[Dovecot] saslauthd/dovecot/root
Timo Sirainen
tss at iki.fi
Sun Oct 16 18:17:40 EEST 2005
On Thu, 2005-10-06 at 14:59 +0100, Andrew Instone-Cowie wrote:
> But if I try to authenticate as root with the correct password (which I
> still want NOT to work!), Dovecot still refuses IMAP access, and puts
> this in the maillog:
>
> Oct 5 14:16:18 hadrian dovecot: Logins with UID 0 not permitted (user root)
> Oct 5 14:16:18 hadrian imap-login: Internal login failure: root [127.0.0.1]
>
> But saslauthd seems to treat this as a successful authentication and
> still allows root to relay email!
>
> So: Dovecot problem or saslauthd problem?

Well.. It happens because internally Dovecot works by first checking
that the password is valid. At this point there are no UID checks yet. Since
the password is valid, Dovecot returns successful authentication. Only
after that Dovecot checks the userdb information where the UID
restrictions are. But at this point IMAP has already sent the "OK" reply to
the client, and RIMAP authentication correctly assumes the authentication
was valid.

I'm not really sure if there's a good way to solve this. I'd rather not
add more hardcoded root-checks to the code.

With 1.0alpha3 you could add root to a deny passdb and it would fail
before even checking the passwd file.
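
The ordering described in the message above, as an added example that is not part of the original post and is not Dovecot or saslauthd code: a simplified Python model in which the password check produces the "OK" before the userdb UID check runs, and a deny list consulted first makes the same login fail. The function names, accounts and passwords are constructed for illustration.

```python
# Simplified model of the login ordering described in the message above.
# Not Dovecot or saslauthd code; all names and sample data are constructed.

PASSWORDS = {"root": "r00tpw", "alice": "alicepw"}   # constructed passdb
UIDS = {"root": 0, "alice": 1000}                    # constructed userdb


def imap_login(user, password, deny=()):
    """Return (tagged_reply, session_started, log_lines) for one LOGIN."""
    log = []
    # Deny passdb (the 1.0alpha3 option from the message): checked first,
    # before any password is verified.
    if user in deny:
        log.append(f"deny passdb matched (user {user})")
        return "NO", False, log
    # Step 1: passdb lookup. Only the password is verified, no UID check.
    if PASSWORDS.get(user) != password:
        return "NO", False, log
    reply = "OK"  # in this model the tagged OK is already sent at this point
    # Step 2: userdb lookup. The UID restriction is applied only now.
    if UIDS[user] == 0:
        log.append(f"Logins with UID 0 not permitted (user {user})")
        return reply, False, log
    return reply, True, log


def rimap_verify(user, password, deny=()):
    """Model of a RIMAP-style verifier: it acts only on the tagged reply."""
    reply, _session, _log = imap_login(user, password, deny)
    return reply == "OK"


if __name__ == "__main__":
    # Without a deny entry root gets "OK" but no session; with one, "NO".
    for deny in ((), ("root",)):
        reply, session, log = imap_login("root", "r00tpw", deny)
        accepted = rimap_verify("root", "r00tpw", deny)
        print(f"deny={deny!r}: reply={reply} session={session} "
              f"rimap_accepts={accepted} log={log}")
```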