[Dovecot] New userdb backend for checkpassword like programs

Sascha Wilde wilde at intevation.de
Mon Oct 20 19:08:04 EEST 2008


Timo Sirainen <tss at iki.fi> writes:

> On Mon, 2008-10-20 at 17:26 +0200, Sascha Wilde wrote:
>>     Currently the code handles only two cases: success and (any kind of)
>>     error.  The passdb-checkpassword stuff seems not to handle "user
>>     doesn't exist" in any special way, so I don't see why the userdb
>>     backend should.
>
> The difference is that userdb lookups need to know if the user exists or
> if the error is only temporary. That determines if deliver returns
> EX_TEMPFAIL or EX_NOUSER.

Ah, I see.  I'll implement it accordingly.

>> >  - a valid userdb checkpassword script shouldn't be a valid passdb
>> > checkpassword script to avoid accidents. I guess this could be done by
>> 
>> I don't agree here.  I think it would be ok to have only one
>> checkpassword executable to handle both cases.
>
> Yes, but a checkpassword script written to handle *only* userdb lookups
> shouldn't be a valid passdb script.

Ok, we can agree on that.  But I think it would be sufficient to say
that such a userdb-only checkpassword script MUST fail if AUTHORIZED is
not set.

>> > 1) Require userdb scripts to set USERDB environment.
>> >
>> > 2) checkpassword-reply checks if USERDB environment is set. If it is,
>> > return exit code 2 instead of 0.
>> >
>> > 3) userdb-checkpassword.c's success exit code is 2. exit code 0 would
>> > produce failure.
>> >
>> > Hmm. Or perhaps instead of USERDB change the AUTHORIZED environment's
>> > value to something else.
>> 
>> 1) I fully agree that it is a very good idea that, if AUTHORIZED is set
>>    checkpassword-reply should return something != 0 at success and
>>    userdb-checkpassword should expect this very value.
>> 
>>    I'll implement that.
>> 
>> 2) I don't understand why the checkpassword program[0] should change the
>>    environment in any way.
>
> The idea was that if there's a checkpassword script that handles only
> userdb lookups and it's tried to be used as passdb checkpassword, it
> would fail because checkpassword-reply sees AUTHORIZED=2 environment,
> which would cause it to return 2 which would cause passdb checkpassword
> to fail the authentication.

I understand the idea now, but see above: we need the (userdb only)
checkpassword script to follow our rules anyway, so instead of doing
magic to the environment and checking for this in checkpassword-reply it
should be sufficient for the script to fail if AUTHORIZED wasn't set.

Or am I missing something?

cheers
sascha
-- 
Sascha Wilde                                          OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/                  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer:   Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver Wagner
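
The two safeguards debated in this message, modeled as an added example (not part of the original e-mail and not Dovecot code). It compares a userdb-only script that fails when AUTHORIZED is unset with one that sets AUTHORIZED=2 itself so that checkpassword-reply returns 2. The function names are hypothetical, exit code 2 is the value proposed in the thread, and it is assumed that the userdb caller sets AUTHORIZED while the passdb caller does not.

```shell
#!/bin/sh
# Model only: function names are hypothetical, exit code 2 is the value
# proposed in the thread, and no real lookup or password check is done.

# Stand-in for checkpassword-reply: success is 2 when AUTHORIZED is set,
# 0 otherwise.
reply() {
    if [ -n "${AUTHORIZED:-}" ]; then return 2; fi
    return 0
}

# A userdb-only script: it never verifies a password.
#   $1 = "guard" makes it fail when the caller did not set AUTHORIZED
#   $2 = "mark"  makes the script set AUTHORIZED=2 itself
userdb_only_script() {
    if [ "$1" = guard ] && [ -z "${AUTHORIZED:-}" ]; then
        return 1
    fi
    if [ "$2" = mark ]; then AUTHORIZED=2; fi
    reply
}

# passdb caller: AUTHORIZED unset, only exit code 0 authenticates.
passdb_lookup() {
    if ( unset AUTHORIZED; userdb_only_script "$1" "$2" ); then
        echo accepted
    else
        echo rejected
    fi
}

# userdb caller: AUTHORIZED set, only exit code 2 counts as success.
userdb_lookup() {
    rc=0
    ( AUTHORIZED=1; userdb_only_script "$1" "$2" ) || rc=$?
    if [ "$rc" -eq 2 ]; then echo found; else echo failed; fi
}

# Print the full matrix of script variants against both callers.
for guard in guard noguard; do
    for mark in mark nomark; do
        echo "$guard/$mark: passdb=$(passdb_lookup "$guard" "$mark")" \
             "userdb=$(userdb_lookup "$guard" "$mark")"
    done
done
```

Only the variant with neither safeguard is accepted by the passdb caller; either safeguard alone turns the misconfiguration into a failed authentication, and all four variants still succeed as userdb lookups.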