[Dovecot] Setting up a local shared mailbox
Phil Brutsche
phil at brutsche.us
Sat Sep 13 00:08:26 EEST 2003
Timo Sirainen wrote:
> On Friday, Sep 12, 2003, at 21:42 Europe/Helsinki, Bob Hall wrote:
>
>
>>On Fri, Sep 12, 2003 at 11:54:56AM -0500, Peter Clark wrote:
>>
>>>auth_passdb = pam
>>>auth_user = root
>>
>>I thought you didn't need to be root to authenticate with PAM? If you
>>can do this as dovecot-auth, it will be more secure.
>
>
> I think PAM always requires root.
The process authenticating via PAM needs whatever access rights are
required to read the password database.
Anyone who uses PAM to authenticate out of /etc/shadow (or the
equivalent) will inevitably end up with the authentication daemon
running as root.
If you tell PAM to authenticate via:
* LDAP
* any SQL database
* SMB (aka ask a Windows or Samba box)
* winbind (aka ask a WinNT, Win2k, or Win2k3 domain controller)
then the ability to open a TCP, UDP, or unix domain socket is the only
access required.
Note that the above list of PAM authentication mechanisms is by no means
complete.
--
Phil Brutsche
phil at brutsche.us
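As an added illustration of the point above (this is example code written for this page, not Dovecot code and not from anyone in the thread): the privilege the authentication daemon needs follows from which PAM modules sit in the service's `auth` stack. The small parser below reads a `/etc/pam.d/<service>` file and classifies the stack as needing local shadow access (so `auth_user` would have to be root) or only socket access (so a dedicated user such as dovecot-auth suffices). The module groupings and both sample service files are constructed assumptions for the example, not an authoritative list.

```python
"""Classify a PAM service file's auth stack by the access it needs.

Assumption (not from the thread): module families grouped by what the
calling process must be able to reach. Extend the sets for your system.
"""
import os
import re

LOCAL_SHADOW_MODULES = {"pam_unix", "pam_unix2", "pam_pwdb"}      # read /etc/shadow
SOCKET_MODULES = {"pam_ldap", "pam_mysql", "pam_pgsql", "pam_smb_auth",
                  "pam_winbind", "pam_krb5"}                       # talk to a service
NO_ACCESS_MODULES = {"pam_deny", "pam_permit", "pam_env", "pam_nologin"}

# type, control (plain word or [bracketed ...]), module path, optional args
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_service(text):
    """Return [(type, control, module, args)] for a pam.d service file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        mtype, control, module_path, args = m.groups()
        module = os.path.basename(module_path)
        if module.endswith(".so"):
            module = module[:-3]
        entries.append((mtype.lower(), control, module, args.strip()))
    return entries


def auth_privilege(text):
    """Classify the auth stack as 'local-shadow', 'socket-only' or 'unknown'.

    'include'/'substack' lines and unlisted modules yield 'unknown' rather
    than a guess, since the privilege then depends on another file.
    """
    auth_modules = [mod for mtype, _, mod, _ in parse_pam_service(text)
                    if mtype == "auth"]
    if not auth_modules:
        return "unknown"
    if any(mod in LOCAL_SHADOW_MODULES for mod in auth_modules):
        return "local-shadow"
    if all(mod in SOCKET_MODULES | NO_ACCESS_MODULES for mod in auth_modules):
        return "socket-only"
    return "unknown"


# Constructed sample service files (not taken from any real host).
SHADOW_PAM = """\
#%PAM-1.0
auth    required    pam_unix.so nullok
account required    pam_unix.so
"""

LDAP_PAM = """\
#%PAM-1.0
auth    [success=1 default=ignore] pam_ldap.so
auth    required    pam_deny.so
account required    pam_ldap.so
"""

if __name__ == "__main__":
    for name, cfg in (("shadow", SHADOW_PAM), ("ldap", LDAP_PAM)):
        print(name, "->", auth_privilege(cfg))
```

Run against a real service file with `auth_privilege(open("/etc/pam.d/dovecot").read())` to see whether the stack actually justifies `auth_user = root`; a result of `socket-only` is the case where dropping to an unprivileged auth user costs nothing.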