[Dovecot] checkpassword protocol
Heiko Schlichting
dovecot-l at fu-berlin.de
Mon Apr 8 10:00:48 EEST 2013
> Hmm. The AUTH_PASSWORD wasn't really an intentional addition .. but
> I guess it can stay there. Some 10 years ago that might not have been
> such a good idea since there were still some systems where process
> environment variables were readable to all users in the system, but
> I doubt there exist such systems anymore (at least where people would
> want to run Dovecot).
Very optimistic assumption. Wouldn't it be safer to remove the password
from the environment? Anyone using checkpassword should use FD 3 and 4 for
this purpose. Environment variables and command line arguments are not safe
to transport passwords.
Heiko
Heiko Schlichting Freie Universität Berlin
heiko.schlichting at fu-berlin.de Zentraleinrichtung für Datenverarbeitung
Telefon +49 30 838-54327 Fabeckstraße 32
Telefax +49 30 838454327 14195 Berlin
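
The approach recommended in the reply above, as an added example that is not part of the original message or of Dovecot's code: a checkpassword-style program that takes the credentials only from descriptor 3 and drops AUTH_PASSWORD from the environment before running the next program. The record layout, 512-byte limit and exit codes follow the classic checkpassword interface; the `verify` callback and the demo credential table are hypothetical, constructed values.

```python
import hmac
import os
import sys

MAX_RECORD = 512  # the checkpassword interface allows at most 512 bytes on fd 3
SECRET_VARS = ("AUTH_PASSWORD",)  # variable discussed in the thread


def read_credentials(fd=3):
    """Parse 'user NUL password NUL [timestamp NUL]' read from a descriptor."""
    data = b""
    while len(data) <= MAX_RECORD:
        chunk = os.read(fd, MAX_RECORD + 1 - len(data))
        if not chunk:
            break
        data += chunk
    os.close(fd)  # do not leak the descriptor to the program we exec
    if len(data) > MAX_RECORD:
        raise ValueError("record exceeds 512 bytes")
    fields = data.split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("expected NUL-terminated user and password")
    return fields[0], fields[1]


def scrubbed_env(env):
    """Return a copy of env without the variables that carry the password."""
    return {k: v for k, v in env.items() if k not in SECRET_VARS}


def main(argv, verify):
    """Return an exit code, or exec argv[1:] on success and never return."""
    if len(argv) < 2:
        return 2  # misuse: no program to run after authentication
    try:
        user, password = read_credentials(3)
    except ValueError:
        return 2  # malformed input on fd 3
    except OSError:
        return 111  # temporary failure, e.g. fd 3 is not open
    if not verify(user, password):
        return 1  # credentials rejected
    os.execvpe(argv[1], argv[1:], scrubbed_env(os.environ))


if __name__ == "__main__":
    DEMO = {b"alice": b"constructed-demo-secret"}  # constructed sample data
    check = lambda u, p: u in DEMO and hmac.compare_digest(DEMO[u], p)
    sys.exit(main(sys.argv, check))
```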