[Dovecot] Login into other user's account // master user for non-master users // chroot to users.<user>
Currently some of our organizational roles use shared secrets (aka the password) to access the mail account of an organizational role, say "sales" for example. For one thing, I don't like shared secrets; for another, when there have been some changes to shared mailboxes, I can only say "user sales deleted the message at such and such a time". Therefore I would like to access the mailboxes of organizational roles with the accounts of the humans currently performing the role.
Using sharing and ACLs it is possible to map the mailboxes of "sales" into the "users.sales" namespace for specific other users, namely the human ones, say userA and userB for example.
However, userB does not like managing identities in their MUA and refuses to acknowledge the messages in users.sales for various reasons. One reason was that userB wants to strictly and visibly separate both mail accounts, the private messages in "userB" and the role's ones in "sales".
Now, I came to think that it would be good in such a case if userB could authenticate as, say, "sales*userB" - much like a master user - and end up in "sales"'s home, but with the access permissions of "userB", well, like a chroot.
Would it be an interesting feature to add to Dovecot's core?
If I simulate "sales*userB" with the password of userB and let the userdb return the home of sales, userB would gain "owner" privileges of sales implicitly. So there seems to be no workaround.
Kind regards,
Steffen Kaiser
On 2013-10-18 4:31 AM, Steffen Kaiser skdovecot@smail.inf.fh-brs.de wrote:
Now, I came to think that it would be good in such a case if userB could authenticate as, say, "sales*userB" - much like a master user - and end up in "sales"'s home, but with the access permissions of "userB", well, like a chroot.
Would it be an interesting feature to add to Dovecot's core?
I would actually find that very useful. We have similar role based email accounts, and currently we have the same problem - no way to tell which of the users in question did what...
--
Best regards,
Charles
Am 20.10.2013 15:25, schrieb Charles Marcus:
On 2013-10-18 4:31 AM, Steffen Kaiser skdovecot@smail.inf.fh-brs.de wrote:
Now, I came to think that it would be good in such a case if userB could authenticate as, say, "sales*userB"
- much like a master user - and end up in "sales"'s home, but with the access permissions of "userB", well, like a chroot.
Would it be an interesting feature to add to Dovecot's core?
I would actually find that very useful. We have similar role based email accounts, and currently we have the same problem - no way to tell which of the users in question did what...
And how does the different username change anything? The inbox is still shared.
You see a different username for the login, but you still do not see *what* he did, and if you had *that* in the logs, username + IP address makes the match.
On Sun, 20 Oct 2013, Reindl Harald wrote:
Am 20.10.2013 15:25, schrieb Charles Marcus:
On 2013-10-18 4:31 AM, Steffen Kaiser skdovecot@smail.inf.fh-brs.de wrote:
Now, I came to think that it would be good in such a case if userB could authenticate as, say, "sales*userB"
- much like a master user - and end up in "sales"'s home, but with the access permissions of "userB", well, like a chroot.
Would it be an interesting feature to add to Dovecot's core?
I would actually find that very useful. We have similar role based email accounts, and currently we have the same problem - no way to tell which of the users in question did what...
And how does the different username change anything? The inbox is still shared.
You see a different username for the login, but you still do not see *what* he did, and if you had *that*
with mail_log you do.
in the logs, username + IP address makes the match.
With NAT, all users share the same IP. Then we have webmail users, who share the same IP, too.
Steffen Kaiser
Thanks Steffen...
I kill-filed Reindl a while back due to his abusive, arrogant nature...
Too bad - I held off for a long time, because he does actually seem to have a clue most of the time.
Charles
--
Best regards,
Charles
Am 21.10.2013 15:30, schrieb Charles Marcus:
Thanks Steffen...
I kill-filed Reindl a while back due to his abusive, arrogant nature...
What was abusive in this thread?
And the abusive reply to you in the following thread was well deserved after your "prove it": http://dovecot.org/list/dovecot/2013-February/088587.html
Too bad - I held off for a long time, because he does actually seem to have a clue most of the time.
Because I read docs, not only for Dovecot but for a lot of other server software far away from mail, and the underlying RFCs too.
[ Reply-To set: let's not make this another pointless thread ]
On Mon, Oct 21, 2013 at 03:37:10PM +0200, Reindl Harald wrote:
Am 21.10.2013 15:30, schrieb Charles Marcus:
Thanks Steffen...
I kill-filed Reindl a while back due to his abusive, arrogant nature...
What was abusive in this thread?
I think you misunderstand. Charles was actually paying you a partial compliment. He was not saying that your response was abusive. He was saying that you actually seem to have a clue most of the time.
FWIW I agree on both counts. You tend to get abusive sometimes, but your technical accuracy is very good.
And the abusive reply to you in the following thread was well deserved after your "prove it": http://dovecot.org/list/dovecot/2013-February/088587.html
The idea that abuse is "well deserved" could be the origin of your difficulty in fitting in with online technical communities. There's really nothing worth getting angry over. If I think someone has been rude to me, my best response is no response.
I haven't seen that from you. You never let anything pass. You'll probably ignore my Reply-To: header and reply to this.
Too bad - I held off for a long time, because he does actually seem to have a clue most of the time.
Because I read docs, not only for Dovecot but for a lot of other server software far away from mail, and the underlying RFCs too.
Yes, that is obvious. You have a lot to contribute. Too bad we can only get that at a price that many posters consider too high.
Sincere best wishes to you. EOT.
http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
On 18.10.2013, at 11.31, Steffen Kaiser skdovecot@smail.inf.fh-brs.de wrote:
Now, I came to think that it would be good in such a case if userB could authenticate as, say, "sales*userB" - much like a master user - and end up in "sales"'s home, but with the access permissions of "userB", well, like a chroot.
Would it be an interesting feature to add to Dovecot's core?
If I simulate "sales*userB" with the password of userB and let the userdb return the home of sales, userB would gain "owner" privileges of sales implicitly. So there seems to be no workaround.
I think that’s already possible. If master user=sales and userB = login user, the ACLs would work the way you want. The problem is how to have different passwords for the sales master user for userA and userB. But that could be done by e.g. a checkpassword script.
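Timo's suggestion of a checkpassword script for the master passdb, worked through as an added example (this is not Dovecot's code and not a script from anyone in the thread). It assumes the `login*master` form of Dovecot's master-user separator that Steffen wrote ("sales*userB"), so the name Dovecot hands the script is the human's own account (userB) and the password is userB's own, which is exactly what gives each human a separate secret for the same role mailbox. The dovecot.conf stanza in the header comment, the table path `/etc/dovecot/master-users.sha256`, the `name:salt:sha256` line format and the demo credentials are all this example's choices, not values from the thread. What the human may then do inside "sales" is left to the ACL entries for userB, as Timo says; the script only answers "is this really userB".

```shell
#!/bin/sh
# master-checkpw: a Dovecot "checkpassword" script for the master passdb.
# Added example for this thread; not Dovecot's code and not any poster's script.
# userA / userB log in as "sales*userA" / "sales*userB" with their OWN password,
# so the role mailbox is opened while the session carries the human's identity.
#
# Assumed dovecot.conf stanza (separator and script path are this example's choices):
#   auth_master_user_separator = *
#   passdb {
#     driver = checkpassword
#     args   = /usr/local/sbin/master-checkpw
#     master = yes
#   }
#
# checkpassword convention: Dovecot writes "username\0password\0timestamp\0" to
# fd 3, runs this script with argv[1] = its checkpassword-reply helper, and
# expects: exec of argv[1] with USER exported on success, exit 1 on bad
# credentials, exit 111 on a temporary (configuration) failure. Assumption of
# this example: in the master passdb the username on fd 3 is the part after
# "*" (the human), and Dovecot resolves the part before "*" via the userdb.

MASTER_DB="${MASTER_DB:-/etc/dovecot/master-users.sha256}"   # assumed path

# Table line format: name:salt:hex(sha256(salt || password)).
hash_pw() {   # hash_pw SALT PASSWORD -> hex digest on stdout
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

gen_line() {  # gen_line NAME SALT PASSWORD -> one table line (run offline)
    printf '%s:%s:%s\n' "$1" "$2" "$(hash_pw "$2" "$3")"
}

# verify_master NAME PASSWORD < table ; returns 0 on match, 1 otherwise.
verify_master() {
    name=$1; pw=$2
    # Only a safe charset is accepted, so a crafted name cannot smuggle a ':'
    # or newline into the lookup; awk then does an exact first-field match.
    case $name in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    line=$(awk -F: -v n="$name" '$1 == n { print; exit }')
    [ -n "$line" ] || return 1
    salt=${line#*:}; salt=${salt%%:*}
    want=${line##*:}
    got=$(hash_pw "$salt" "$pw")
    # Plain string compare (not constant-time); the salted table is what
    # makes the stored value worthless if it leaks.
    [ "$got" = "$want" ]
}

# read_request: fills REQ_USER and REQ_PASS from fd 3 (512 bytes max per the
# protocol). Fields are NUL-separated; the third field (timestamp) is ignored.
read_request() {
    raw=$(head -c 512 <&3 | tr '\000' '\n')
    REQ_USER=$(printf '%s\n' "$raw" | sed -n '1p')
    REQ_PASS=$(printf '%s\n' "$raw" | sed -n '2p')
}

main() {   # main CHECKPASSWORD_REPLY_PATH
    reply=$1
    # An unreadable table is an operator error: report a temporary failure
    # (111), never "wrong password", so clients retry instead of locking out.
    [ -r "$MASTER_DB" ] || exit 111
    read_request
    if verify_master "$REQ_USER" "$REQ_PASS" < "$MASTER_DB"; then
        USER=$REQ_USER
        export USER
        exec "$reply"
    fi
    exit 1
}

# Dovecot always passes the reply helper as argv[1]; without arguments only
# the functions are defined (so the file can be sourced for testing).
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Generate the table offline with `gen_line userB <salt> '<password>' >> /etc/dovecot/master-users.sha256`, one line per human, and keep it readable by the auth process only. Note what this does and does not buy: the login is now attributable to userB rather than to a shared "sales" password, which is the thread's goal, but a master credential lets userB present any account name before the separator, so the rights userB ends up with in "sales" (and in every other account) come from the ACL entries granted to userB, exactly as Timo describes.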
participants (5): /dev/rob0, Charles Marcus, Reindl Harald, Steffen Kaiser, Timo Sirainen