[dspam-dev] Patch to allow even untrusted users to see their statistics

Mon, 14 Apr 2008 17:38:30 -0700 

 Hello,

 I believe it to be wrong, or at least very counterintuitive, that normal
users can't run dspam_stats to see their own statistics. The following
simple patch allows them to see them while still allowing only trusted
users to see the statics for users other than themselves:

diff -r bbc278ac94b3 src/tools/dspam_stats.c
--- a/src/tools/dspam_stats.c   Mon Mar 10 05:01:44 2008 +0000
+++ b/src/tools/dspam_stats.c   Tue Apr 15 02:20:18 2008 +0200
@@ -47,6 +47,11 @@

 #define TSYNTAX        "syntax: dspam_stats [-hHrsSt] [username]"

+#ifdef _WIN32
+/* no trusted users under Windows */
+#undef TRUSTED_USER_SECURITY
+#endif
+
 DSPAM_CTX *open_ctx, *open_mtx;
 int opt_humanfriendly;
 int opt_reset;
@@ -68,11 +73,9 @@ main (int argc, char **argv)
 #endif
   struct _ds_spam_totals totals;

-#ifndef _WIN32
 #ifdef TRUSTED_USER_SECURITY
   struct passwd *p = getpwuid (getuid ());
-
-#endif
+  int trusted = 0;
 #endif


@@ -94,14 +97,10 @@ main (int argc, char **argv)

   libdspam_init(_ds_read_attribute(agent_config, "StorageDriver"));

-#ifndef _WIN32
 #ifdef TRUSTED_USER_SECURITY
-  if (!_ds_match_attribute(agent_config, "Trust", p->pw_name) && p->pw_uid) {
-    fprintf(stderr, ERR_TRUSTED_MODE "\n");
-    _ds_destroy_config(agent_config);
-    goto BAIL;
-  }
-#endif
+  if (_ds_match_attribute(agent_config, "Trust", p->pw_name) || !p->pw_uid) {
+    trusted = 1;
+  }
 #endif

   for(i=0;i<argc;i++) {
@@ -181,13 +180,32 @@ main (int argc, char **argv)
   for (i=0; i < argc; i++)
   {
       if (strncmp(argv[i], "--", 2)) {
+#ifdef TRUSTED_USER_SECURITY
+        if ( !trusted && strcmp(argv[i], p->pw_name) )
+        {
+          fprintf(stderr, ERR_TRUSTED_MODE "\n");
+          _ds_destroy_config(agent_config);
+          goto BAIL;
+        }
+#endif
         stat_user(argv[i], &totals);
         users++;
       }
   }

   if (!users)
+  {
+#ifdef TRUSTED_USER_SECURITY
+    if ( !trusted )
+    {
+      fprintf(stderr, ERR_TRUSTED_MODE "\n");
+      _ds_destroy_config(agent_config);
+      goto BAIL;
+    }
+#endif
+
     process_all_users (&totals);
+  }

   if (opt_total)
     stat_user(NULL, &totals);


 I believe this patch should be safe to apply but please let me know if you
see any problems with or have any questions about it.

 Thanks,
VZ

Reply via email to