On Tue, Jan 10, 2012 at 2:59 AM, Timo Sirainen tss@iki.fi wrote:
> On 7.1.2012, at 5.36, Yubao Liu wrote:
>> In the old version, "auth->passdbs" contained all passdbs; this revision changes "auth->passdbs" to contain only non-master passdbs.
>> I'm not sure which fix is better, or even whether my proposal is correct or complete: a) in src/auth/auth.c:auth_passdb_preinit(), insert the master passdb into auth->passdbs too, and remove the duplicate code for masterdbs in auth_init() and auth_deinit().

> Not a good idea. The master passdb needs to be treated specially, otherwise you might accidentally allow regular users to log in as other users.

Sorry, I don't understand well. This scheme adds all master dbs to auth->passdbs; auth->masterdbs is not changed and still contains only master users. I guess Dovecot looks up auth->masterdbs for master users and auth->passdbs for regular users; regular users don't know the master users' passwords, so they can't log in as other users.

http://wiki2.dovecot.org/Authentication/MasterUsers The "Example configuration" there already shows that a master user account can be added to auth->passdbs too.

This scheme does bring an unexpected issue: master users can't have separate passwords for regular logins as themselves (because the masterdbs are also added to passdbs), so the risk of a password leak increases a lot, but I don't think it's good practice to do regular logins with a master user account.

Quoted from the same wiki page (I really enjoy the wonderful Dovecot wiki; it's the best organized and documented wiki among open source projects, thank you very much!): "If you want master users to be able to log in as themselves, you'll need to either add the user to the normal passdb or add the passdb to dovecot.conf twice, with and without master=yes. Note that if the passdbs point to different locations, the user can have a different password when logging in as other users than when logging in as himself. This is a good idea since it can avoid accidentally logging in as someone else."

Anyway, scheme B is much less risky and much simpler, with just a little annoying code duplication :-)

>> b) add similar code for masterdbs to auth_passdb_list_have_verify_plain(), auth_passdb_list_have_lookup_credentials() and auth_passdb_list_have_set_credentials().

> Kind of annoying code duplication, but .. I guess it can't really be helped. Added: http://hg.dovecot.org/dovecot-2.0/rev/bed15faedfd4

Thank you very much; I don't have to maintain my private package :-)

>> Another related question is the "pass" option in the master passdb: if I set it to "yes", the authentication fails: .. My normal passdb is a PAM passdb; it doesn't support credential lookups, which is reasonable,

> Right.

>> but I feel the comment for the "pass" option is confusing:
>>
>> # Unless you're using PAM, you probably still want the destination user to
>> # be looked up from passdb that it really exists. pass=yes does that.
>> pass = yes
>> }
>>
>> According to the comment, it's to check whether the real user exists, so why check another passdb rather than the userdb?

> Well.. It is going to check userdb eventually anyway, so it would still fail, just a bit later and maybe with a different error message.

If Dovecot doesn't check the real user's password against the passdb (actually it doesn't have the real user's password, because it's doing master user proxy authorization), it won't fail on the userdb lookup, because the userdb does contain the real user; in my case, the real user is a system user and absolutely exists.

Even if it must check against the passdb, in this case it's obviously not necessary to look up credentials; it's enough to look up the user name only.

> There's currently no passdb that supports a "does user exist?" lookup but doesn't support credentials lookup, so this is more of a theoretical issue. (I guess maybe PAM could be abused in some configurations to do the check, but that's rather ugly..)

I don't understand why master user proxy authorization in Dovecot has to check the real user against his credentials. Does that mean "user*master" has to authenticate twice, once for the master and once for the user? Often the client can't provide two passwords in a single login, and a regular passdb such as the PAM passdb doesn't support credentials lookup. So I feel it's better if Dovecot checks only the destination user name in the passdbs or userdbs after the master user authentication part succeeds, to decide whether the destination user exists, just as the comment for "pass=yes" describes.

This may not be a bug; IMHO it's just a confusing feature.
Regards, Yubao Liu
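For readers following the configuration under discussion, below is a dovecot.conf sketch of the two-passdb layout the quoted wiki text recommends (a separate master passdb, plus the same driver listed again without master=yes so master users keep a different password for logging in as themselves), together with the pass=yes interaction with a PAM passdb that started the thread. This is an added example, not configuration from the thread or from the Dovecot project; the passwd-file driver choice and the file paths are assumptions about a typical deployment, while master, pass and the "destuser*masteruser" login form are taken from the thread and the wiki page it cites.

```conf
# Added example (not from the thread): master-user layout as described on
# http://wiki2.dovecot.org/Authentication/MasterUsers.
# Driver choice and file paths below are assumptions for a typical deployment.

# Master passdb: consulted only for the "master" half of a
# "destuser*masteruser" login. Keeping master credentials in their own
# file means a master password is never also an ordinary login password.
passdb {
  driver = passwd-file
  args = /etc/dovecot/master-users    # assumed path
  master = yes
  # pass = yes: after the master user authenticates, also look the
  # destination user up in the remaining (non-master) passdbs. That needs a
  # passdb able to do credential lookups; with the PAM passdb below it
  # fails, which is the behaviour reported in the thread. With PAM, leave
  # pass at its default (no) and let the userdb lookup confirm the
  # destination user exists, as Timo notes it is checked there anyway.
  pass = no
}

# Regular passdb for ordinary logins (PAM, as in the thread).
passdb {
  driver = pam
}

# Same master users logging in as themselves with a DIFFERENT password:
# the same driver again, without master = yes, pointing at a separate file.
passdb {
  driver = passwd-file
  args = /etc/dovecot/users    # assumed path, deliberately not master-users
}

# Destination users are system users in the thread, so the userdb is passwd.
userdb {
  driver = passwd
}
```

The point to check after deploying such a layout is that an ordinary login by a master user against /etc/dovecot/users succeeds with its own password and fails with the master password, which confirms the two files really are separate credential sets rather than copies of each other.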