auth_unix

Igor Brezac igor at ipass.net
Tue Apr 5 14:32:00 EDT 2005


On Tue, 5 Apr 2005, Patrick Radtke wrote:

> I have a question about the
>
> --with-auth=unix    method for authorization.
>
> I would assume that a user would only be authorized to access mailboxes that 
> the user has rights to if the user has a unix account in the first place.
>
> e.g. If there are 2 mailboxes  'box1' with acls 'testuser lrswipcda' and 
> mailbox 'box2' with acls 'anyone lrswipcda'.
> If testuser has no unix account I would not expect him to see box1 (since no 
> unix account == no authorization), but be able to see box2
>
> From my testing, this does not seem to be the case.
>
> testuser has no unix account but can still access all mailboxes that have an 
> acl with his name.
>
> It appears that --with-auth=unix is good for doing authorization with group 
> acls.
>
> in the code I would have assumed if  ( from auth_unix.c,  method struct 
> auth_state *auth_newstate(const char *identifier) )
> getpwnam(identifier) returned null (the unix account does not exist)
>
> then *newstate should remain null, and the login would only be authorized for 
> anyone, anonymous acl stuff
>

And testuser would not be able to login.

getpwnam() is used to fetch groups only.

>
> I have read a bunch of posts about doing ldap filters with saslauthd or 
> pam_ldap to control who has access, but I'd prefer using the --with-auth 
> mechanism for various reasons (one of which is we prefer running saslauthd -a 
> kerberos5)
>
> Is the behavior I see from --with-auth=unix the intended and desired behavior?

Yes.

> does --with-auth=pts with --with-pts=ldap behave the same as --with-auth=unix? 
> i.e. If user can login he is authorized to view his own mailbox regardless of 
> whether he exists according to the authorization mechanism?
> or if there is no user matching user in ldap, will it fail and not let them 
> login (acceptable for our use)?

The latter; an identifier (userid) has to exist in ldap for the user to login. 
I guess you can argue that the unix authorization module should work this way.

Since you use kerberos5 you can use the krb5 authorization mech, but then 
you lose group functionality.

You might want to fetch the cvs version; the authorization module can now be 
specified at runtime.

-- 
Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
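The behaviour discussed in this thread, as an added illustration that is not Cyrus code and not from either poster: `auth_newstate_lenient` models what Igor describes (the identifier is always kept and `getpwnam()` is consulted only to collect groups, so an identifier with no Unix account still matches its own ACL entry), while `auth_newstate_strict` is a hypothetical variant that refuses to build a state when the account is missing, which is the behaviour Patrick expected. The `auth_memberof` ACL matcher, the `group:` prefix convention and the user name `testuser-no-such-account` are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <grp.h>

#define MAX_GROUPS 64
#define NAME_LEN 256

/* Minimal authorization state: the login identifier plus its group names. */
struct auth_state {
    char userid[NAME_LEN];
    int ngroups;
    char groups[MAX_GROUPS][NAME_LEN];
};

/* Lenient model of the auth_unix behaviour described in the thread:
   the identifier is always recorded; getpwnam() is only used to look up
   group memberships. A missing Unix account yields a state with no groups,
   so a per-user ACL entry such as "testuser lrswipcda" still matches. */
struct auth_state *auth_newstate_lenient(const char *identifier)
{
    struct auth_state *st = calloc(1, sizeof *st);
    if (!st) return NULL;
    snprintf(st->userid, sizeof st->userid, "%s", identifier);

    struct passwd *pw = getpwnam(identifier);
    if (!pw) return st;                 /* no account: identifier only */

    /* Walk the group database and record primary and supplementary groups. */
    setgrent();
    struct group *gr;
    while ((gr = getgrent()) != NULL && st->ngroups < MAX_GROUPS) {
        int member = (gr->gr_gid == pw->pw_gid);
        for (char **m = gr->gr_mem; !member && *m; m++)
            if (strcmp(*m, identifier) == 0) member = 1;
        if (member)
            snprintf(st->groups[st->ngroups++], NAME_LEN, "%s", gr->gr_name);
    }
    endgrent();
    return st;
}

/* Hypothetical strict variant (an assumption of this example, not Cyrus
   code): no Unix account means no state, so only "anyone" can ever match. */
struct auth_state *auth_newstate_strict(const char *identifier)
{
    if (getpwnam(identifier) == NULL) return NULL;
    return auth_newstate_lenient(identifier);
}

/* ACL matcher: "anyone" matches every login (even a NULL state),
   "group:NAME" matches a recorded group, anything else must equal the userid. */
int auth_memberof(const struct auth_state *st, const char *acl_identifier)
{
    if (strcmp(acl_identifier, "anyone") == 0) return 1;
    if (!st) return 0;
    if (strncmp(acl_identifier, "group:", 6) == 0) {
        for (int i = 0; i < st->ngroups; i++)
            if (strcmp(st->groups[i], acl_identifier + 6) == 0) return 1;
        return 0;
    }
    return strcmp(st->userid, acl_identifier) == 0;
}

int main(void)
{
    /* Constructed identifier that has no Unix account on any normal host. */
    const char *user = "testuser-no-such-account";

    struct auth_state *lenient = auth_newstate_lenient(user);
    printf("lenient: box1 (acl '%s') visible=%d, box2 (acl 'anyone') visible=%d\n",
           user, auth_memberof(lenient, user), auth_memberof(lenient, "anyone"));

    struct auth_state *strict = auth_newstate_strict(user);
    printf("strict : state=%s, box1 visible=%d, box2 visible=%d\n",
           strict ? "built" : "NULL", auth_memberof(strict, user),
           auth_memberof(strict, "anyone"));

    free(lenient);
    free(strict);
    return 0;
}
```

Run against an identifier that exists in /etc/passwd, the lenient state also picks up group names, which is the part of auth_unix that the thread says is actually useful; against a non-existent identifier it shows why box1 stays visible even though no account backs the login.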