[Dovecot] Userdb passwd and 'nologin' users

Timo Sirainen tss at iki.fi
Fri Feb 22 15:17:46 EET 2013


After thinking about this for a while, I think the best solution is simply to remove the shell check unconditionally. I'm not sure if anyone else except me ever wanted it (and I can live with a couple of unnecessary users getting mailboxes). Done for v2.2:
http://hg.dovecot.org/dovecot-2.2/rev/4eea2224e16b

I did also wonder about using a special "dovecot-skip" GECOS field for this, but maybe not a good idea either.

On 1.2.2013, at 0.35, Ben Morrow <ben at morrow.me.uk> wrote:

> I am running Dovecot with system users (userdb passwd), but some of
> those users don't have shell accounts on the IMAP server so their shell
> on that machine is set to /usr/sbin/nologin. Currently I am using
> maildirs and this is not a problem, but I am in the process of switching
> to dbox which means I will need a cronjob running 'doveadm purge -A'.
> 
> During testing I found that those users with a 'nologin' shell are not
> included in the list returned by the userdb iterator, and that the
> iterator doesn't honour the first/last_valid_uid settings. This
> inconsistency seems undesirable, so the attached patch
> 
>    - makes lookup perform the same checks as iteration,
>    - makes the 'nologin' check configurable,
>    - adds a new optional check that the user owns their home directory.
> 
> The last check was the one performed by qmail, and seems to me to be a
> more reliable 'is this a real user' check than a nologin shell.
> 
> If this patch is applied, the release notes for the next release should
> probably mention that system users with a 'nologin' shell will no longer
> be allowed to log in to IMAP until the 'auth_check_nologin' setting is
> changed from true to false.
> 
> Also, there seem to be two first/last_valid_uid settings:
> first_valid_uid itself, which is honoured by the storage subsystem, and
> auth_first_valid_uid, which is honoured by the 'passwd' userdb. Is this
> intentional?
> 
> Ben
> 
> <userdb-passwd-nologin.patch>
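
The mismatch Ben describes (lookup accepts 'nologin' users inside the valid UID range, while iteration skips them and ignores the UID range) can be modelled over a passwd file to see which accounts a 'doveadm purge -A' run would miss. This is an added example, not code from either poster or from Dovecot; the function names, the basename test for a 'nologin' shell, the treatment of a last UID of 0 as "no upper limit", and the sample entries are all assumptions made for illustration.

```python
from typing import NamedTuple

class PasswdEntry(NamedTuple):
    name: str
    uid: int
    home: str
    shell: str

def parse_passwd(text):
    """Parse passwd(5) lines: name:passwd:uid:gid:gecos:home:shell."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed lines instead of guessing at them
        entries.append(PasswdEntry(fields[0], int(fields[2]), fields[5], fields[6]))
    return entries

def has_nologin_shell(entry):
    # Assumption: a "nologin shell" is one whose basename is "nologin".
    return entry.shell.rsplit("/", 1)[-1] == "nologin"

def lookup_accepts(entry, first_uid, last_uid):
    # Lookup as described in the thread: UID range only, no shell check.
    # Assumption: last_uid == 0 means "no upper limit".
    return entry.uid >= first_uid and (last_uid == 0 or entry.uid <= last_uid)

def iteration_lists(entry):
    # Iteration as described in the thread: shell check only, no UID range.
    return not has_nologin_shell(entry)

def mismatches(entries, first_uid, last_uid):
    """Return (missed_by_iteration, listed_but_rejected_by_lookup)."""
    missed = [e.name for e in entries
              if lookup_accepts(e, first_uid, last_uid) and not iteration_lists(e)]
    extra = [e.name for e in entries
             if iteration_lists(e) and not lookup_accepts(e, first_uid, last_uid)]
    return missed, extra

# Constructed sample data, not taken from any real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob (mail only):/home/bob:/usr/sbin/nologin
"""

if __name__ == "__main__":
    missed, extra = mismatches(parse_passwd(SAMPLE), first_uid=1000, last_uid=0)
    print("can log in but never iterated:", missed)
    print("iterated but outside valid UID range:", extra)
```
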



