[Dovecot] Last login tracking with login_executable
Ed W
lists at wildgooses.com
Thu Oct 14 11:55:50 EEST 2010
On 13/10/2010 13:14, Denny Lin wrote:
> Hi,
>
> I'm using Dovecot 1.2.14, and I've read PostLoginScripting on the wiki.
>
> Is there any way to make Dovecot use the same username/password for
> database access as userdb and passdb queries? Specifying the password
> with -p doesn't seem like a good idea, so I'm wondering if it can be
> handled by Dovecot directly.
>
> Or is it possible to track last logins with a plugin similar to quota?
>
So you have read here:
http://wiki.dovecot.org/PostLoginScripting

What are you trying to defend against that this isn't covered here?

If your risk is that the user compromises the login process and can see
the login script then why not create a separate user who only has
permission to touch the "last_login" table. If that's not enough then
drop all that into a script and remove permissions from the script (I
think chmod -r+x works?).

One step up might be to a) create a new user b) grant that user ONLY
access to a stored proc c) now their only ability to influence the
database is to call the stored proc which is itself only allowed to
insert rows. Difficult to imagine how you could lock down tighter than
this AND it doesn't require per-user permissions?

I think unless you enforce row level AND table level security you won't
defend against someone using a per user password anyway (you need to
give everyone access to the last_logins table - what stops them wiping
out other users' rows simply because they are logged in as them?).
Ed W
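A concrete version of the stored-procedure layout described in the reply above, as an added example that is not part of the thread and not Dovecot's own code. It is written for MySQL, and the database, table, procedure and account names (mailstats, last_login, record_login, dovecot_postlogin) are all assumptions; the password is a placeholder.

```sql
-- Added example (not from the thread): one database account that can do
-- nothing but call a procedure which can do nothing but INSERT.
-- Run this block as an administrative MySQL account.
CREATE DATABASE IF NOT EXISTS mailstats;
USE mailstats;

CREATE TABLE last_login (
  id        BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(255) NOT NULL,
  remote_ip VARCHAR(45)  NOT NULL,   -- wide enough for the IPv6 text form
  logged_at TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP,
  KEY (username, logged_at)
);

-- SQL SECURITY DEFINER makes the procedure run with the rights of the
-- account that created it (the admin above), so the caller needs no
-- privilege on last_login at all. The body only inserts: a caller has no
-- path to UPDATE or DELETE anyone's rows, their own included.
DELIMITER $$
CREATE PROCEDURE record_login(
  IN p_username  VARCHAR(255),
  IN p_remote_ip VARCHAR(45))
SQL SECURITY DEFINER
BEGIN
  INSERT INTO last_login (username, remote_ip)
  VALUES (p_username, p_remote_ip);
END$$
DELIMITER ;

-- Dedicated account for the post-login script (assumed name). It is granted
-- EXECUTE on this one procedure and nothing else: no SELECT, INSERT, UPDATE
-- or DELETE on the table, so the table-level lockdown needs no per-user grants.
CREATE USER 'dovecot_postlogin'@'localhost' IDENTIFIED BY 'CHANGE-ME-placeholder';
GRANT EXECUTE ON PROCEDURE mailstats.record_login
  TO 'dovecot_postlogin'@'localhost';

-- Sanity check, run while connected as dovecot_postlogin (constructed values):
--   CALL record_login('alice', '192.0.2.10');         -- succeeds
--   DELETE FROM last_login WHERE username = 'alice';  -- fails: command denied
--   SELECT * FROM last_login;                         -- fails: command denied
```

The post-login script then only needs a `CALL record_login(...)` through the `mysql` client, and the account's password can live in a `--defaults-extra-file` readable solely by the Dovecot user instead of being passed with `-p` on the command line.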