[Dovecot] New userdb backend for checkpassword like programs

Timo Sirainen tss at iki.fi
Mon Oct 20 21:04:31 EEST 2008


On Oct 20, 2008, at 8:57 PM, Sascha Wilde wrote:

> Timo Sirainen <tss at iki.fi> writes:
>
>> On Oct 20, 2008, at 8:00 PM, Sascha Wilde wrote:
>>
>>> My solution:
>>>
>>>   1. The userdb-only checkpassword script sees no AUTHORIZED in the
>>>      environment and returns with an exit code != 0[0]
>>
>> You assume that the script actually checks this.
>
> More than that, I defined that it MUST do so.
> As you said, it's a new variant, so _we_ can define how it has to  
> behave.

People are badly behaving :) There's nothing that's technically  
forcing to check that.

>> There's no requirement that a userdb-only script needs to bother  
>> doing
>> it. The use of AUTHORIZED environment is necessary only if the script
>> wants to handle both passdb and userdb.
>
> But you are requiring the userdb-only checkpassword program to set
> AUTHORIZED (or any other environment variable) to a specific value.   
> Why
> should a developer ignoring my requirement bother to obey yours?

If you aren't changing AUTHORIZED environment to a specific value, the  
userdb lookup will fail because checkpassword-reply sees that it's not  
set correctly. So the handling goes like:

1) userdb lookup: userdb-only checkpassword script setting  
AUTHORIZED=2 -> checkpassword returns 2 -> dovecot-auth assumes ok

2) passdb lookup: userdb-only checkpassword script setting  
AUTHORIZED=2 -> checkpassword returns 2 -> dovecot-auth fails the  
passdb lookup

3) userdb lookup: passdb-only checkpassword script doesn't set  
AUTHORIZED=2 -> checkpassword returns 0 -> dovecot-auth fails the  
userdb lookup

4) passdb lookup: passdb-only checkpassword script doesn't set  
AUTHORIZED=2 -> checkpassword returns 0 -> dovecot-auth assumes ok

All of this forces that the checkpassword script developer either  
handles the AUTHORIZED environment correctly or it doesn't work at  
all. And it prevents admin from accidentally using the script wrong.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20081020/740a4715/attachment.bin 


More information about the dovecot mailing list