[tpop3d-discuss] APOP from flat files

Chris Lightfoot chris at ex-parrot.com
Thu, 6 Feb 2003 12:35:33 +0000 

On Thu, Feb 06, 2003 at 12:17:58PM +0000, Paul Makepeace wrote:
> On Thu, Feb 06, 2003 at 10:47:44AM +0000, Chris Lightfoot wrote:
> > > After I sent you those patches I realised the system I'm doing this all
> > > for uses /etc/passwd to verify the user exists & divine their uid/gid,
> > > and then consults some other database (G?DBM as explained) for the
> > > passwords. This is qpopper's behaviour.
> >     [...]
> > > So first obvious thing that occurs to me an APOP database directive that
> > > is possibly prefixed with something like exim's dbm; syntax.
> > > 
> > > Thoughts?
> > 
> > (a) that's horrid.
> 
> What do you think is horrid?
> 
> I thought this too admittedly, initially imbued with the concepts of
> tpop3d. But looking from outside, how else would one implement APOP with
> shell users?

A file in the user's home directory called ~/.mailauth, on
the basis that the password should be under the user's
sole control; there's no need for a bunch of privileged
tools to manage it. (For the same reason there's no reason
whatsoever for the crontab(1) suid mess -- you should have
a ~/.cron file and then crond could consist of a thing
which checked the permissions on everyone's ~/.cron and
su'd and ran their contents if necessary.)

But I suppose there are worse ways of approaching it.

> This is hardly a far fetched situation... In fact for most sites wanting
> APOP that are running off /etc/passwd this I bet this *is* the most
> likely situation.

Mmm.

I suppose that the correct way to approach this is to do
it all exim-style with substitutable functions for
database lookups, so that you could say something like:
(NB syntax is made-up and probably not consistent)

    auth-methods: ${file:/etc/passwd[$user];$1, $3, $4,                 \
                            "{crypt}$2","bsd:/var/spool/mail/$1"}       \
                  ${file:/etc/passwd[$user];$1, $3, $4,                 \
                            "{plain}${dbmfile:/etc/apopdb[$user];$1},   \
                            "bsd:/var/spool/mail/$1"}                   \
                  ${mysql:select local_part, uid, gid, pwhash from popboxes \
                            where local_part = ${mysql_escape:$local_part}  \
                              and domain = ${mysql_escape:$domain};         \
                              $1, $2, $3, "bsd:$4"}

I don't think I'm prepared to implement this in the near
future, but it's worth thinking about.

-- 
``Knock hard. Life is deaf.''
  (Arnold Wesker)