[Dovecot] Last login tracking with login_executable

Denny Lin dennylin93 at hs.ntnu.edu.tw
Thu Oct 14 17:04:37 EEST 2010


Hi,

On Thu, Oct 14, 2010 at 03:00:32PM +0100, Timo Sirainen wrote:
> On Thu, 2010-10-14 at 09:55 +0100, Ed W wrote:
> > > Is there any way to make Dovecot use the same username/password for
> > > database access as userdb and passdb queries? Specifying the password
> > > with -p doesn't seem like a good idea, so I'm wondering if it can be
> > > handled by Dovecot directly.
> > If your risk is that the user compromises the login process and can see 
> > the login script 
> 
> BTW. That's not enough. The login process is chrooted to a nearly empty
> directory and can't read anything. To read the post-login script the
> user would have to compromise imap/pop3 process (which is more likely
> anyway, because they're more complex). But that could also be prevented
> by not giving that process read access to the script.
> 
> I think more problematic is that the -p password shows up in ps list.
> That can be avoided by placing the script to MySQL's config file.
> http://dev.mysql.com/doc/refman/5.1/en/password-security-user.html

Sorry for not describing the problem clearly. Timo is spot on the
problem I was trying to describe.

I was wondering if it would be possible to read the username/password
from a Dovecot config file (like userdb/passdb/quota/expire) instead of
using my.cnf.

Thanks!

-- 
Denny Lin
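
The concern in the quoted reply (a password given with -p shows up in the ps list, one read from a MySQL option file does not), sketched as a post-login script. This is an added example, not code from the thread or from Dovecot. The option-file path, the database "mail", the table and column names, and the use of $USER for the login name are assumptions.

```shell
#!/bin/sh
# Added example. Assumed: CNF path, database "mail", table users(userid, last_login).
CNF="${LASTLOGIN_CNF:-/etc/dovecot/lastlogin.cnf}"   # holds [client] user= / password=

# Succeed only if the option file exists and group/other have no access to it.
cnf_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ln "$1" | cut -c5-10)    # group and other bits of the mode string
    [ "$perms" = "------" ]
}

# Accept only characters that cannot break out of a quoted SQL string.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9@._-]*) return 1 ;;
    esac
    return 0
}

# Build the statement; call only after valid_user has accepted the name.
last_login_sql() {
    printf "UPDATE users SET last_login = NOW() WHERE userid = '%s'" "$1"
}

post_login() {
    if valid_user "$USER" && cnf_is_private "$CNF"; then
        # Credentials are read from the option file, so argv (and ps) carry
        # no password. --defaults-extra-file has to be the first option.
        mysql --defaults-extra-file="$CNF" -e "$(last_login_sql "$USER")" mail \
            || echo "last-login: update failed" >&2
    else
        echo "last-login: skipped (bad username or $CNF not private)" >&2
    fi
    exec "$@"    # continue with the imap/pop3 binary passed as arguments
}

# Dovecot passes the next binary as arguments; with none, only define the functions.
if [ "$#" -gt 0 ]; then
    post_login "$@"
fi
```

The option file should be owned by the account the script runs as and set to mode 0600, which is what cnf_is_private checks before mysql is called.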

