On Thu, 2005-10-06 at 14:59 +0100, Andrew Instone-Cowie wrote:
But if I try to authenticate as root with the correct password (which I still want NOT to work!), Dovecot still refuses IMAP access, and puts this in the maillog:
Oct 5 14:16:18 hadrian dovecot: Logins with UID 0 not permitted (user root)
Oct 5 14:16:18 hadrian imap-login: Internal login failure: root [127.0.0.1]
But saslauthd seems to treat this as a successful authentication and still allows root to relay email!
So: Dovecot problem or saslauthd problem?
Well.. It happens because internally Dovecot works by first checking that the password is valid. At this point there are no UID checks yet. Since the password is valid, Dovecot returns successful authentication. Only after that does Dovecot check the userdb information, where the UID restrictions are. But at this point IMAP has already sent an "OK" reply to the client, and RIMAP authentication correctly assumes the authentication was valid.
I'm not really sure if there's a good way to solve this. I'd rather not add more hardcoded root-checks to the code.
With 1.0alpha3 you could add root to the deny passdb and it would fail before even checking the passwd file.
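As an added illustration of the deny-passdb approach described above (not configuration from this thread, and written in the later Dovecot 2.x passdb syntax rather than the 1.0alpha3 syntax; the path /etc/dovecot/deny-users and the use of the shadow driver are assumptions):

```conf
# dovecot.conf fragment (Dovecot 2.x syntax; added example, not from the thread).
# Passdbs are consulted in order. The deny passdb must come FIRST so that
# "root" is rejected at the password-check stage, before the real lookup
# could ever return the "OK" that an rimap check (e.g. saslauthd) trusts.
passdb {
  driver = passwd-file
  deny = yes
  # /etc/dovecot/deny-users (assumed path): one username per line, e.g.
  #   root
  args = /etc/dovecot/deny-users
}

# The normal password check runs only if the deny passdb did not match.
# "shadow" is assumed here; use pam or whatever the system actually uses.
passdb {
  driver = shadow
}

# The UID 0 restriction is enforced at the userdb stage, which is the step
# that runs too late to help the rimap case discussed above.
userdb {
  driver = passwd
}
```

With this in place, `doveadm auth test root` should report a failure even when the correct password is supplied, because the deny passdb answers before the shadow lookup is consulted.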