Timo Sirainen wrote:
> On Friday, Sep 12, 2003, at 21:42 Europe/Helsinki, Bob Hall wrote:
>> On Fri, Sep 12, 2003 at 11:54:56AM -0500, Peter Clark wrote:
>>> auth_passdb = pam
>>> auth_user = root
>> I thought you didn't need to be root to authenticate with PAM? If you can do this as dovecot-auth, it will be more secure.
> I think PAM always requires root.
The process authenticating via PAM needs whatever access rights are required to read the password database.
Anyone who uses PAM to authenticate out of /etc/shadow (or the equivalent) will inevitably end up with the authentication daemon running as root.
If you tell PAM to authenticate via:
- LDAP
- any SQL database
- SMB (aka ask a Windows or Samba box)
- winbind (aka ask a WinNT, Win2k, or Win2k3 domain controller)
then the ability to open a TCP, UDP, or unix domain socket is the only access required.
Note that the above list of PAM authentication mechanisms is by no means complete.
--
Phil Brutsche phil@brutsche.us
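
The distinction drawn in the message above can be checked against a PAM service file before choosing `auth_user`. The following is an added example, not part of the original thread or of Dovecot: it parses the `auth` lines of a service file and reports whether the stack needs read access to the shadow file or only a socket. The module-to-category mapping, the function names and the sample stacks are assumptions made for illustration.

```python
import re

# Assumed classification, following the message above: pam_unix reads the
# local shadow file; the others only talk to a remote or local service.
LOCAL_SHADOW = {"pam_unix.so"}
NETWORK_ONLY = {"pam_ldap.so", "pam_mysql.so", "pam_winbind.so"}

# type, control (plain word or [bracketed] form), module path
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_modules(pam_text):
    """Return the module file names used on 'auth' lines."""
    mods = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = LINE.match(line)
        if m and m.group(1) == "auth":
            mods.append(m.group(3).rsplit("/", 1)[-1])
    return mods

def required_access(pam_text):
    """'shadow' if any auth module reads the shadow file, 'socket' if every
    auth module is network-only, otherwise 'unknown' (review by hand)."""
    mods = auth_modules(pam_text)
    if any(m in LOCAL_SHADOW for m in mods):
        return "shadow"
    if mods and all(m in NETWORK_ONLY for m in mods):
        return "socket"
    return "unknown"

# Constructed sample service files (not taken from any real system).
SHADOW_STACK = """\
auth     required    pam_unix.so nullok
account  required    pam_unix.so
"""
LDAP_STACK = """\
auth     required    /lib/security/pam_ldap.so   # directory server
account  required    pam_ldap.so
"""
MIXED_STACK = """\
auth     sufficient                       pam_ldap.so
auth     [success=1 default=ignore]       pam_unix.so use_first_pass
"""

if __name__ == "__main__":
    for name, text in [("shadow", SHADOW_STACK), ("ldap", LDAP_STACK),
                       ("mixed", MIXED_STACK)]:
        print(name, auth_modules(text), "->", required_access(text))
```

A stack that falls back to local accounts, like the mixed sample, still counts as needing shadow access.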