Comments (6)
CGo dependency: libpam
Maybe there is a pure Go PAM implementation out there? libpam is very annoying to use.
maddy needs to access the shadow database (/etc/shadow) on configurations using the local database
We don't need that with PAM. We only need that for #21.
from maddy.
We don't need that with PAM. We only need that for #21.
From pam_unix.so(8):
A helper binary, unix_chkpwd(8), is provided to check the user's password when it is stored in a read protected database. This binary is very simple and will only check the password of the user invoking it. It is called transparently on behalf of the user by the authenticating component of this module. In this way it is possible for applications like xlock(1) to work without being setuid-root.
Ok, didn't know. Perhaps, can we use it for #21 too?
UPD: No, we shouldn't.
The interface of the helper - command line options, and input/output data format are internal to the pam_unix module and it should not be called directly from applications.
from maddy.
Oh, unix_chkpwd works only for the current user, so it is not useful for us. We need root to access /etc/shadow.
from maddy.
So, what I think should be done.
Create a separate binary called maddy-pam-helper.
When started, it reads two \0-terminated lines on stdin (username and password) and sets its exit status depending on authentication success.
Generally, when installed to the system, this binary should be setuid root (or given the CAP_DAC_READ_SEARCH capability on Linux) and be executable only by a group that the maddy server runs under (user group "maddy"?).
from maddy.
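The stdin framing proposed in the comment above, sketched in Go as an added example (not code from the maddy repository). The names `readField`, `run` and `maxField`, the pluggable `auth` callback that stands in for the PAM call, and the exit status values 0/1/2 are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"io"
	"os"
)

// maxField is an assumed per-field limit; the issue does not specify one.
const maxField = 1024

// readField reads one \0-terminated field from br.
func readField(br *bufio.Reader) (string, bool) {
	var buf []byte
	for {
		b, err := br.ReadByte()
		// Truncated input (EOF before \0) or an over-long field is malformed.
		if err != nil || (b != 0 && len(buf) == maxField) {
			return "", false
		}
		if b == 0 {
			return string(buf), true
		}
		buf = append(buf, b)
	}
}

// run parses "username\0password\0" from r and returns the exit status.
// The status values (0 accepted, 1 rejected, 2 malformed) are assumptions.
func run(r io.Reader, auth func(user, pass string) bool) int {
	br := bufio.NewReader(r)
	user, ok := readField(br)
	if !ok || user == "" {
		return 2
	}
	pass, ok := readField(br)
	if !ok {
		return 2
	}
	if auth(user, pass) {
		return 0
	}
	return 1
}

func main() {
	// Placeholder check that rejects everyone; the PAM call would go here.
	os.Exit(run(os.Stdin, func(string, string) bool { return false }))
}
```

Taking the credentials on stdin rather than as command-line arguments keeps the password out of the process list.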
Oh, right. RIP, we need root either way.
from maddy.
https://github.com/foxcpp/maddy/tree/pam
from maddy.