[Dovecot] Running auth as root
Hi,
I seem to be forced to run the auth process as root because I want to use pam for local users. My gut feeling says that this is Not Good. Is there another way? For the virtual users 'vmail' is good enough because that user may access the MySQL database.
This is on Ubuntu server 10.04.1 and Dovecot 1.2.9.
TIA, Egbert Jan
On Mon, 2010-08-30 at 14:15 +0200, Egbert Jan van den Bussche wrote:
> Hi,
> I seem to be forced to run the auth process as root because I want to use pam for local users. My gut feeling says that this is Not Good. Is there another way? For the virtual users 'vmail' is good enough because that user may access the MySQL database.
If your /etc/shadow is readable by "shadow" group, you can use auth_user=something that uses shadow group as the primary group (maybe create a new "doveauth" user).
Op 31-8-2010 20:04, Timo Sirainen schreef:
> On Mon, 2010-08-30 at 14:15 +0200, Egbert Jan van den Bussche wrote:
> > Hi,
> > I seem to be forced to run the auth process as root because I want to use pam for local users. My gut feeling says that this is Not Good. Is there another way? For the virtual users 'vmail' is good enough because that user may access the MySQL database.
> If your /etc/shadow is readable by "shadow" group, you can use auth_user=something that uses shadow group as the primary group (maybe create a new "doveauth" user).
TNX Timo. I have added vmail to the shadow group. Now it may read /etc/shadow.
Egbert Jan
On Tue, 2010-08-31 at 21:07 +0200, Egbert Jan van den Bussche wrote:
> > If your /etc/shadow is readable by "shadow" group, you can use auth_user=something that uses shadow group as the primary group (maybe create a new "doveauth" user).
> TNX Timo. I have added vmail to the shadow group. Now it may read /etc/shadow.
That doesn't sound like such a good idea. Now all imap/pop3/etc processes can read your /etc/shadow. Only auth process needs to do that.
Op 31-8-2010 21:10, Timo Sirainen schreef:
> On Tue, 2010-08-31 at 21:07 +0200, Egbert Jan van den Bussche wrote:
> > > If your /etc/shadow is readable by "shadow" group, you can use auth_user=something that uses shadow group as the primary group (maybe create a new "doveauth" user).
> > TNX Timo. I have added vmail to the shadow group. Now it may read /etc/shadow.
> That doesn't sound like such a good idea. Now all imap/pop3/etc processes can read your /etc/shadow. Only auth process needs to do that.
Hmmm, you're right. I better create a doveauth user for it. Hope that it doesn't give problems when 1.2.9 gets replaced by the Ubuntu update mechanism.
EJ
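The point Timo makes in this thread (only the auth process should be able to read /etc/shadow, so the auth_user account, not vmail, belongs in the shadow group) can be checked mechanically. The audit script below is an added example, not part of the thread or of Dovecot; it parses constructed /etc/passwd and /etc/group text (the account names vmail and doveauth and the gid 42 are assumptions) and lists every account that can read a group-readable /etc/shadow, flagging any that is not root or the configured auth user.

```python
"""Audit which local accounts can read /etc/shadow through its group.

Added example for the thread above (not Dovecot code). The passwd/group
text and the shadow file mode below are constructed for illustration.
"""

SHADOW_GROUP = "shadow"
SHADOW_MODE = 0o640  # constructed: -rw-r----- root:shadow, as on Ubuntu 10.04

# Constructed sample: the "before" state from the thread (vmail added to the
# shadow group) and the "after" state (a dedicated doveauth user whose
# primary group is shadow, with vmail removed again).
PASSWD_SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "vmail:x:5000:5000::/var/vmail:/bin/false\n"
    "doveauth:x:5001:42::/nonexistent:/bin/false\n"
)
GROUP_BEFORE = "root:x:0:\nshadow:x:42:vmail\nvmail:x:5000:\n"
GROUP_AFTER = "root:x:0:\nshadow:x:42:\nvmail:x:5000:\n"


def parse_group(text):
    """Return {group: (gid, [members])} from /etc/group formatted text."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            out[name] = (int(gid), [m for m in members.split(",") if m])
    return out


def parse_passwd(text):
    """Return {user: primary_gid} from /etc/passwd formatted text."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            out[fields[0]] = int(fields[3])
    return out


def shadow_readers(passwd_text, group_text, mode=SHADOW_MODE):
    """root, plus every account in the shadow group (primary or supplementary)
    when the file is group-readable (mode & 0o040)."""
    groups, users = parse_group(group_text), parse_passwd(passwd_text)
    readers = {"root"}
    if mode & 0o040 and SHADOW_GROUP in groups:
        gid, members = groups[SHADOW_GROUP]
        readers.update(members)
        readers.update(u for u, g in users.items() if g == gid)
    return readers


def unexpected_readers(passwd_text, group_text, auth_user, mode=SHADOW_MODE):
    """Accounts with shadow access other than root and Dovecot's auth_user."""
    return sorted(shadow_readers(passwd_text, group_text, mode) - {"root", auth_user})


if __name__ == "__main__":
    print("before:", unexpected_readers(PASSWD_SAMPLE, GROUP_BEFORE, "doveauth"))
    print("after: ", unexpected_readers(PASSWD_SAMPLE, GROUP_AFTER, "doveauth"))
```

On a live host, feed it the real files (`open("/etc/group").read()`) and the `auth_user` value from `dovecot -n`; a non-empty result means some account besides the auth process can read password hashes.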