[tpop3d-discuss] APOP from flat files
Chris Lightfoot
chris at ex-parrot.com
Thu, 6 Feb 2003 12:35:33 +0000

On Thu, Feb 06, 2003 at 12:17:58PM +0000, Paul Makepeace wrote:
> On Thu, Feb 06, 2003 at 10:47:44AM +0000, Chris Lightfoot wrote:
> > > After I sent you those patches I realised the system I'm doing this all
> > > for uses /etc/passwd to verify the user exists & divine their uid/gid,
> > > and then consults some other database (G?DBM as explained) for the
> > > passwords. This is qpopper's behaviour.
> > [...]
> > > So first obvious thing that occurs to me is an APOP database directive that
> > > is possibly prefixed with something like exim's dbm; syntax.
> > >
> > > Thoughts?
> >
> > (a) that's horrid.
>
> What do you think is horrid?
>
> I thought this too admittedly, initially imbued with the concepts of
> tpop3d. But looking from outside, how else would one implement APOP with
> shell users?

A file in the user's home directory called ~/.mailauth, on
the basis that the password should be under the user's
sole control; there's no need for a bunch of privileged
tools to manage it. (For the same reason there's no reason
whatsoever for the crontab(1) suid mess -- you should have
a ~/.cron file and then crond could consist of a thing
which checked the permissions on everyone's ~/.cron and
su'd and ran their contents if necessary.)
But I suppose there are worse ways of approaching it.

> This is hardly a far-fetched situation... In fact for most sites wanting
> APOP that are running off /etc/passwd I bet this *is* the most
> likely situation.

Mmm.

I suppose that the correct way to approach this is to do
it all exim-style with substitutable functions for
database lookups, so that you could say something like:

(NB syntax is made-up and probably not consistent)

    auth-methods: ${file:/etc/passwd[$user];$1, $3, $4, \
                      "{crypt}$2","bsd:/var/spool/mail/$1"} \
                  ${file:/etc/passwd[$user];$1, $3, $4, \
                      "{plain}${dbmfile:/etc/apopdb[$user];$1}, \
                      "bsd:/var/spool/mail/$1"} \
                  ${mysql:select local_part, uid, gid, pwhash from popboxes \
                      where local_part = ${mysql_escape:$local_part} \
                      and domain = ${mysql_escape:$domain}; \
                      $1, $2, $3, "bsd:$4"}

I don't think I'm prepared to implement this in the near
future, but it's worth thinking about.
--
``Knock hard. Life is deaf.''
(Arnold Wesker)
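
Added example (not part of the original message, and not tpop3d code): a Python version of the ~/.mailauth idea discussed above, in which the server checks ownership and permissions on the per-user file before using its contents as the APOP shared secret (RFC 1939: MD5 of the banner timestamp followed by the secret). The file layout (secret on the first line) and all function names are assumptions; the timestamp and secret in the demo are the illustration values from RFC 1939.

```python
import hashlib
import hmac
import os
import stat


def apop_digest(timestamp: str, secret: bytes) -> str:
    """RFC 1939 APOP: hex MD5 of the banner timestamp followed by the secret."""
    return hashlib.md5(timestamp.encode("ascii") + secret).hexdigest()


def read_secret(path: str, owner_uid: int) -> bytes:
    """Read the secret, refusing files the user does not solely control.

    Assumed layout (the thread does not define one): first line is the secret.
    """
    # O_NOFOLLOW rejects a symlink as the last path component; O_NONBLOCK
    # keeps a planted FIFO from hanging the daemon.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != owner_uid:
            raise PermissionError("not owned by the mailbox user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("accessible to group or other")
        return os.read(fd, 4096).split(b"\n", 1)[0].rstrip(b"\r")
    finally:
        os.close(fd)


def verify_apop(path: str, owner_uid: int, timestamp: str, digest: str) -> bool:
    """True only if the file passes the checks and the client digest matches."""
    try:
        secret = read_secret(path, owner_uid)
    except OSError:
        return False
    if not secret:
        return False
    expected = apop_digest(timestamp, secret).encode("ascii")
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(expected, digest.lower().encode("utf-8"))


if __name__ == "__main__":
    # RFC 1939's illustration values; digest c4c9334bac560ecc979e58001b3e22fb
    print(apop_digest("<1896.697170952@dbc.mtview.ca.us>", b"tanstaaf"))
```

The checks cover the file itself; ownership of the directories leading to it is not examined here.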