchmail.git
Git-commit: c2b96715bb39b9cfd1c751eae6b0111bed9c8581
---
fetchmail.c | 100 ++++++++++++++++++++++++++++++++++++++--------------------
fetchmail.man | 9 +----
2 files changed, 69 insertions(+), 40 deletions(-)
Index: fetchmail-6.5.1/fetchmail.c
===================================================================
--- fetchmail-6.5.1.orig/fetchmail.c
+++ fetchmail-6.5.1/fetchmail.c
@@ -681,48 +681,19 @@ int main(int argc, char **argv)
}
ctl->password = xstrdup(msg);
+ ctl->passwordfile = NULL;
memset(msg, 0x55, mi-msg);
} else if (ctl->passwordfile) {
- int fd = open(ctl->passwordfile, O_RDONLY);
- char msg[PASSWORDLEN+1];
- char *newline;
- int res;
-
- if (fd == -1) {
+ if (access(ctl->passwordfile, R_OK) != 0) {
int saveErrno = errno;
fprintf(stderr,
- GT_("fetchmail: unable to open %s: %s\n"),
+ GT_("fetchmail: unable to access %s: %s\n"),
ctl->passwordfile,
strerror(saveErrno));
return PS_AUTHFAIL;
}
-
- res = read(fd, msg, sizeof(msg)-1);
- if (res == -1 || close(fd) == -1) {
- int saveErrno = errno;
- fprintf(stderr,
- GT_("fetchmail: error reading %s: %s\n"),
- ctl->passwordfile,
- strerror(saveErrno));
- return PS_AUTHFAIL;
- }
- msg[res] = '\0';
-
- newline = memchr(msg, '\n', res);
- if (newline != NULL) {
- *newline = '\0';
- }
-
- if (strlen(msg) == 0) {
- fprintf(stderr,
- GT_("fetchmail: empty password read from %s\n"),
- ctl->passwordfile);
- memset(msg, 0x55, res);
- return PS_AUTHFAIL;
- }
-
- ctl->password = xstrdup(msg);
- memset(msg, 0x55, res);
+ ctl->password = xstrdup("dummy");
+ /* file will be read/re-read on each poll interval below */
} else if (!isatty(0)) {
fprintf(stderr,
GT_("fetchmail: can't find a password for %s@%s.\n"),
@@ -739,6 +710,8 @@ int main(int argc, char **argv)
ctl->password = xstrdup((char *)fm_getpassword(tmpbuf));
free(tmpbuf);
}
+ } else {
+ ctl->passwordfile = NULL;
}
}
@@ -938,6 +911,65 @@ int main(int argc, char **argv)
dofastuidl = 0; /* this is reset in the driver if required */
+ if (ctl->passwordfile) {
+ int fd = open(ctl->passwordfile, O_RDONLY);
+ char msg[PASSWORDLEN+1];
+ char *newline;
+ int res;
+
+ if (fd == -1) {
+ int saveErrno = errno;
+ report(stderr,
+ GT_("fetchmail: unable to open %s: %s\n"),
+ ctl->passwordfile,
+ strerror(saveErrno));
+ continue;
+ }
+
+ res = read(fd, msg, sizeof(msg)-1);
+ close(fd);
+ if (res == -1) {
+ int saveErrno = errno;
+ report(stderr,
+ GT_("fetchmail: error reading %s: %s\n"),
+ ctl->passwordfile,
+ strerror(saveErrno));
+ continue;
+ }
+ msg[res] = '\0';
+
+ newline = memchr(msg, '\n', res);
+ if (newline != NULL) {
+ *newline = '\0';
+ }
+
+ if (strlen(msg) == 0) {
+ report(stderr,
+ GT_("fetchmail: empty password read from %s\n"),
+ ctl->passwordfile);
+ memset(msg, 0x55, res);
+ continue;
+ }
+
+ if (ctl->password) {
+ memset(ctl->password, 0x55, strlen(ctl->password));
+ xfree(ctl->password);
+ }
+ ctl->password = xstrdup(msg);
+ memset(msg, 0x55, res);
+ }
+
+ if (!ctl->password) {
+ /* This shouldn't be reachable (all cases caught
+ * earlier), but keep it for safety since there
+ * are many cases.
+ */
+ report(stderr,
+ GT_("password is unexpectedly NULL querying %s\n"),
+ ctl->server.pollname);
+ continue;
+ }
+
querystatus = query_host(ctl);
if (NUM_NONZERO(ctl->fastuidl))
Index: fetchmail-6.5.1/fetchmail.man
===================================================================
--- fetchmail-6.5.1.orig/fetchmail.man
+++ fetchmail-6.5.1/fetchmail.man
@@ -1061,12 +1061,9 @@ See USER AUTHENTICATION below for a comp
.br
Specifies a file name from which to read the first line to use as the password.
Useful if something changes the password/token often without regenerating a
-long fetchmailrc file, such as with typical xoauth2 authentication tokens.
+long fetchmailrc file, such as with typical oauth2 authentication tokens.
Protect the file with appropriate permissions to avoid leaking your password.
-Fetchmail might not re-read the file in daemon mode (-d) unless the
-fetchmailrc file also changes, so it might make sense to run it in
-non-daemon mode from some other background process (cron and/or whatever
-updates the password).
+Fetchmail will re-read the file for each poll when in daemon mode.
.TP
.B \-\-passwordfd <integer>
(Keyword: passwordfd)
@@ -1079,7 +1076,7 @@ although it could also be a redirected i
(equivalent to "fetchmail \-\-passwordfd 5 5</path/to/file").
Useful if something wants to manage password ownership more securely
than files, or if the password/token changes often,
-such as with typical xoauth2 authentication tokens. Normal interactive
+such as with typical oauth2 authentication tokens. Normal interactive
mode passwords requires that standard input is a terminal and disables
echo, but passwordfd does not care. Do not do something
like "echo 'password' | fetchmail ...", since echo's arguments are