From d83ee5a2feae663d9bcc6b08d19631e342628259 Mon Sep 17 00:00:00 2001
From: danw
Date: Tue, 17 Jun 1997 20:20:24 +0000
Subject: [PATCH] Don't create a user group with new accounts. Don't allow users to rename a list to someone else's username. Also, allow users to get `MR_NO_MATCH' if they get_user_account_by_login on a non-existent account. (Used by the client to be able to check for this case.)
---
 server/qaccess.pc | 17 +++++++++++++----
 server/qsupport.pc | 41 ++++-------------------------------------
 2 files changed, 17 insertions(+), 41 deletions(-)
diff --git a/server/qaccess.pc b/server/qaccess.pc
index 8a7a0d97..5d92824e 100644
--- a/server/qaccess.pc
+++ b/server/qaccess.pc
@@ -83,7 +83,10 @@ int access_login(q, argv, cl)
 WHERE u.unix_uid = :argv[0] AND u.users_id != 0;
 }
- if (sqlca.sqlerrd[2] != 1 || id != cl->users_id)
+ if (sqlca.sqlcode == SQL_NO_MATCH)
+ return(MR_NO_MATCH); /* ought to be MR_USER, but this is what
+ gual returns, so we have to be consistent */
+ else if (sqlca.sqlerrd[2] != 1 || id != cl->users_id)
 return(MR_PERM);
 else
 return(MR_SUCCESS);
@@ -110,8 +113,8 @@ int access_list(q, argv, cl)
 client *cl;
 {
 EXEC SQL BEGIN DECLARE SECTION;
- int list_id, acl_id, flags, gid;
- char acl_type[9];
+ int list_id, acl_id, flags, gid, users_id;
+ char acl_type[9], *newname;
 EXEC SQL END DECLARE SECTION;
 char *client_type;
 int client_id, status;
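Review bot: The new `sqlca.sqlcode == SQL_NO_MATCH` branch in access_login runs before the ownership test, so a caller who would otherwise get MR_PERM now learns from MR_NO_MATCH that the account does not exist. The commit message scopes this to get_user_account_by_login, but the check sits after the closing brace of the query dispatch (the `u.unix_uid` lookup is the visible context just above), so it appears to apply to every query routed through this function, including lookups by uid. If only gual needs the distinct code, gate it with `if (sqlca.sqlcode == SQL_NO_MATCH && !strcmp(q->shortname, "gual"))`, and extend the comment to say the existence disclosure is deliberate. The dispatch chain starts outside the hunk, so confirm which shortnames actually reach this point.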
@@ -134,13 +137,19 @@ int access_list(q, argv, cl)
 (!strcmp("dmfl", q->shortname))) && (!strcmp("USER", argv[1]))) {
 if (*(int *)argv[2] == client_id) return(MR_SUCCESS);
- /* if update_list, don't allow them to change the GID */
+ /* if update_list, don't allow them to change the GID or rename to
+ a username other than their own */
 } else if (!strcmp("ulis", q->shortname)) {
 if (!strcmp(argv[7], UNIQUE_GID)) {
 if(gid != -1) return MR_PERM;
 } else {
 if(gid != atoi(argv[7])) return MR_PERM;
 }
+ newname = argv[1];
+ EXEC SQL SELECT users_id INTO :users_id FROM users
+ WHERE login=:newname;
+ if ((sqlca.sqlcode != SQL_NO_MATCH) && (users_id != client_id))
+ return MR_PERM;
 }
 /* check for client in access control list */
diff --git a/server/qsupport.pc b/server/qsupport.pc
index 2ef8246d..53305928 100644
--- a/server/qsupport.pc
+++ b/server/qsupport.pc
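Review bot: The rename guard in the `ulis` branch trusts `users_id` whenever sqlcode is anything other than SQL_NO_MATCH, so a SELECT that fails with a database error compares an indeterminate value against `client_id`; `users_id` is declared without an initializer in the preceding hunk. Fail closed by requiring a clean fetch before the comparison: `if ((sqlca.sqlcode != SQL_NO_MATCH) && (sqlca.sqlcode != 0 || users_id != client_id)) return MR_PERM;`. The lookup also runs on every update_list call rather than only when the name changes, so a list that already carries another user's login appears to become non-updatable by its other ACL members; a comment should say whether that is intended. `client_id` is assigned outside the hunk, so if it can hold an id of a non-USER client type, the comparison should also test `client_type`.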
@@ -1280,42 +1280,6 @@ int register_user(q, argv, cl)
 strtrim(machname));
 incremental_after(USERS_TABLE, buffer, 0);
- /* create group list */
- if (set_next_object_id("gid", LIST_TABLE, 1))
- return(MR_NO_ID);
- if (set_next_object_id("list_id", LIST_TABLE, 0))
- return(MR_NO_ID);
- EXEC SQL SELECT value INTO :list_id FROM numvalues
- WHERE name='list_id';
- if (dbms_errno) return(mr_errcode);
- if (sqlca.sqlerrd[2] != 1)
- return(MR_INTERNAL);
- incremental_clear_before();
- EXEC SQL SELECT value INTO :gidval FROM numvalues WHERE name = 'gid';
- EXEC SQL INSERT INTO list
- (name, list_id, active, publicflg, hidden, maillist, grouplist,
- gid, description, acl_type, acl_id,
- modtime, modby, modwith)
- VALUES (:login, :list_id, 1, 0, 0, 0, 1,
- :gidval, 'User Group', 'USER', :users_id,
- SYSDATE, :who, :entity);
- if (dbms_errno) return(mr_errcode);
- if (sqlca.sqlerrd[2] != 1)
- return(MR_INTERNAL);
- sprintf(buffer, "l.list_id = %d", list_id);
- incremental_after(LIST_TABLE, buffer, 0);
- aargv[0] = (char *) list_id;
- aargv[1] = "USER";
- aargv[2] = (char *) users_id;
- incremental_clear_before();
- EXEC SQL INSERT INTO imembers
- (list_id, member_type, member_id, ref_count, direct)
- VALUES (:list_id, 'USER', :users_id, 1, 1);
- if (dbms_errno) return(mr_errcode);
- if (sqlca.sqlerrd[2] != 1)
- return(MR_INTERNAL);
- incremental_after(IMEMBERS_TABLE, 0, aargv);
-
 if (m_id == 0) {
 /* Cell Name (I know, it shouldn't be hard coded...) */
 strcpy(machname, "ATHENA.MIT.EDU");
@@ -1323,6 +1287,9 @@ int register_user(q, argv, cl)
 WHERE name = :machname;
 }
+ EXEC SQL SELECT list_id INTO :list_id FROM list
+ WHERE name='wheel';
+
 /* create filesystem */
 if (set_next_object_id("filsys_id", FILESYS_TABLE, 0))
 return(MR_NO_ID);
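Review bot: The added `SELECT list_id ... WHERE name='wheel'` is the only statement in this stretch of register_user whose result is not checked; if the row is missing or the query fails, `list_id` keeps whatever it held before, and the block deleted in the previous hunk was what used to set it. Follow the pattern the function already uses after its other statements: `if (dbms_errno) return(mr_errcode);` and `if (sqlca.sqlerrd[2] != 1) return(MR_INTERNAL);`. A one-line comment explaining why new accounts are tied to the hard-coded `wheel` list (presumably as the owning group of the filesystem created below, which is outside the hunk) would help, since that choice affects the default ownership of every new account.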
@@ -1381,7 +1348,7 @@ int register_user(q, argv, cl)
 EXEC SQL UPDATE tblstats SET updates=updates+1, modtime=SYSDATE WHERE table_name='users';
 EXEC SQL UPDATE tblstats SET appends=appends+1, modtime=SYSDATE
- WHERE table_name='list' OR table_name='filesys' OR table_name='quota';
+ WHERE table_name='filesys' OR table_name='quota';
 if (dbms_errno) return(mr_errcode);
 return(MR_SUCCESS);
 }
-- 
2.45.2