[Dovecot] New userdb backend for checkpassword like programs
Timo Sirainen
tss at iki.fi
Mon Oct 20 21:04:31 EEST 2008
On Oct 20, 2008, at 8:57 PM, Sascha Wilde wrote:
> Timo Sirainen <tss at iki.fi> writes:
>
>> On Oct 20, 2008, at 8:00 PM, Sascha Wilde wrote:
>>
>>> My solution:
>>>
>>> 1. The userdb-only checkpassword script sees no AUTHORIZED in the
>>> environment and returns with an exit code != 0[0]
>>
>> You assume that the script actually checks this.
>
> More than that, I defined that it MUST do so.
> As you said, it's a new variant, so _we_ can define how it has to
> behave.
People are badly behaving :) There's nothing that's technically
forcing them to check that.
>> There's no requirement that a userdb-only script needs to bother
>> doing
>> it. The use of AUTHORIZED environment is necessary only if the script
>> wants to handle both passdb and userdb.
>
> But you are requiring the userdb-only checkpassword program to set
> AUTHORIZED (or any other environment variable) to a specific value.
> Why
> should a developer ignoring my requirement bother to obey yours?
If you aren't changing AUTHORIZED environment to a specific value, the
userdb lookup will fail because checkpassword-reply sees that it's not
set correctly. So the handling goes like:
1) userdb lookup: userdb-only checkpassword script setting
AUTHORIZED=2 -> checkpassword returns 2 -> dovecot-auth assumes ok
2) passdb lookup: userdb-only checkpassword script setting
AUTHORIZED=2 -> checkpassword returns 2 -> dovecot-auth fails the
passdb lookup
3) userdb lookup: passdb-only checkpassword script doesn't set
AUTHORIZED=2 -> checkpassword returns 0 -> dovecot-auth fails the
userdb lookup
4) passdb lookup: passdb-only checkpassword script doesn't set
AUTHORIZED=2 -> checkpassword returns 0 -> dovecot-auth assumes ok
All of this forces the checkpassword script developer to either
handle the AUTHORIZED environment correctly or it doesn't work at
all. And it prevents the admin from accidentally using the script wrong.
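As an added example, not code from this thread or from Dovecot itself: a small POSIX shell model of the four cases above, with constructed stand-ins for checkpassword-reply and dovecot-auth, assuming (from the Dovecot checkpassword documentation, not this message) that dovecot-auth exports AUTHORIZED=1 when it runs the script for a userdb lookup.

```shell
#!/bin/sh
# Constructed stand-ins (not Dovecot's code) for the exit-status handshake.
# Rule from the message: userdb lookup needs exit 2, passdb lookup needs exit 0.

# Stand-in for checkpassword-reply: exit 2 if the script set AUTHORIZED=2,
# exit 0 otherwise (the real binary also writes the reply fields).
checkpassword_reply() {
    if [ "${AUTHORIZED:-}" = "2" ]; then
        return 2
    fi
    return 0
}

# Userdb-only script: sets AUTHORIZED=2 and hands over to the reply helper.
userdb_only_script() {
    (export AUTHORIZED=2; checkpassword_reply)
}

# Passdb-only script: leaves AUTHORIZED alone (a real one would verify the
# password first and only then run the reply helper).
passdb_only_script() {
    checkpassword_reply
}

# Stand-in for dovecot-auth: $1 = lookup type (userdb|passdb), $2 = script.
# Assumption: AUTHORIZED=1 is exported only for userdb lookups.
# Prints "ok" or "fail" according to the exit-status rule above.
dovecot_auth() {
    lookup=$1
    script=$2
    if [ "$lookup" = userdb ]; then
        if (export AUTHORIZED=1; "$script"); then status=0; else status=$?; fi
    else
        if (unset AUTHORIZED; "$script"); then status=0; else status=$?; fi
    fi
    case "$lookup:$status" in
        userdb:2|passdb:0) echo ok ;;
        *)                 echo fail ;;
    esac
}

# The four combinations from the message: only the matching pairs succeed.
for lookup in userdb passdb; do
    for script in userdb_only_script passdb_only_script; do
        echo "$lookup lookup with $script: $(dovecot_auth "$lookup" "$script")"
    done
done
```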