[Dovecot] Last login tracking with login_executable

Ed W lists at wildgooses.com
Thu Oct 14 11:55:50 EEST 2010


On 13/10/2010 13:14, Denny Lin wrote:
> Hi,
>
> I'm using Dovecot 1.2.14, and I've read PostLoginScripting on the wiki.
>
> Is there any way to make Dovecot use the same username/password for
> database access as userdb and passdb queries? Specifying the password
> with -p doesn't seem like a good idea, so I'm wondering if it can be
> handled by Dovecot directly.
>
> Or is it possible to track last logins with a plugin similar to quota?
>

So you have read here:
     http://wiki.dovecot.org/PostLoginScripting

What are you trying to defend against that this isn't covered here?

If your risk is that the user compromises the login process and can see 
the login script then why not create a separate user who only has 
permission to touch the "last_login" table.  If that's not enough then 
drop all that into a script and remove permissions from the script (I 
think chmod -r+x works?).

One step up might be to a) create a new user b) grant that user ONLY 
access to a stored proc c) now their only ability to influence the 
database is to call the stored proc which is itself only allowed to 
insert rows.  Difficult to imagine how you could lock down tighter than 
this AND it doesn't require per-user permissions?

I think unless you enforce row level AND table level security you won't 
defend against someone using a per user password anyway (you need to 
give everyone access to the last_logins table - what stops them wiping 
out other users rows simply because they are logged in as them?).

Ed W
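The "new user + stored procedure" layout described above, written out as an added PostgreSQL example (it is not code from the original post or from Dovecot). The table name last_login comes from the thread; the role name dovecot_lastlogin, the function name record_last_login() and the column layout are assumptions for illustration:

```sql
-- Added example, not from the original post. Assumed names: role
-- dovecot_lastlogin, function record_last_login(). PostgreSQL syntax.

-- The table the post-login script must never touch directly.
CREATE TABLE last_login (
    username   text        NOT NULL,
    last_seen  timestamptz NOT NULL DEFAULT now(),
    remote_ip  inet
);

-- Role used only by the post-login script; it owns nothing.
CREATE ROLE dovecot_lastlogin LOGIN PASSWORD 'CHANGE_ME';

-- SECURITY DEFINER: the body runs with the function owner's rights,
-- so the calling role needs no privilege on last_login at all.
-- Pinning search_path stops a caller from shadowing the table name.
CREATE OR REPLACE FUNCTION record_last_login(p_user text, p_ip inet)
RETURNS void
LANGUAGE sql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
    INSERT INTO last_login (username, remote_ip) VALUES (p_user, p_ip);
$$;

-- Start from zero. New functions are executable by PUBLIC by default,
-- so that grant has to be revoked explicitly.
REVOKE ALL ON TABLE last_login FROM PUBLIC;
REVOKE ALL ON FUNCTION record_last_login(text, inet) FROM PUBLIC;

-- The script role's only abilities: see the schema, call the function.
GRANT USAGE ON SCHEMA public TO dovecot_lastlogin;
GRANT EXECUTE ON FUNCTION record_last_login(text, inet) TO dovecot_lastlogin;

-- Verification, run as a superuser after the setup above:
--   SET ROLE dovecot_lastlogin;
--   SELECT * FROM last_login;                         -- permission denied
--   DELETE FROM last_login;                           -- permission denied
--   UPDATE last_login SET last_seen = now();          -- permission denied
--   SELECT record_last_login('alice', '192.0.2.10');  -- succeeds: one row inserted
--   RESET ROLE;
```

With this in place the script can only append rows; reading, updating or wiping the table is refused at the database, regardless of what the script's process can see. Note that the function still trusts the username argument the script passes in, so this covers the "insert only" goal from the post, not the row-level concern raised afterwards. The password for dovecot_lastlogin can be kept out of the command line by letting the script authenticate through a .pgpass file (or peer authentication on a local socket) rather than a -p style flag.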
