[Dovecot] checkpassword protocol
Timo Sirainen
tss at iki.fi
Mon Apr 8 13:26:36 EEST 2013
On 8.4.2013, at 10.00, Heiko Schlichting <dovecot-l at FU-Berlin.DE> wrote:
>> Hmm. The AUTH_PASSWORD wasn't really an intentional addition .. but
>> I guess it can stay there. Some 10 years ago that might not have been
>> such a good idea since there were still some systems where process
>> environment variables were readable to all users in the system, but
>> I doubt there exist such systems anymore (at least where people would
>> want to run Dovecot).
>
> Very optimistic assumption. Wouldn't it be safer to remove the password
> from the environment? Anyone using checkpassword should use FD 3 and 4 for
> this purpose. Environment variables and command line arguments are not safe
> to transport passwords.
All the OSes made the environment private 10-15 years ago. I think it's pretty safe to assume that older multiuser systems won't be running Dovecot with checkpassword backend.
But .. eh. I guess: http://hg.dovecot.org/dovecot-2.2/rev/9feb2986945c
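As an added example (not from this thread, from Dovecot, or from the linked changeset), a minimal Dovecot-style checkpassword script in Python that takes the credentials from fd 3, as Heiko recommends, rather than from AUTH_PASSWORD, and strips that variable from the environment before exec'ing the reply binary. The fd 3 layout (user\0password\0timestamp\0, at most 512 bytes) and the exit-code convention come from the checkpassword interface; the reply binary as argv[1] and the DEMO_USERS store are assumptions.

```python
import hmac
import os
import sys

MAX_INPUT = 512  # the checkpassword interface caps the fd 3 payload at 512 bytes
DEMO_USERS = {"alice": "s3cret"}  # constructed demo store, not a real backend


def parse_checkpassword_input(data: bytes):
    """Parse "user\\0password\\0timestamp\\0[extra]" from fd 3; raise
    ValueError on a missing field or an over-long payload."""
    if len(data) > MAX_INPUT:
        raise ValueError("checkpassword input exceeds %d bytes" % MAX_INPUT)
    parts = data.split(b"\0", 3)
    if len(parts) < 4:
        raise ValueError("expected user, password and timestamp fields")
    user, password, timestamp, extra = parts
    return user.decode(), password.decode(), timestamp.decode(), extra


def check_credentials(user: str, password: str) -> bool:
    """Constant-time comparison against the demo store; unknown users fail."""
    expected = DEMO_USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def scrubbed_environment(env):
    """Copy of env without AUTH_PASSWORD, so the password is not inherited by
    the reply binary or anything it spawns (older Dovecot versions set it)."""
    return {k: v for k, v in env.items() if k != "AUTH_PASSWORD"}


def read_fd3() -> bytes:
    """Read fd 3 to EOF and close it, as the checkpassword interface requires."""
    chunks = []
    while True:
        chunk = os.read(3, MAX_INPUT + 1)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(3)
    return b"".join(chunks)


if __name__ == "__main__":
    # Assumed invocation: this script is run with the reply binary as argv[1].
    user, password, _timestamp, _extra = parse_checkpassword_input(read_fd3())
    if not check_credentials(user, password):
        sys.exit(1)  # djb checkpassword convention: exit 1 on a bad password
    # Extra userdb fields go to fd 4 (see Dovecot's checkpassword docs) before exec.
    os.execve(sys.argv[1], sys.argv[1:], scrubbed_environment(os.environ))
```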