author | cinap_lenrek <cinap_lenrek@felloff.net> | 2019-09-21 23:36:44 +0200 |
---|---|---|
committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2019-09-21 23:36:44 +0200 |
commit | 71a1d11a81faba020649408e8c9eaeb10095a341 (patch) | |
tree | a6bd0c245ad0beba3235ec268cf342da3182fb7e /sys/src | |
parent | 5993760e143bfab2a29fa3d5a4655ed5842fd21f (diff) |
cmd/ip/*: chown the network connection after authentication
for servers that handle incoming network connections and authentication,
change the owner of the network connection file to the authenticated user
after successful authentication.
note that we set the permissions as well to 0660 because old devip used
to unconditionally set the bits.
Diffstat (limited to 'sys/src')
-rw-r--r-- | sys/src/cmd/cpu.c | 15 | ||||
-rw-r--r-- | sys/src/cmd/exportfs/exportfs.c | 7 | ||||
-rw-r--r-- | sys/src/cmd/ip/cifsd/smb.c | 7 | ||||
-rw-r--r-- | sys/src/cmd/ip/ftpd.c | 9 | ||||
-rw-r--r-- | sys/src/cmd/ip/rexexec.c | 9 | ||||
-rw-r--r-- | sys/src/cmd/ip/telnetd.c | 14 | ||||
-rw-r--r-- | sys/src/cmd/tlssrv.c | 15 | ||||
-rw-r--r-- | sys/src/cmd/upas/imap4d/auth.c | 10 | ||||
-rw-r--r-- | sys/src/cmd/upas/pop3/pop3.c | 6 |
9 files changed, 84 insertions, 8 deletions
diff --git a/sys/src/cmd/cpu.c b/sys/src/cmd/cpu.c
index d38d71740..985325022 100644
--- a/sys/src/cmd/cpu.c
+++ b/sys/src/cmd/cpu.c
@@ -458,6 +458,19 @@ readln(char *buf, int n)
 }
 /*
+ * chown network connection
+ */
+static void
+setnetuser(int fd, char *user)
+{
+ Dir nd;
+ nulldir(&nd);
+ nd.mode = 0660;
+ nd.uid = user;
+ dirfwstat(fd, &nd);
+}
+
+/*
 * user level challenge/response
 */
 static int
@@ -517,6 +530,7 @@ netkeysrvauth(int fd, char *user)
 writestr(fd, "", "challenge", 1);
 if(auth_chuid(ai, 0) < 0)
 fatal("newns: %r");
+ setnetuser(fd, ai->cuid);
 auth_freeAI(ai);
 return fd;
 }
@@ -628,6 +642,7 @@ srvp9auth(int fd, char *user)
 return -1;
 if(auth_chuid(ai, nil) < 0)
 fatal("newns: %r");
+ setnetuser(fd, ai->cuid);
 snprint(user, MaxStr, "%s", ai->cuid);
 fd = sslsetup(fd, ai->secret, ai->nsecret, 0);
 auth_freeAI(ai);
diff --git a/sys/src/cmd/exportfs/exportfs.c b/sys/src/cmd/exportfs/exportfs.c
index 7fac15ba3..275151a6c 100644
--- a/sys/src/cmd/exportfs/exportfs.c
+++ b/sys/src/cmd/exportfs/exportfs.c
@@ -187,6 +187,13 @@ main(int argc, char **argv)
 fatal("exportfs by none disallowed");
 if(auth_chuid(ai, nsfile) < 0)
 fatal("auth_chuid: %r");
+ else { /* chown network connection */
+ Dir nd;
+ nulldir(&nd);
+ nd.mode = 0660;
+ nd.uid = ai->cuid;
+ dirfwstat(0, &nd);
+ }
 putenv("service", "exportfs");
 }
diff --git a/sys/src/cmd/ip/cifsd/smb.c b/sys/src/cmd/ip/cifsd/smb.c
index 912925e00..d0917ddca 100644
--- a/sys/src/cmd/ip/cifsd/smb.c
+++ b/sys/src/cmd/ip/cifsd/smb.c
@@ -122,6 +122,13 @@ smbsessionsetupandx(Req *r, uchar *h, uchar *p, uchar *e)
 }
 if(auth_chuid(ai, nil) < 0)
 logit("auth_chuid: %r");
+ else { /* chown network connection */
+ Dir nd;
+ nulldir(&nd);
+ nd.mode = 0660;
+ nd.uid = ai->cuid;
+ dirfwstat(0, &nd);
+ }
 auth_freeAI(ai);
 auth_freechal(smbcs);
 smbcs = nil;
diff --git a/sys/src/cmd/ip/ftpd.c b/sys/src/cmd/ip/ftpd.c
index 1aa395b89..df91065bb 100644
--- a/sys/src/cmd/ip/ftpd.c
+++ b/sys/src/cmd/ip/ftpd.c
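Review bot: `setnetuser` in cpu.c throws away the result of `dirfwstat(fd, &nd)`, so a refused wstat leaves the connection file with its previous owner and mode while the server carries on as if the hand-over had happened. The call also runs only after `auth_chuid` has switched identity, so it presumably relies on the kernel permitting the wstat at that point; nothing in this diff shows that. Suggest declaring the helper `static int` and ending it with `return dirfwstat(fd, &nd);` so callers can log a failure, or stating in the comment that the call is deliberately best-effort. The same unchecked call is in the inline copies in exportfs.c, cifsd/smb.c, ftpd.c, rexexec.c, telnetd.c, tlssrv.c, imap4d/auth.c and pop3/pop3.c.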
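Review bot: The block under `else { /* chown network connection */` in exportfs.c is the body of cpu.c's `setnetuser` pasted inline, and the same copy recurs in cifsd/smb.c, ftpd.c, rexexec.c, telnetd.c, tlssrv.c, imap4d/auth.c and pop3/pop3.c. With that many copies of an ownership and permission change, a later correction (a different mode, error handling) has to be made in every server and is easy to miss in one. Consider a single shared helper that takes the fd and the user name, so each call site becomes one line such as `setnetuser(0, ai->cuid);`. The `else` after `fatal("auth_chuid: %r")` also seems to exist only to open a scope for `Dir nd`, which reads as though `fatal` could return. main's body starts and ends outside the hunk.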
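Review bot: In `smbsessionsetupandx` a failed `auth_chuid` is only reported through `logit("auth_chuid: %r")` and control then falls through to `auth_freeAI(ai)` and the rest of session setup, whereas the other servers touched by this commit abort or return an error at that point. Whether the request is rejected further down is not visible in this hunk; if it is not, the session would continue under the identity the process had before authentication, and the new `else` branch merely skips the chown. Worth confirming, and failing the request here rather than only logging if nothing later does. The function starts and ends outside the hunk.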
@@ -606,6 +606,7 @@ passcmd(char *response)
 {
 char namefile[128];
 AuthInfo *ai;
+ Dir nd;
 if(response == nil)
 response = "";
@@ -632,9 +633,17 @@ passcmd(char *response)
 ch->nresp = strlen(response);
 ai = auth_response(ch);
 if(ai == nil || auth_chuid(ai, nil) < 0) {
+ auth_freeAI(ai);
 slowdown();
 return reply("530 Not logged in: %r");
 }
+ /* chown network connection */
+ nulldir(&nd);
+ nd.mode = 0660;
+ nd.uid = ai->cuid;
+ dirfwstat(0, &nd);
+
+ auth_freeAI(ai);
 auth_freechal(ch);
 ch = nil;
diff --git a/sys/src/cmd/ip/rexexec.c b/sys/src/cmd/ip/rexexec.c
index f04ea3c87..ab2b85f50 100644
--- a/sys/src/cmd/ip/rexexec.c
+++ b/sys/src/cmd/ip/rexexec.c
@@ -12,6 +12,7 @@ main(int argc, char **argv)
 char buf[8192];
 int n, nn;
 AuthInfo *ai;
+ Dir nd;
 ARGBEGIN{
 }ARGEND;
@@ -24,6 +25,14 @@ main(int argc, char **argv)
 if(auth_chuid(ai, nil) < 0)
 sysfatal("auth_chuid: %r");
+ /* chown network connection */
+ nulldir(&nd);
+ nd.mode = 0660;
+ nd.uid = ai->cuid;
+ dirfwstat(0, &nd);
+
+ auth_freeAI(ai);
+
 n = 0;
 do {
 nn = read(0, buf+n, 1);
diff --git a/sys/src/cmd/ip/telnetd.c b/sys/src/cmd/ip/telnetd.c
index cf5483a93..62d708b21 100644
--- a/sys/src/cmd/ip/telnetd.c
+++ b/sys/src/cmd/ip/telnetd.c
@@ -245,6 +245,7 @@ challuser(char *user)
 char response[64];
 Chalstate *ch;
 AuthInfo *ai;
+ Dir nd;
 if(strcmp(user, "none") == 0){
 if(nonone)
@@ -260,13 +261,20 @@ challuser(char *user)
 ch->nresp = strlen(response);
 ai = auth_response(ch);
 auth_freechal(ch);
- if(ai == nil){
+ if(ai == nil || auth_chuid(ai, nil) < 0){
 rerrstr(response, sizeof response);
 print("!%s\n", response);
+
+ auth_freeAI(ai);
 return -1;
 }
- if(auth_chuid(ai, nil) < 0)
- return -1;
+ /* chown network connection */
+ nulldir(&nd);
+ nd.mode = 0660;
+ nd.uid = ai->cuid;
+ dirfwstat(0, &nd);
+
+ auth_freeAI(ai);
 return 0;
 }
 /*
diff --git a/sys/src/cmd/tlssrv.c b/sys/src/cmd/tlssrv.c
index 274b5c6c5..cd94e03c0 100644
--- a/sys/src/cmd/tlssrv.c
+++ b/sys/src/cmd/tlssrv.c
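Review bot: The comment `/* chown network connection */` in ftpd.c's `passcmd` does not say why `nd.mode = 0660` is set next to `nd.uid`; the reason (old devip applied the mode bits unconditionally) is given only in the commit message. A reader of the source sees a permission change that the comment never mentions and cannot tell whether it is safe to drop or alter. Suggest `/* chown network connection; mode is set as well because old devip applied the mode bits unconditionally */`, here and at the other copies (cpu.c `setnetuser`, exportfs.c, cifsd/smb.c, rexexec.c, telnetd.c, tlssrv.c, imap4d/auth.c, pop3/pop3.c). passcmd's body continues outside the hunk.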
@@ -84,9 +84,18 @@ main(int argc, char *argv[])
 if(ai == nil)
 sysfatal("auth_proxy: %r");
- if(auth == 1)
- if(auth_chuid(ai, nil) < 0)
- sysfatal("auth_chuid: %r");
+ if(auth == 1){
+ Dir nd;
+
+ if(auth_chuid(ai, nil) < 0)
+ sysfatal("auth_chuid: %r");
+
+ /* chown network connection */
+ nulldir(&nd);
+ nd.mode = 0660;
+ nd.uid = ai->cuid;
+ dirfwstat(0, &nd);
+ }
 conn->pskID = "p9secret";
 conn->psk = ai->secret;
diff --git a/sys/src/cmd/upas/imap4d/auth.c b/sys/src/cmd/upas/imap4d/auth.c
index 748174f52..27174ddfb 100644
--- a/sys/src/cmd/upas/imap4d/auth.c
+++ b/sys/src/cmd/upas/imap4d/auth.c
@@ -63,9 +63,15 @@ setupuser(AuthInfo *ai)
 if(ai){
 strecpy(username, username + sizeof username, ai->cuid);
-
- if(auth_chuid(ai, nil) == -1)
+ if(auth_chuid(ai, nil) < 0)
 bye("user auth failed: %r");
+ else { /* chown network connection */
+ Dir nd;
+ nulldir(&nd);
+ nd.mode = 0660;
+ nd.uid = ai->cuid;
+ dirfwstat(Bfildes(&bin), &nd);
+ }
 auth_freeAI(ai);
 }else
 strecpy(username, username + sizeof username, getuser());
diff --git a/sys/src/cmd/upas/pop3/pop3.c b/sys/src/cmd/upas/pop3/pop3.c
index 55f9d1b84..d26a407ee 100644
--- a/sys/src/cmd/upas/pop3/pop3.c
+++ b/sys/src/cmd/upas/pop3/pop3.c
@@ -768,6 +768,12 @@ dologin(char *response)
 if(auth_chuid(ai, nil) < 0){
 senderr("chuid failed: %r; server exiting");
 exits(nil);
+ } else { /* chown network connection */
+ Dir nd;
+ nulldir(&nd);
+ nd.mode = 0660;
+ nd.uid = ai->cuid;
+ dirfwstat(Bfildes(&in), &nd);
 }
 auth_freeAI(ai);
 auth_freechal(chs); |