[Dovecot] Clash between multiple authentication databases (security problem?)
Hi all,
I just installed dovecot-1.0_beta2 and love it! However, I've run into issues using multiple authentication databases.
I use both pam (for users on my system) and sql (for virtual users). I've noticed that if I have system user "userabc" and virtual user "userabc@otherdomain.com" (two distinct users) and my "auth default" section contains these passdb/userdb entries in this order (the order in the example config):
    passdb pam
    passdb sql
    userdb pam
    userdb sql
then when userabc@otherdomain.com logs in, he'll get the system user userabc's mail instead of his own. It appears that the sql password check succeeds, then Dovecot grabs the home directory from pam, NOT sql.
I can work around this by setting up "userdb prefetch" and adding that section *before* "userdb pam". If I put "userdb prefetch" after "userdb pam" or after "userdb sql", then Dovecot doesn't actually do the prefetch (which causes an error since Dovecot issues the default SQL query for "user_query", which my MySQL database doesn't like).
Is there a safer way to do this? If not, should there be?
Thanks! Richard
======================================================
complete working dovecot.conf:

    first_valid_uid = 900
    mail_debug = yes
    default_mail_env = maildir:%h/.maildir
    maildir_copy_with_hardlinks = yes
    protocol imap {
      login_greeting_capability = yes
    }
    protocol pop3 {
    }
    auth_debug = yes
    auth default {
      mechanisms = plain
      passdb pam {
        args = "*"
      }
      passdb sql {
        args = /etc/dovecot/dovecot-sql.conf
      }
      userdb prefetch {
      }
      userdb passwd {
      }
      userdb sql {
        args = /etc/dovecot/dovecot-sql.conf
      }
      user = root
    }

======================================================
dovecot-sql.conf:

    driver = mysql
    connect = host=/var/run/mysqld/mysqld.sock user=mail password=** dbname=mail
    default_pass_scheme = SSHA
    password_query = <query that returns user, password, userdb_home, userdb_uid, userdb_gid>
On Thu, 2006-02-02 at 12:24 -0500, dovecot-ri wrote:
> Hi all,
> I just installed dovecot-1.0_beta2 and love it! However, I've run into issues using multiple authentication databases.
> I use both pam (for users on my system) and sql (for virtual users). I've noticed that if I have system user "userabc" and virtual user "userabc@otherdomain.com" (two distinct users) and my "auth default" section contains these passdb/userdb entries in this order (the order in the example config):
>     passdb pam
>     passdb sql
>     userdb pam
>     userdb sql
> ..
> then when userabc@otherdomain.com logs in, he'll get the system user userabc's mail instead of his own. It appears that the sql password check succeeds, then Dovecot grabs the home directory from pam, NOT sql.
Yes, because passdbs and userdbs aren't tied together. It always goes through them in order.
> Is there a safer way to do this? If not, should there be?
Why is userabc@otherdomain.com found from passwd? If there was only "userabc" in passwd and "userabc@otherdomain.com" in SQL, there should be no conflicts since they'd be completely different usernames.
Anyway, I'm not sure if I can do anything about this on Dovecot's side. Unless maybe if I added some kind of optional relationships so you could configure what userdb to use when a user is found from one passdb..
Timo Sirainen wrote:
> On Thu, 2006-02-02 at 12:24 -0500, dovecot-ri wrote:
> > Hi all,
> > I just installed dovecot-1.0_beta2 and love it! However, I've run into issues using multiple authentication databases.
> > I use both pam (for users on my system) and sql (for virtual users). I've noticed that if I have system user "userabc" and virtual user "userabc@otherdomain.com" (two distinct users) and my "auth default" section contains these passdb/userdb entries in this order (the order in the example config):
> >     passdb pam
> >     passdb sql
> >     userdb pam
> >     userdb sql
> > ..
> > then when userabc@otherdomain.com logs in, he'll get the system user userabc's mail instead of his own. It appears that the sql password check succeeds, then Dovecot grabs the home directory from pam, NOT sql.
> Yes, because passdbs and userdbs aren't tied together. It always goes through them in order.
> > Is there a safer way to do this? If not, should there be?
> Why is userabc@otherdomain.com found from passwd? If there was only "userabc" in passwd and "userabc@otherdomain.com" in SQL, there should be no conflicts since they'd be completely different usernames.
> Anyway, I'm not sure if I can do anything about this on Dovecot's side. Unless maybe if I added some kind of optional relationships so you could configure what userdb to use when a user is found from one passdb..
I finally spent the time to properly debug this. Turns out my passdb sql query was returning "userabc" instead of "userabc@otherdomain.com" in the "user" field. This caused dovecot to switch to "userabc" when looking up userdb stuff (as evidenced by "username changed userabc@otherdomain.com -> userabc" in my dovecot logs).
Now I have another problem, but I'll send a separate e-mail to ask about it.
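As an added illustration of the root cause found in the last message, and not part of the thread or of Dovecot's own example configuration: the "user" column returned by password_query is what Dovecot uses as the login name from that point on, so a query that returns only the local part makes Dovecot rewrite "userabc@otherdomain.com" to "userabc" and then walk the userdbs in order for the wrong identity, which is where the system user's home directory came from. The MySQL schema below (table users with columns username, domain, password, home, uid, gid) is a constructed assumption; the prefetch-style column aliases userdb_home, userdb_uid and userdb_gid, the SSHA password scheme and the "username changed" log line are from the thread. %n and %d are Dovecot's variables for the local part and the domain of the login name.

```sql
-- Constructed example schema for virtual users (assumption, not from the thread).
CREATE TABLE users (
  username VARCHAR(64)  NOT NULL,  -- local part, e.g. 'userabc'
  domain   VARCHAR(255) NOT NULL,  -- e.g. 'otherdomain.com'
  password VARCHAR(255) NOT NULL,  -- SSHA hash, matching default_pass_scheme = SSHA
  home     VARCHAR(255) NOT NULL,  -- maildir location handed to userdb prefetch
  uid      INT NOT NULL,
  gid      INT NOT NULL,
  PRIMARY KEY (username, domain)
);

-- Constructed sample rows: the virtual user that collides with system user "userabc".
INSERT INTO users (username, domain, password, home, uid, gid) VALUES
  ('userabc', 'otherdomain.com', '{SSHA}PLACEHOLDER_HASH', '/var/vmail/otherdomain.com/userabc', 5000, 5000);

-- Problematic query: "user" is only the local part. With auth_debug = yes Dovecot logs
-- "username changed userabc@otherdomain.com -> userabc" and the later userdb lookups
-- (passwd before sql) resolve "userabc" to the system account's home directory.
SELECT username AS user,
       password,
       home AS userdb_home,
       uid  AS userdb_uid,
       gid  AS userdb_gid
  FROM users
 WHERE username = '%n' AND domain = '%d';

-- Corrected query: return the full login name so Dovecot keeps the username unchanged,
-- and keep the WHERE clause on both local part and domain so a system-user name alone
-- can never match a virtual-user row.
SELECT CONCAT(username, '@', domain) AS user,
       password,
       home AS userdb_home,
       uid  AS userdb_uid,
       gid  AS userdb_gid
  FROM users
 WHERE username = '%n' AND domain = '%d';
```

In dovecot-sql.conf the corrected SELECT goes on a single line after "password_query =". A quick check that the fix took is to log in as the virtual user with auth_debug = yes and confirm the "username changed" line no longer appears and that the home directory in the log is the SQL one rather than the system account's.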
participants (2): dovecot-ri, Timo Sirainen