From 36681376ffc13916cb0dd42ea9d01f9b1d936783 Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Wed, 7 Feb 2018 13:03:23 +0200 Subject: [PATCH] master: Add default_internal_group setting, defaulting to "dovecot" It's expected that this is the primary group of the default_internal_user. This group will be used to provide access to sockets that are generally required by all Dovecot processes, but aren't safe enough to be allowed completely open access from untrusted processes. --- src/master/master-settings.c | 14 ++++++++++++++ src/master/master-settings.h | 1 + 2 files changed, 15 insertions(+) diff --git a/src/master/master-settings.c b/src/master/master-settings.c index b93a6ce1ec..ab62602edf 100644 --- a/src/master/master-settings.c +++ b/src/master/master-settings.c @@ -182,6 +182,7 @@ static const struct setting_define master_setting_defines[] = { DEF(SET_STR, listen), DEF(SET_ENUM, ssl), DEF(SET_STR, default_internal_user), + DEF(SET_STR, default_internal_group), DEF(SET_STR, default_login_user), DEF(SET_UINT, default_process_limit), DEF(SET_UINT, default_client_limit), @@ -209,6 +210,7 @@ static const struct master_settings master_default_settings = { .listen = "*, ::", .ssl = "yes:no:required", .default_internal_user = "dovecot", + .default_internal_group = "dovecot", .default_login_user = "dovenull", .default_process_limit = 100, .default_client_limit = 1000, @@ -262,6 +264,16 @@ expand_user(const char **user, enum service_user_default *default_r, } } +static void +expand_group(const char **group, const struct master_settings *set) +{ + /* $variable expansion is typically done by doveconf, but these + variables can come from built-in settings, so we need to expand + them here */ + if (strcmp(*group, "$default_internal_group") == 0) + *group = set->default_internal_group; +} + static bool fix_file_listener_paths(ARRAY_TYPE(file_listener_settings) *l, pool_t pool, const struct master_settings *master_set, 
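Review bot: `expand_group()` only substitutes when the whole string equals `$default_internal_group`, yet the call added in `master_settings_verify()` passes `service->extra_groups`, whose plural name suggests it can hold more than one group. If that field is a list, a value that names the token alongside another group would keep the literal token, and the service would then either fail group lookup or run without the intended group, depending on code not shown here. Either expand per list element or state the limit in the helper's comment, e.g. `/* only a value that is exactly "$default_internal_group" is expanded; it is not recognised inside a list */`. `expand_group()` is fully inside this hunk; the `master_settings_verify()` call sits in a later hunk whose function body continues outside it.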
@@ -284,6 +296,7 @@ fix_file_listener_paths(ARRAY_TYPE(file_listener_settings) *l, } expand_user(&set->user, &user_default, master_set); + expand_group(&set->group, master_set); if (*set->path != '/') { set->path = p_strconcat(pool, master_set->base_dir, "/", set->path, NULL); @@ -478,6 +491,7 @@ master_settings_verify(void *_set, pool_t pool, const char **error_r) } } expand_user(&service->user, &service->user_default, set); + expand_group(&service->extra_groups, set); service_set_login_dump_core(service); } set->protocols_split = p_strsplit_spaces(pool, set->protocols, " "); diff --git a/src/master/master-settings.h b/src/master/master-settings.h index 5bba84d2fa..1096d15733 100644 --- a/src/master/master-settings.h +++ b/src/master/master-settings.h @@ -12,6 +12,7 @@ struct master_settings { const char *listen; const char *ssl; const char *default_internal_user; + const char *default_internal_group; const char *default_login_user; unsigned int default_process_limit; unsigned int default_client_limit;
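Review bot: The `default_internal_group` field is added without a comment, so the trust assumption behind it lives only in the commit message: membership in this group is what grants access to sockets that are not meant for untrusted processes. I would document that at the declaration, e.g. `/* primary group of default_internal_user; members can reach internal sockets, so keep it limited to Dovecot's own processes */`. None of the hunks shown checks that the group exists or is in fact the primary group of `default_internal_user`; if no such check exists elsewhere, `master_settings_verify()` looks like the place for it, though most of its body is outside this diff. The struct definition continues outside the hunk.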