[Dovecot] Setting up a local shared mailbox

Phil Brutsche phil at brutsche.us
Sat Sep 13 00:08:26 EEST 2003


Timo Sirainen wrote:
> On Friday, Sep 12, 2003, at 21:42 Europe/Helsinki, Bob Hall wrote:
>
>> On Fri, Sep 12, 2003 at 11:54:56AM -0500, Peter Clark wrote:
>>
>>> auth_passdb = pam
>>> auth_user = root
>>
>> I thought you didn't need to be root to authenticate with PAM? If you
>> can do this as dovecot-auth, it will be more secure.
>
> I think PAM always requires root.

The process authenticating via PAM needs whatever access rights are 
required to read the password database.

Anyone who uses PAM to authenticate out of /etc/shadow (or the 
equivalent) will inevitably end up with the authentication daemon 
running as root.

If you tell PAM to authenticate via:
  * LDAP
  * any SQL database
  * SMB (aka ask a Windows or Samba box)
  * winbind (aka ask a WinNT, Win2k, or Win2k3 domain controller)
then the ability to open a TCP, UDP, or unix domain socket is the only 
access required.

Note that the above list of PAM authentication mechanisms is by no means 
complete.

-- 

Phil Brutsche
phil at brutsche.us
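The privilege question discussed above (which PAM back-ends force the authenticating process to run as root, and which only need a socket) can be checked against a service file mechanically. The following is an added example, not code from the thread or from Dovecot; the module-to-requirement mapping and the sample stacks are assumptions constructed for illustration.

```python
"""Classify a PAM service stack by the access its calling process needs."""
import re

# Assumed mapping: modules that read the local password database directly
# (so the caller needs root, as the post says) versus modules that only
# talk to a remote service over a TCP, UDP or unix domain socket.
SHADOW_MODULES = {"pam_unix", "pam_unix2", "pam_pwdb"}
SOCKET_MODULES = {"pam_ldap", "pam_mysql", "pam_pgsql", "pam_smb_auth", "pam_winbind"}

# type, control (plain word or bracketed list), module path, optional args
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_pam_stack(text):
    """Return (type, control, module) tuples for every rule in a PAM service file.

    Comments and blank lines are skipped; the module is reduced to its base name
    without directory or '.so' so '/lib/security/pam_ldap.so' becomes 'pam_ldap'.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE.match(line)
        if not m:
            continue
        kind, control, module = m.groups()
        module = re.sub(r"\.so$", "", module.rsplit("/", 1)[-1])
        rules.append((kind.lower(), control.lower(), module))
    return rules


def required_access(text):
    """Return 'root', 'socket', 'unknown' or 'none' for a whole service stack.

    One shadow-reading module anywhere in the stack forces 'root'; an unrecognised
    module (or an 'include' of another file) is reported as 'unknown' rather than
    guessed; a stack made only of network modules needs 'socket' access.
    """
    needs = {("root" if mod in SHADOW_MODULES else
              "socket" if mod in SOCKET_MODULES else "unknown")
             for _, _, mod in parse_pam_stack(text)}
    for level in ("root", "unknown", "socket"):
        if level in needs:
            return level
    return "none"


# Constructed sample stacks (not taken from any real system).
SHADOW_STACK = "#%PAM-1.0\nauth required pam_unix.so nullok\naccount required pam_unix.so\n"
LDAP_STACK = "auth sufficient /lib/security/pam_ldap.so\nauth required pam_winbind.so\n"
```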