I always prefer standalone daemons, and as we see, the tendency is that most servers run as standalone (apache, vsftpd, ssh...). At the beginning they had an (x)inetd version and later removed it... IMHO IP/TCP filtering should be done in a firewall, or some filtering can be implemented in the standalone server too.. but this is just my 2c :-)
Timo Sirainen wrote:
I was just thinking how they could be easily supported. This would work, right? :
imap stream tcp nowait root /usr/sbin/tcpd /usr/local/libexec/dovecot/imap-login
imaps stream tcp nowait root /usr/sbin/tcpd /usr/local/libexec/dovecot/imap-login --ssl
imap-login would try to connect to master process using some named socket. If it couldn't, it would create the master process itself. Master process would work as usual (executes auth and imap processes), except it wouldn't be executing login processes.
This wouldn't require much code changing, and it would still be using all the same privilege separations as the standalone version, so it would be just as secure.
Only thing I'm wondering is if any of the TCP wrappers care about the created child processes? The master process would have to stay alive after the connection that created it dies.
I guess I'll implement this soon and try if it works.
-- Levente "Si vis pacem para bellum!"
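
The connect-or-spawn idea discussed in this thread, as an added C sketch (not Dovecot code and not from either poster): a login process tries the named socket, and if no master answers it binds the socket itself and double-forks a master that leaves the inetd/tcpd session and closes the client connection on fds 0-2, so it survives the connection that created it. The socket path, the one-byte greeting and the idle timeout are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical master (not Dovecot code): greets clients, exits when idle. */
static void master_loop(int lfd, const char *path, int idle_sec) {
    for (;;) {
        fd_set r; FD_ZERO(&r); FD_SET(lfd, &r);
        struct timeval tv = { idle_sec, 0 };
        if (select(lfd + 1, &r, NULL, NULL, &tv) <= 0) break;
        int c = accept(lfd, NULL, NULL);
        if (c >= 0) { send(c, "M", 1, MSG_NOSIGNAL); close(c); }
    }
    unlink(path); _exit(0);              /* remove the socket so the next login respawns */
}
static int try_connect(const struct sockaddr_un *sa) {
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0 && connect(fd, (const struct sockaddr *)sa, sizeof *sa) != 0) { close(fd); fd = -1; }
    return fd;
}
int connect_or_spawn(const char *path, int idle_sec, int *spawned) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    int lfd, fd = try_connect(&sa);
    *spawned = 0;                        /* set to 1 only if this call starts the master */
    if (fd >= 0 || (lfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return fd;
    mode_t old = umask(077);             /* socket reachable only by its owner */
    int ok = bind(lfd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(lfd, 16) == 0;
    umask(old);
    if (!ok) { close(lfd); return try_connect(&sa); } /* someone else bound it first */
    pid_t pid = fork();
    if (pid < 0) { close(lfd); unlink(path); return -1; }
    if (pid == 0) {
        if (fork() != 0) _exit(0);       /* double fork: master is reparented to init */
        setsid();                        /* leave the session of inetd/tcpd */
        for (int i = 0; i < 3; i++) close(i); /* do not hold the client's connection open */
        master_loop(lfd, path, idle_sec);
    }
    waitpid(pid, NULL, 0);               /* reaps the intermediate child, not the master */
    close(lfd); *spawned = 1;
    return try_connect(&sa);             /* socket is already listening, so no startup race */
}
int main(void) {
    int spawned, fd = connect_or_spawn("/tmp/example-master.sock", 2, &spawned);
    return printf("connected=%d spawned=%d\n", fd >= 0, spawned) < 0;
}
```

Because the socket is bound before the fork, a second login process that starts at the same moment fails its own bind() and falls back to connecting. A stale socket file left by a crashed master is not cleaned up here; doing that safely needs a lock.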