[Dovecot] Userdb passwd and 'nologin' users

Ben Morrow ben at morrow.me.uk
Fri Feb 1 00:35:42 EET 2013


I am running Dovecot with system users (userdb passwd), but some of
those users don't have shell accounts on the IMAP server so their shell
on that machine is set to /usr/sbin/nologin. Currently I am using
maildirs and this is not a problem, but I am in the process of switching
to dbox which means I will need a cronjob running 'doveadm purge -A'.

During testing I found that those users with a 'nologin' shell are not
included in the list returned by the userdb iterator, and that the
iterator doesn't honour the first/last_valid_uid settings. This
inconsistency seems undesirable, so the attached patch

    - makes lookup perform the same checks as iteration,
    - makes the 'nologin' check configurable,
    - adds a new optional check that the user owns their home directory.

The last check was the one performed by qmail, and seems to me to be a
more reliable 'is this a real user' check than a nologin shell.

If this patch is applied, the release notes for the next release should
probably mention that system users with a 'nologin' shell will no longer
be allowed to log in to IMAP until the 'auth_check_nologin' setting is
changed from true to false.

Also, there seem to be two first/last_valid_uid settings:
first_valid_uid itself, which is honoured by the storage subsystem, and
auth_first_valid_uid, which is honoured by the 'passwd' userdb. Is this
intentional?

Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: userdb-passwd-nologin.patch
Type: text/x-diff
Size: 4203 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20130131/afec23bb/attachment-0002.bin>


More information about the dovecot mailing list