From e1b1a945b1626d7a964bc0d221a0592f0824214d Mon Sep 17 00:00:00 2001
From: link2xt
Date: Sat, 4 May 2024 14:57:37 +0000
Subject: [PATCH] Authenticate echobot by passing /run/echobot/password to doveauth

---
 chatmaild/src/chatmaild/doveauth.py | 10 ++++++++-
 chatmaild/src/chatmaild/echo.py | 21 +++++++++++++++++--
 .../src/cmdeploy/service/echobot.service.f | 11 +++++++++-
 3 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/chatmaild/src/chatmaild/doveauth.py b/chatmaild/src/chatmaild/doveauth.py
index 7fbc7444..f6ffb4c7 100644
--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@@ -4,6 +4,7 @@ import time
 import sys
 import json
 import crypt
+from pathlib import Path
 from socketserver import (
     UnixStreamServer,
     StreamRequestHandler,
@@ -86,11 +87,18 @@ def lookup_userdb(db, config: Config, user):
 
 def lookup_passdb(db, config: Config, user, cleartext_password):
     if user == f"echo@{config.mail_domain}":
+        # Echobot writes password it wants to log in with into /run/echobot/password
+        try:
+            password = Path("/run/echobot/password").read_text()
+        except Exception:
+            logging.exception("Exception when trying to read /run/echobot/password")
+            return None
+
         return dict(
             home=f"/home/vmail/mail/{config.mail_domain}/echo@{config.mail_domain}",
             uid="vmail",
             gid="vmail",
-            password=encrypt_password("eiPhiez0eo8raighoh0C"), # FIXME read from config
+            password=encrypt_password(password),
         )
 
     with db.write_transaction() as conn:
diff --git a/chatmaild/src/chatmaild/echo.py b/chatmaild/src/chatmaild/echo.py
index 33e0289e..32049ebb 100644
--- a/chatmaild/src/chatmaild/echo.py
+++ b/chatmaild/src/chatmaild/echo.py
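Review bot: An empty /run/echobot/password is accepted as a valid credential in the new echo branch of lookup_passdb: `read_text()` returning `""` flows straight into `encrypt_password(password)`, so for the moment in which the writer has truncated the file but not yet written it (or whenever the file is left empty) a client presenting an empty password would authenticate as the echo account. Reject it before building the dict, e.g. `if not password:` / `    return None` directly after the `try`/`except`. The writer in echo.py stores the password without a trailing newline, so the absence of `.strip()` here is consistent, but a one-line comment saying the file must contain the bare password would stop a future writer change from silently breaking login. The path literal is now duplicated between this file and echo.py; a shared constant would keep the two in step. lookup_passdb continues past the end of the hunk.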
@@ -7,10 +7,13 @@ it will echo back any message that has non-empty text and also supports the /hel
 import logging
 import os
 import sys
+import subprocess
 
 from deltachat_rpc_client import Bot, DeltaChat, EventType, Rpc, events
+from pathlib import Path
 
 from chatmaild.config import read_config
+from chatmaild.newemail import create_newemail_dict
 
 
 hooks = events.HookCollection()
@@ -75,9 +78,23 @@ def main():
 
     account = accounts[0] if accounts else deltachat.add_account()
     bot = Bot(account, hooks)
+
+    config = read_config(sys.argv[1])
+
+    # Create password file
+    if bot.is_configured():
+        password = bot.account.get_config("mail_pw")
+    else:
+        password = create_newemail_dict(config)["password"]
+    Path("/run/echobot/password").write_text(password)
+
+    # Give the user which doveauth runs as access to the password file.
+    subprocess.run(
+        ["/usr/bin/setfacl", "-m", "user:vmail:r", "/run/echobot/password"],
+        check=True,
+    )
+
     if not bot.is_configured():
-        config = read_config(sys.argv[1])
-        password = "eiPhiez0eo8raighoh0C" # FIXME read from config
         email = "echo@" + config.mail_domain
         bot.configure(email, password)
     bot.run_forever()
diff --git a/cmdeploy/src/cmdeploy/service/echobot.service.f b/cmdeploy/src/cmdeploy/service/echobot.service.f
index 17b3a161..5117b394 100644
--- a/cmdeploy/src/cmdeploy/service/echobot.service.f
+++ b/cmdeploy/src/cmdeploy/service/echobot.service.f
@@ -13,6 +13,12 @@ Group=echobot
 # Create /var/lib/echobot
 StateDirectory=echobot
 
+# Create /run/echobot
+#
+# echobot stores /run/echobot/password
+# with a password there, which doveauth then reads.
+RuntimeDirectory=echobot
+
 WorkingDirectory=/var/lib/echobot
 
 # Apply security restrictions suggested by
@@ -24,7 +30,10 @@ NoNewPrivileges=true
 PrivateDevices=true
 PrivateMounts=true
 PrivateTmp=true
-PrivateUsers=true
+
+# We need to know about doveauth user to give it access to /run/echobot/password
+PrivateUsers=false
+
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHostname=true
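Review bot: `from pathlib import Path` lands in the third-party group under `deltachat_rpc_client`, and `import subprocess` breaks the alphabetical order of the stdlib group above it; both are standard-library modules and belong next to `import os` / `import sys`. Moving them keeps the stdlib / third-party / local grouping the file already follows.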
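Review bot: `Path("/run/echobot/password").write_text(password)` creates the file with the process umask, and the `setfacl` grant runs only afterwards; unless the unit sets a restrictive `UMask=` (not visible in this patch), the systemd default of 0022 makes the secret world-readable from the moment it is written, so the ACL does not actually limit who can read it. Create the file with an explicit 0600 mode before writing and let `setfacl` add the vmail entry (`-m` recomputes the ACL mask, so the named-user entry stays effective); `os` is already imported in this module. Rewriting the file on every start is fine, but the brief truncated-and-empty window is why doveauth's handling of an empty password file matters. The same permission concern applies to the RuntimeDirectory hunk in echobot.service.f. main starts outside the hunk.
```python
    # Create password file. Open it 0600 before writing so the secret is never
    # world-readable; vmail is granted read access by the setfacl call below.
    if bot.is_configured():
        password = bot.account.get_config("mail_pw")
    else:
        password = create_newemail_dict(config)["password"]
    fd = os.open("/run/echobot/password", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(password)
    # … unchanged: setfacl call and bot configuration …
```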
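Review bot: The new comment above `RuntimeDirectory=echobot` says what is stored there but not the permission model the design relies on: systemd creates the runtime directory 0755 by default, which vmail needs in order to traverse to the file, so confidentiality of the password rests solely on the file's own mode plus the ACL echobot sets after writing. Extend the comment to say that access for vmail is granted by a per-file ACL, not by the directory mode, and if no `UMask=` is set elsewhere in the unit (not visible here) consider adding `UMask=0077` next to this line so the file is private from creation, assuming nothing outside the service needs to read echobot's state files.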
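Review bot: The comment on `PrivateUsers=false` gives the reason but not the cost, and it is the cost a future maintainer needs when deciding whether to re-enable it: dropping the user namespace for the whole service means a compromised echobot process sees and acts on real host uids rather than an isolated mapping, and the only thing requiring that is `setfacl` resolving the vmail uid inside the sandbox. Suggest `# PrivateUsers=true would leave the vmail uid unmapped inside the service's user namespace, so setfacl could not grant it access to /run/echobot/password; disabling it weakens sandboxing for the whole service.` If the grant can later be performed outside the sandbox, the hardening could be restored, which this hunk does not settle.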