[Dovecot] dovecot.index mtime
Benjamin R. Haskell
dovecot at benizi.com
Mon Nov 12 17:31:22 EET 2007
On Mon, 12 Nov 2007, pod wrote:
>>>>>> "BH" == Benjamin R Haskell <dovecot at benizi.com> writes:
>
> >> Can I just touch the dovecot.index instead?
>
> BH> Maybe. Not sure what environment variable holds its location,
> BH> though. And I'm not 100% sure it always exists or whether you'd
> BH> have to special-case the first-time login. (Will 'touch' creating
> BH> a zero-length index cause trouble for dovecot? I suspect not.)
>
> Also be aware that the script is not being run with the uid of the user -
> it is /usr/libexec/dovecot/imap that drops privs - so touching the index
> file if it does not already exist may cause problems later when the user
> process wants to update the index file.
Thanks for pointing that out. I'd been testing by running:
dovecot --exec-mail imap
which runs as the current user. (Didn't realize that.)
You could also use mail_drop_priv_before_exec in dovecot.conf (with the
caveats in the comments):
# Drop all privileges before exec()ing the mail process. This is mostly
# meant for debugging, otherwise you don't get core dumps. It could be a small
# security risk if you use single UID for multiple users, as the users could
# ptrace() each others processes then.
mail_drop_priv_before_exec = yes
Or, probably better, you could put the last login information in a common
directory, rather than the user's home directory (which would also make
the cron job easier, I suspect).
> If you have sessreg from the X11 distribution you could also try:
>
> #!/bin/sh
> if test -z "$DUMP_CAPABILITY"; then
> /usr/bin/sessreg -a -L /var/log/lastlog -u none -w none -l imap -h "$IP" "$USER"
> fi
> exec /usr/libexec/dovecot/imap
>
> to put an entry into /var/log/lastlog (though note you need two scripts
> for both IMAP and POP logins).
Since you're not doing anything protocol-specific (like echo "* OK [ALERT]
Blah"), you could use the symlink trick to only require one script:
ln -s /path/script /path/imap
ln -s /path/script /path/pop3
Then replace the exec with:
exec /usr/libexec/dovecot/`basename $0`
> >> Also, I am bit confused. Why must the script exec imap?
>
> It doesn't _have_ to. It's a micro-optimisation. If the script did not
> exec the user imap process then a /bin/sh process would be sitting around
> waiting for the user imap process to exit and when it did then the /bin/sh
> process would itself just exit.
Ah. In my other email I took the question to mean "Why must the script run
imap?", but I bet this is what Matt meant.
Best,
Ben
More information about the dovecot
mailing list