auth_unix
Patrick Radtke
phr2101 at columbia.edu
Tue Apr 5 12:50:14 EDT 2005
I have a question about the --with-auth=unix method for authorization.

I would assume that a user would only be authorized to access mailboxes that the user has rights to if the user has a unix account in the first place.

e.g. If there are 2 mailboxes: 'box1' with acls 'testuser lrswipcda' and mailbox 'box2' with acls 'anyone lrswipcda'. If testuser has no unix account I would not expect him to see box1 (since no unix account == no authorization), but be able to see box2.

From my testing, this does not seem to be the case. testuser has no unix account but can still access all mailboxes that have an acl with his name. It appears that --with-auth=unix is good for doing authorization with group acls.

In the code (from auth_unix.c, method struct auth_state *auth_newstate(const char *identifier)) I would have assumed that if getpwnam(identifier) returned null (the unix account does not exist), then *newstate should remain null, and the login would only be authorized for the anyone/anonymous acl stuff.

I have read a bunch of posts about doing ldap filters with saslauthd or pam_ldap to control who has access, but I'd prefer using the --with-auth mechanism for various reasons (one of which is we prefer running saslauthd -a kerberos5).

Is the behavior I see from --with-auth=unix the intended and desired behavior?

Does --with-auth=pts with --with-pts=ldap behave the same as --with-auth=unix? i.e. If a user can login he is authorized to view his own mailbox regardless of whether he exists according to the authorization mechanism? Or if there is no matching user in ldap, will it fail and not let them login (acceptable for our use)?
cyrus-imapd-2.2.12
thanks,
Patrick Radtke
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
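As an added illustration (not code from Cyrus or from the poster), here is a small C model of the two authorization policies the post contrasts: the observed one, where a login name matches its own ACL entry regardless of a unix account, and the expected one, where a missing account leaves the identity unset so only 'anyone' entries match. The ACL strings are from the post; the account table, function names and the strict flag are hypothetical stand-ins for getpwnam() and the auth_state check.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for getpwnam(): the only unix accounts that exist.
 * "testuser" is deliberately absent, matching the scenario in the post. */
static const char *unix_accounts[] = { "alice", "bob" };

static bool unix_account_exists(const char *id)
{
    size_t n = sizeof unix_accounts / sizeof unix_accounts[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(unix_accounts[i], id) == 0)
            return true;
    return false;
}

/* Does the ACL entry "name rights" grant 'right' to the logged-in 'id'?
 * strict == false models the observed behaviour: a login name matches its
 * own ACL entry whether or not a unix account exists.
 * strict == true models the behaviour the post expected: without a unix
 * account the identity stays unset, so only "anyone" entries can match.
 * Group entries and "anonymous" are left out to keep the model small. */
static bool acl_grants(const char *acl, const char *id, char right, bool strict)
{
    char name[64], rights[32];
    if (sscanf(acl, "%63s %31s", name, rights) != 2)
        return false;                       /* malformed entry: deny */
    if (strchr(rights, right) == NULL)
        return false;                       /* right not in the entry */
    if (strcmp(name, "anyone") == 0)
        return true;                        /* anyone matches every login */
    if (strcmp(name, id) == 0)
        return !strict || unix_account_exists(id);
    return false;
}

int main(void)
{
    const char *box1 = "testuser lrswipcda";   /* ACL from the post */
    const char *box2 = "anyone lrswipcda";     /* ACL from the post */
    printf("observed: box1=%d box2=%d\n",
           acl_grants(box1, "testuser", 'l', false),
           acl_grants(box2, "testuser", 'l', false));
    printf("expected: box1=%d box2=%d\n",
           acl_grants(box1, "testuser", 'l', true),
           acl_grants(box2, "testuser", 'l', true));
    return 0;
}
```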