On 25.08.10 15:03, Timo Sirainen wrote:
> The group way I mentioned would avoid problems with them, but of course not security problems related to Dovecot processes themselves.
There are users with shell access to the Dovecot server, and as long as all these users require write permissions for the dict socket, I see some potential for trouble.
> the whole point of expire database is that a single command can quickly see what users have mails to expunge. So this needs to be a shared dictionary across users.
Does it really? I use something like this for cleanup:
    for user in $MAILUSERS; do
        doveadm expunge -u $user ...
    done
As I loop over users anyway, I don't think that a per-user dictionary would be a bad idea. "doveadm expunge -A" might be different, but I think that even with "-A" you'll need to iterate over users.
If I understand the current implementation correctly, there is one expire dictionary (one SQLite DB in my case), and the lookups are performed with a primary key consisting of username-mailbox-pairs. I suggest using one dictionary/DB per username and using only the mailbox as primary key within this dictionary.
The difference, performance-wise, would be that multiple databases need to be opened and closed, which could hurt performance on systems with a large number of users unless the DB connections are cached. Personally, I'd be inclined to accept a performance penalty if this was the price to pay for improved security by means of better user dictionary separation.
-Ralph
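
The per-user layout proposed in the message above, sketched as an added example (not part of the original post and not Dovecot's code): one SQLite file per user, private to that user, keyed by mailbox only, with the cleanup job iterating over users. The table name, file layout, and function names are hypothetical.

```python
import os
import sqlite3
import tempfile

# Hypothetical schema: the username lives in the path, so mailbox alone is the key.
SCHEMA = ("CREATE TABLE IF NOT EXISTS expires "
          "(mailbox TEXT PRIMARY KEY, expire_stamp INTEGER NOT NULL)")

def user_db_path(base, user):
    # The username becomes a path component, so refuse anything that could
    # escape the base directory or point at another user's file.
    if not user or "/" in user or "\x00" in user or user in (".", ".."):
        raise ValueError("unsafe user name: %r" % (user,))
    return os.path.join(base, user, "expire.sqlite")

def open_user_db(base, user):
    path = user_db_path(base, user)
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    # Create the file owner-only before SQLite touches it. Assumption: in a
    # real deployment the directory and file are owned by the mail user.
    os.close(os.open(path, os.O_RDWR | os.O_CREAT, 0o600))
    os.chmod(path, 0o600)
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def set_expire(base, user, mailbox, stamp):
    db = open_user_db(base, user)
    with db:  # commits on success
        db.execute("INSERT OR REPLACE INTO expires VALUES (?, ?)", (mailbox, stamp))
    db.close()

def due_mailboxes(base, users, now):
    # One open/close per user: the performance cost discussed in the message.
    due = {}
    for user in users:
        db = open_user_db(base, user)
        rows = db.execute("SELECT mailbox FROM expires WHERE expire_stamp <= ? "
                          "ORDER BY mailbox", (now,)).fetchall()
        db.close()
        if rows:
            due[user] = [r[0] for r in rows]
    return due

def demo():
    base = tempfile.mkdtemp()  # constructed sample data below
    set_expire(base, "alice", "Trash", 100)
    set_expire(base, "alice", "Spam", 500)
    set_expire(base, "bob", "Trash", 900)
    mode = os.stat(user_db_path(base, "alice")).st_mode & 0o777
    return due_mailboxes(base, ["alice", "bob"], now=600), mode
```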