[Dovecot] dovecot user
Any thoughts on this:
The primary use for "dovecot" user has been for login processes. But people keep misunderstanding this and try to use dovecot for accessing mails. For years I've been wondering about renaming this user to something else like dovelogin, but it never really seemed practical.
So now with v2.0 there are a bunch of new processes, and for example anvil and dict are now run as dovecot user by default. But it's not really good that login processes can just go and kill those processes. And even worse, if drop_priv_before_exec=yes they could ptrace these processes.
So I think we need two Dovecot users for v2.0:
1. Completely untrusted user for login processes.
2. Slightly more trusted internal Dovecot user.
So "dovecot" could be reused for 2. And it would no longer be a mortal sin to use dovecot user for owning mail files. For 1. there would be a new user. I'd use "dovelogin", but apparently tools still don't much like usernames that are longer than 8 characters. Like ps could show numeric uid instead of 9 character long username. So .. any suggestions? "dovlogin" could be one possibility I guess. It would be nice if the name somehow reminded of login processes, but maybe something else could be used too, like: dovenil, dovenull, dovezero, dovenone, dovevoid, doveint, dovedown, dovein, dove0
On 23.01.10 13:51, Timo Sirainen wrote:
1. Completely untrusted user for login processes.
2. Slightly more trusted internal Dovecot user.
So "dovecot" could be reused for 2. And it would no longer be a mortal sin to use dovecot user for owning mail files. For 1. there would be a new user. I'd use "dovelogin", but apparently tools still don't much like usernames that are longer than 8 characters.
You could use "dovecotl" (lower-case "l" as the eighth character) which has a nice Aztec ring. ;-) Seriously, I'd suggest you make both users configurable, either by providing a compile time option for "configure" or by adding runtime options to dovecot.conf. That would allow each administrator to choose users according to local regulations.
-Ralph
On Sat, 2010-01-23 at 14:19 +0100, Ralph Seichter wrote:
You could use "dovecotl" (lower-case "l" as the eighth character) which has a nice Aztec ring. ;-) Seriously, I'd suggest you make both users configurable, either by providing a compile time option for "configure" or by adding runtime options to dovecot.conf. That would allow each administrator to choose users according to local regulations.
Sure they're already configurable in dovecot.conf, but there needs to be defaults. And almost no one changes the defaults. (Well, Apple used _dovecot instead of dovecot.)
Well, I don't know how you feel about it, but you could always go with something similar to what courier does and call it "doveauth" while keeping the real "dovecot" user for the rest of the processes.
It's eight characters, reminds you of the login process, and very easy to understand for anyone who sees it for the first time.
/my two cents...
On Sat, 2010-01-23 at 10:33 -0500, David Halik wrote:
Well, I don't know how you feel about it, but you could always go with something similar to what courier does and call it "doveauth" while keeping the real "dovecot" user for the rest of the processes.
It's eight characters, reminds you of the login process, and very easy to understand for anyone who sees it for the first time.
doveauth reminds me of dovecot-auth process. It's already mentioned in wiki as an example user for dovecot-auth.
Quoting David Halik <dhalik@jla.rutgers.edu>:
Well, I don't know how you feel about it, but you could always go
with something similar to what courier does and call it "doveauth"
while keeping the real "dovecot" user for the rest of the processes.
+1
-- Eric Rostetter The Department of Physics The University of Texas at Austin
Go Longhorns!
I think the next v2.0 release (rc1?) will include the new changed default_login_user. I'm still not completely sure what it is though. Two more ideas:
"dovenest" (by Pascal Volk) - although reminds me a bit too much of lovenest :)
"dovehole" - you go inside dovecot via a hole, right?
On Sat, 2010-01-23 at 14:51 +0200, Timo Sirainen wrote:
Any thoughts on this:
The primary use for "dovecot" user has been for login processes. But people keep misunderstanding this and try to use dovecot for accessing mails. For years I've been wondering about renaming this user to something else like dovelogin, but it never really seemed practical.
So now with v2.0 there are a bunch of new processes, and for example anvil and dict are now run as dovecot user by default. But it's not really good that login processes can just go and kill those processes. And even worse, if drop_priv_before_exec=yes they could ptrace these processes.
So I think we need two Dovecot users for v2.0:
1. Completely untrusted user for login processes.
2. Slightly more trusted internal Dovecot user.
So "dovecot" could be reused for 2. And it would no longer be a mortal sin to use dovecot user for owning mail files. For 1. there would be a new user. I'd use "dovelogin", but apparently tools still don't much like usernames that are longer than 8 characters. Like ps could show numeric uid instead of 9 character long username. So .. any suggestions? "dovlogin" could be one possibility I guess. It would be nice if the name somehow reminded of login processes, but maybe something else could be used too, like: dovenil, dovenull, dovezero, dovenone, dovevoid, doveint, dovedown, dovein, dove0
Timo Sirainen put forth on 3/25/2010 1:30 PM:
I think the next v2.0 release (rc1?) will include the new changed default_login_user. I'm still not completely sure what it is though. Two more ideas:
"dovenest" (by Pascal Volk) - although reminds me a bit too much of lovenest :)
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ... just not right at all.
-- Stan
On Mar 25, 2010, at 9:48 PM, Stan Hoeppner wrote:
Timo Sirainen put forth on 3/25/2010 1:30 PM:
I think the next v2.0 release (rc1?) will include the new changed default_login_user. I'm still not completely sure what it is though. Two more ideas:
"dovenest" (by Pascal Volk) - although reminds me a bit too much of lovenest :)
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ...
just not right at all.
dovetail
-Terry
Sent from my iPhone
On Mar 25, 2010, at 9:50 PM, Bradley Giesbrecht <bradley.giesbrecht@gmail.com> wrote:
On Mar 25, 2010, at 9:48 PM, Stan Hoeppner wrote:
Timo Sirainen put forth on 3/25/2010 1:30 PM:
I think the next v2.0 release (rc1?) will include the new changed default_login_user. I'm still not completely sure what it is though. Two more ideas:
"dovenest" (by Pascal Volk) - although reminds me a bit too much of lovenest :)
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ... just not right at all.
dovetail
On Mar 25, 2010, at 9:50 PM, Bradley Giesbrecht <bradley.giesbrecht@gmail.com> wrote:
On Mar 25, 2010, at 9:48 PM, Stan Hoeppner wrote:
Timo Sirainen put forth on 3/25/2010 1:30 PM:
I think the next v2.0 release (rc1?) will include the new changed default_login_user. I'm still not completely sure what it is though. Two more ideas:
"dovenest" (by Pascal Volk) - although reminds me a bit too much of lovenest :)
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ... just not right at all.
dovetail
Nice!!
On Thu, 2010-03-25 at 21:50 -0700, Bradley Giesbrecht wrote:
On Mar 25, 2010, at 9:48 PM, Stan Hoeppner wrote:
Timo Sirainen put forth on 3/25/2010 1:30 PM:
I think the next v2.0 release (rc1?) will include the new changed default_login_user. I'm still not completely sure what it is though. Two more ideas:
"dovenest" (by Pascal Volk) - although reminds me a bit too much of lovenest :)
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ... just not right at all.
dovetail
+1
On Fri, 2010-03-26 at 20:01 +1000, Noel Butler wrote:
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ...
just not right at all.
dovetail
+1
Tail just doesn't make much sense to me. Also it's not completely free of pornographic associations either. :)
So my last idea: doveless. "It's less of a dovecot process." To me it seems closer to perfect as anything I've seen so far.
Timo Sirainen wrote:
On Fri, 2010-03-26 at 20:01 +1000, Noel Butler wrote:
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ... just not right at all.
dovetail
+1
Tail just doesn't make much sense to me. Also it's not completely free of pornographic associations either. :)
So my last idea: doveless. "It's less of a dovecot process." To me it seems closer to perfect as anything I've seen so far.
I don't remember if 'dove-nil', 'dovenil' or 'dovenull' were suggested by anyone. If not please consider them.
Kind regards, Marco
--
| Marco Nenciarini | Debian/GNU Linux Developer - Plug Member | | mnencia@prato.linux.it | http://www.prato.linux.it/~mnencia |
Key fingerprint = FED9 69C7 9E67 21F5 7D95 5270 6864 730D F095 E5E4
On 3/26/2010 10:32 AM, Marco Nenciarini wrote:
Timo Sirainen wrote:
On Fri, 2010-03-26 at 20:01 +1000, Noel Butler wrote:
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ... just not right at all.
dovetail
+1
Tail just doesn't make much sense to me. Also it's not completely free of pornographic associations either. :)
So my last idea: doveless. "It's less of a dovecot process." To me it seems closer to perfect as anything I've seen so far.
I don't remember if 'dove-nil', 'dovenil' or 'dovenull' were suggested by anyone. If not please consider them.
Kind regards, Marco
Well...I'll throw my silly hat into the ring: "doveman" "dover"
Tony
On Fri, 26 Mar 2010, Marco Nenciarini wrote:
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ... just not right at all.
dovetail
+1
Tail just doesn't make much sense to me. Also it's not completely free of pornographic associations either. :)
So my last idea: doveless. "It's less of a dovecot process." To me it seems closer to perfect as anything I've seen so far.
I don't remember if 'dove-nil', 'dovenil' or 'dovenull' were suggested by anyone. If not please consider them.
Hmm, it's going to make fun; there used to be the Monty Python skits using constructs like:
" it is spelled dove-in / dovein , but it is pronounced login "
Or consider yet another meaning of "dove" as past tense of to dive: dove-in: {one} dove in{to the [dove]cot}
However, I dunno if the preposition "in" fits ... .
Regards,
Steffen Kaiser
On Fri, 26 Mar 2010 16:18:23 +0100 (CET), Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> articulated:
On Fri, 26 Mar 2010, Marco Nenciarini wrote:
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ... just not right at all.
dovetail
+1
Tail just doesn't make much sense to me. Also it's not completely free of pornographic associations either. :)
So my last idea: doveless. "It's less of a dovecot process." To me it seems closer to perfect as anything I've seen so far.
I don't remember if 'dove-nil', 'dovenil' or 'dovenull' were suggested by anyone. If not please consider them.
Hmm, it's going to make fun; there used to be the Monty Python skits using constructs like:
" it is spelled dove-in / dovein , but it is pronounced login "
Or consider yet another meaning of "dove" as past tense of to dive: dove-in: {one} dove in{to the [dove]cot}
Playing around with my 'acronym' creator, I came up with test:
HOOLIGAN (2 possibilities)
hOOLIgaN: dOvecOt LogIN
hOOLiGaN: dOvecOt LoGiN
VENOM (2 possibilities)
VEnOm: doVEcot lOgin
VENom: doVEcot logiN
DAEMON (2 possibilities)
DaEmON: DovEcOt logiN
DaEmON: DovEcot lOgiN
DOCTOR (5 possibilities)
DOCTOr: DOveCoT lOgin
DOCtOr: DOveCot lOgin
DOcTOr: DOvecoT lOgin
DOcTOr: DovecOT lOgin
DoCTOr: DoveCoT lOgin
DROOL (5 possibilities)
DrOOL: DOvecOt Login
DrOoL: DOvecot Login
DroOL: DOvecot Login
DrOoL: DovecOt Login
DroOL: DovecOt Login
DEMON (7 possibilities)
DemON: DOvecot logiN
DEmON: DovEcOt logiN
DEmON: DovEcot lOgiN
DEmoN: DovEcot logiN
DEmOn: DovEcot lOgin
DemON: DovecOt logiN
DemON: Dovecot lOgiN
DOOM (2 possibilities)
DOOm: DOvecot lOgin
DOOm: DovecOt lOgin
DarLINg: Dovecot LogIN
DEviL: DovEcot Login
That is about enough playing around for one day.
-- Jerry Dovecot.user@seibercom.net
Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
"How many people work here?"
"Oh, about half."
On Fri, 2010-03-26 at 15:32 +0100, Marco Nenciarini wrote:
Timo Sirainen wrote:
On Fri, 2010-03-26 at 20:01 +1000, Noel Butler wrote:
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ... just not right at all.
dovetail
+1
Tail just doesn't make much sense to me. Also it's not completely free of pornographic associations either. :)
So my last idea: doveless. "It's less of a dovecot process." To me it seems closer to perfect as anything I've seen so far.
I don't remember if 'dove-nil', 'dovenil' or 'dovenull' were suggested by anyone. If not please consider them.
Nice Marco... OK, Timo, we must have a winner here with " dovenull", surely :P
Noel Butler put forth on 3/26/2010 8:12 PM:
Nice Marco... OK, Timo, we must have a winner here with " dovenull", surely :P
I fear anything with "null" in it will be confusing to people not-in-the-know. The average OP may see that process name and think it's a dovecot trashcan for various unwanted bits/bytes, maybe deleted mails or some such. I think it will confuse too many OPs, at least initially.
-- Stan
On 27.3.2010, at 7.01, Stan Hoeppner wrote:
Noel Butler put forth on 3/26/2010 8:12 PM:
Nice Marco... OK, Timo, we must have a winner here with " dovenull", surely :P
I fear anything with "null" in it will be confusing to people not-in-the-know. The average OP may see that process name and think it's a dovecot trashcan for various unwanted bits/bytes, maybe deleted mails or some such. I think it will confuse too many OPs, at least initially.
That's definitely better than what people now think of "dovecot" user. "dovenull" is a user who can be thought of as "trash": no files should be owned by dovenull, dovenull shouldn't belong to any groups and in general it shouldn't have access to anything at all. Preferably it should even have restricted access to network, but there's no standard way to configure that.
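The properties described above for the login account (a UID shared with nothing else, no group memberships, no owned files, a name that fits in 8 characters) can be checked mechanically. The following is an added example, not part of the original thread or of Dovecot itself; the function names, the sample passwd/group data and the `file_owner_uids` input (the set of UIDs found owning files, collected separately) are assumptions made for illustration.

```python
"""Audit the account that Dovecot login processes run as (added example)."""

# Constructed sample data in passwd(5) / group(5) format, not from a real host.
PASSWD_SHARED = """\
root:x:0:0:root:/root:/bin/sh
dovecot:x:97:97:Dovecot:/nonexistent:/usr/sbin/nologin
vmail:x:5000:5000:Mail store:/var/vmail:/usr/sbin/nologin
"""
PASSWD_SPLIT = PASSWD_SHARED + "dovenull:x:98:98:Dovecot login:/nonexistent:/usr/sbin/nologin\n"
GROUP = """\
dovecot:x:97:
dovenull:x:98:
vmail:x:5000:
mail:x:8:dovecot
"""


def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd(5)-formatted text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def supplementary_groups(group_text, user):
    """Return names of groups that list `user` as a member."""
    found = []
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and user in [m for m in fields[3].split(",") if m]:
            found.append(fields[0])
    return found


def audit_login_user(passwd_text, group_text, login_user, internal_user, file_owner_uids):
    """Return a list of findings; an empty list means the split holds."""
    users = parse_passwd(passwd_text)
    if login_user not in users:
        return [f"{login_user}: no such account"]
    uid = users[login_user][0]
    findings = []
    # Same UID means login processes may signal or ptrace the other processes.
    for name, (other_uid, _) in users.items():
        if name != login_user and other_uid == uid:
            findings.append(f"{login_user} shares uid {uid} with {name}")
    if login_user == internal_user:
        findings.append("login and internal services run as the same user")
    groups = supplementary_groups(group_text, login_user)
    if groups:
        findings.append(f"{login_user} is a member of: {', '.join(groups)}")
    if uid in file_owner_uids:
        findings.append(f"uid {uid} owns files; the login user should own none")
    if len(login_user) > 8:
        findings.append(f"{login_user} is longer than 8 characters (ps may show the uid)")
    return findings
```

With the constructed data, running login processes as "dovecot" alongside the internal services yields three findings, while a dedicated "dovenull" account yields none.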
On Sat, 2010-03-27 at 00:01 -0500, Stan Hoeppner wrote:
Noel Butler put forth on 3/26/2010 8:12 PM:
Nice Marco... OK, Timo, we must have a winner here with " dovenull", surely :P
I fear anything with "null" in it will be confusing to people not-in-the-know. The average OP may see that process name and think it's a dovecot trashcan for various unwanted bits/bytes, maybe deleted mails or some such. I think it will confuse too many OPs, at least initially.
If they are not in the know, what are they doing touching it, for all else, there are these things called "docs" and "changelogs"
On 2010-03-26 8:36 AM, Timo Sirainen wrote:
So my last idea: doveless. "It's less of a dovecot process." To me it seems closer to perfect as anything I've seen so far.
I liked doveauth, but understand why it might be confusing...
Here are some other suggestions...
doveuser
dovein
doveme
dovelogn
--
Best regards,
Charles
Timo Sirainen put forth on 3/26/2010 7:36 AM:
On Fri, 2010-03-26 at 20:01 +1000, Noel Butler wrote:
"dovehole" - you go inside dovecot via a hole, right?
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ...
just not right at all.
dovetail
+1
Tail just doesn't make much sense to me. Also it's not completely free of pornographic associations either. :)
No, no, totally free of pornographic connotation. Dovetail is a type of woodworking joint. That's what the vast majority of people on planet earth will associate "dovetail" with anyway.
http://en.wikipedia.org/wiki/Dovetail_joint
So my last idea: doveless. "It's less of a dovecot process." To me it seems closer to perfect as anything I've seen so far.
Or how about just "dovel", a crafty word smithing merge of dovecot+shovel? Although I'm unsure of any parallels between the work done by this thing and that performed by a shovel. ;) Still, it's catchy.
-- Stan
On 27.3.2010, at 6.49, Stan Hoeppner wrote:
Tail just doesn't make much sense to me. Also it's not completely free of pornographic associations either. :)
No, no, totally free of pornographic connotation. Dovetail is a type of woodworking joint. That's what the vast majority of people on planet earth will associate "dovetail" with anyway.
Maybe the native english speakers (and I'd think only a subset of them too). I had never heard of dovetail.
So my last idea: doveless. "It's less of a dovecot process." To me it seems closer to perfect as anything I've seen so far.
Or how about just "dovel", a crafty word smithing merge of dovecot+shovel? Although I'm unsure of any parallels between the work done by this thing and that performed by a shovel. ;) Still, it's catchy.
I want something that's at least potentially understandable to people who understand english (and not just native speakers). I wouldn't know why some process is owned by user "dovel". That might not even make me realize it's a Dovecot process.
On 03/26/2010 05:48 AM Stan Hoeppner wrote:
Timo Sirainen put forth on 3/25/2010 1:30 PM:
… "dovenest" (by Pascal Volk) - although reminds me a bit too much of lovenest :) …
That is downright pornographic. "dovehole" - "lovehole"?
"dovenest" isn't totally horrible (close), but "dovehole" is ... just not right at all.
"dovenest" was just a quick idea, after Timo has suggested "dovehole" in #dovecot. I thought we all love porn‽ :-D After reading something¹ about the architecture of dovecots, I finally suggest: doveband
Regards, Pascal
¹ http://en.wikipedia.org/wiki/Dovecote#Architecture
The trapper recommends today: decade.1008518@localdomain.org
Well, I made this a poll. Please vote. :) http://blog.dovecot.org/
I only added those options that I thought people might have a chance of understanding what it could possibly mean.
Timo Sirainen put forth on 3/26/2010 5:47 PM:
Well, I made this a poll. Please vote. :) http://blog.dovecot.org/
I only added those options that I thought people might have a chance of understanding what it could possibly mean.
Add "dovel" and restart the vote. Short, sweet, to the point, universally understood as dovecot login, you can dig holes with it as it's also a shovel, so it is similar to your original "dovehole" idea. :)
-- Stan
On 03/26/2010 11:47 PM Timo Sirainen wrote:
Well, I made this a poll. Please vote. :) http://blog.dovecot.org/
The result:
- dovein: 23 votes (31.94%)
- doveless: 15 votes (20.83%)
- dovenull: 34 votes (47.22%)
Regards, Pascal
The trapper recommends today: fabaceae.1012405@localdomain.org
On 25.03.2010 19:30, Timo Sirainen wrote:
I think the next v2.0 release (rc1?) will include the new changed default_login_user. I'm still not completely sure what it is though. Two more ideas:
"dovenest" (by Pascal Volk) - although reminds me a bit too much of lovenest :)
What about dovedevil and doveangel. Sorry just kidding
On Mar 27, 2010, at 3:59 AM, Timo Sirainen wrote:
On 27.3.2010, at 12.32, Patrick Wallura wrote:
What about dovedevil and doveangel. Sorry just kidding
Even if not, the problem with those is that the name is longer than
8 characters, which makes them not show up in all ps outputs.
doveun or doveup
dovecot un-privileged
// Brad
participants (17)
- Bradley Giesbrecht
- Charles Marcus
- David Halik
- Edgar Fuß
- Eric Rostetter
- Jerry
- Marco Nenciarini
- Noel Butler
- Pascal Volk
- Patrick Wallura
- Ralph Seichter
- Stan Hoeppner
- Steffen Kaiser
- Terry Barnum
- Thomas Leuxner
- Timo Sirainen
- Tony Rutherford