Authenticate echobot by passing /run/echobot/password to doveauth

2024-05-04 14:57:37 +00:00 · 2024-05-04 14:57:37 +00:00 · e1b1a945b1
commit e1b1a945b1
parent 0493e27312
3 changed files with 38 additions and 4 deletions
--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@ -4,6 +4,7 @@ import time
 import sys
 import json
 import crypt
+from pathlib import Path
 from socketserver import (
    UnixStreamServer,
    StreamRequestHandler,
@ -86,11 +87,18 @@ def lookup_userdb(db, config: Config, user):

 def lookup_passdb(db, config: Config, user, cleartext_password):
    if user == f"echo@{config.mail_domain}":
+        # Echobot writes password it wants to log in with into /run/echobot/password
+        try:
+            password = Path("/run/echobot/password").read_text()
+        except Exception:
+            logging.exception("Exception when trying to read /run/echobot/password")
+            return None
+
        return dict(
            home=f"/home/vmail/mail/{config.mail_domain}/echo@{config.mail_domain}",
            uid="vmail",
            gid="vmail",
-            password=encrypt_password("eiPhiez0eo8raighoh0C"),  # FIXME read from config
+            password=encrypt_password(password),
        )

    with db.write_transaction() as conn:
--- a/chatmaild/src/chatmaild/echo.py
+++ b/chatmaild/src/chatmaild/echo.py
@ -7,10 +7,13 @@ it will echo back any message that has non-empty text and also supports the /hel
 import logging
 import os
 import sys
+import subprocess

 from deltachat_rpc_client import Bot, DeltaChat, EventType, Rpc, events
+from pathlib import Path

 from chatmaild.config import read_config
+from chatmaild.newemail import create_newemail_dict

 hooks = events.HookCollection()

@ -75,9 +78,23 @@ def main():
        account = accounts[0] if accounts else deltachat.add_account()

        bot = Bot(account, hooks)
+
+        config = read_config(sys.argv[1])
+
+        # Create password file
+        if bot.is_configured():
+            password = bot.account.get_config("mail_pw")
+        else:
+            password = create_newemail_dict(config)["password"]
+        Path("/run/echobot/password").write_text(password)
+
+        # Give the user which doveauth runs as access to the password file.
+        subprocess.run(
+            ["/usr/bin/setfacl", "-m", "user:vmail:r", "/run/echobot/password"],
+            check=True,
+        )
+
        if not bot.is_configured():
-            config = read_config(sys.argv[1])
-            password = "eiPhiez0eo8raighoh0C"  # FIXME read from config
            email = "echo@" + config.mail_domain
            bot.configure(email, password)
        bot.run_forever()
--- a/cmdeploy/src/cmdeploy/service/echobot.service.f
+++ b/cmdeploy/src/cmdeploy/service/echobot.service.f
@ -13,6 +13,12 @@ Group=echobot
 # Create /var/lib/echobot
 StateDirectory=echobot

+# Create /run/echobot
+#
+# echobot stores /run/echobot/password
+# with a password there, which doveauth then reads.
+RuntimeDirectory=echobot
+
 WorkingDirectory=/var/lib/echobot

 # Apply security restrictions suggested by
@ -24,7 +30,10 @@ NoNewPrivileges=true
 PrivateDevices=true
 PrivateMounts=true
 PrivateTmp=true
-PrivateUsers=true
+
+# We need to know about doveauth user to give it access to /run/echobot/password
+PrivateUsers=false
+
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHostname=true