On 13/10/2010 13:14, Denny Lin wrote:
> Hi,
> I'm using Dovecot 1.2.14, and I've read PostLoginScripting on the wiki.
> Is there any way to make Dovecot use the same username/password for database access as userdb and passdb queries? Specifying the password with -p doesn't seem like a good idea, so I'm wondering if it can be handled by Dovecot directly.
> Or is it possible to track last logins with a plugin similar to quota?
So you have read here: http://wiki.dovecot.org/PostLoginScripting
What are you trying to defend against that isn't covered here?
If your risk is that the user compromises the login process and can see the login script, then why not create a separate user who only has permission to touch the "last_login" table? If that's not enough then drop all that into a script and remove permissions from the script (I think chmod -r+x works?).
One step up might be to a) create a new user b) grant that user ONLY access to a stored proc c) now their only ability to influence the database is to call the stored proc which is itself only allowed to insert rows. Difficult to imagine how you could lock down tighter than this AND it doesn't require per-user permissions?
I think unless you enforce row level AND table level security you won't defend against someone using a per user password anyway (you need to give everyone access to the last_logins table - what stops them wiping out other users rows simply because they are logged in as them?).
Ed W
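The "dedicated user that can only call an insert-only stored procedure" setup described above, written out as an added example for MySQL/MariaDB. This is not code from the thread or from Dovecot; it assumes a database named `mail`, a low-privilege account `lastlogin`@`localhost` used only by the post-login script, and that the script is run by an administrator account that already owns the `mail` database. The table is append-only (one row per login) so that the caller has no way to overwrite or delete other users' rows, which is the concern raised in the last paragraph.

```sql
-- Added example (not from the thread). Run as a privileged admin account.
USE mail;

-- One row per login, never updated: a compromised caller can add rows but
-- cannot touch anyone else's history.
CREATE TABLE IF NOT EXISTS last_login (
    id         BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username   VARCHAR(255)    NOT NULL,
    login_time TIMESTAMP       NOT NULL DEFAULT CURRENT_TIMESTAMP,
    remote_ip  VARCHAR(45)     NULL,        -- long enough for IPv6 text form
    INDEX idx_user_time (username, login_time)
);

DELIMITER $$
-- SQL SECURITY DEFINER: the body runs with the privileges of the account that
-- created the procedure, so the caller needs no privileges on the table itself.
-- The body contains exactly one INSERT; there is no UPDATE or DELETE to abuse.
CREATE PROCEDURE record_last_login(IN p_user VARCHAR(255), IN p_ip VARCHAR(45))
    SQL SECURITY DEFINER
BEGIN
    INSERT INTO last_login (username, remote_ip) VALUES (p_user, p_ip);
END$$
DELIMITER ;

-- The account the post-login script connects as. It gets EXECUTE on this one
-- procedure and nothing else: no SELECT, INSERT, UPDATE or DELETE on any table.
-- 'replace-with-a-real-password' is a placeholder.
CREATE USER 'lastlogin'@'localhost' IDENTIFIED BY 'replace-with-a-real-password';
GRANT EXECUTE ON PROCEDURE mail.record_last_login TO 'lastlogin'@'localhost';
FLUSH PRIVILEGES;

-- What the post-login script would issue (values shown are constructed):
CALL mail.record_last_login('alice@example.org', '192.0.2.10');

-- Quick check that the lock-down holds: connected as lastlogin@localhost,
-- each of these should fail with an "access denied" error.
-- SELECT * FROM mail.last_login;
-- DELETE FROM mail.last_login WHERE username = 'bob@example.org';
```

From the post-login script the only statement needed is the `CALL`, with the username and client address taken from the environment Dovecot passes to the script (the wiki page lists the variables; `USER` and `IP` are assumed here). Because the caller's privileges are limited to `EXECUTE` on one procedure, a per-user database password buys nothing extra, which is the point made in the last paragraph: the restriction lives in the procedure body and the grant, not in who the caller is.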