On Thu, 2010-10-14 at 09:55 +0100, Ed W wrote:

> > Is there any way to make Dovecot use the same username/password for
> > database access as userdb and passdb queries? Specifying the password
> > with -p doesn't seem like a good idea, so I'm wondering if it can be
> > handled by Dovecot directly.
> If your risk is that the user compromises the login process and can see
> the login script

BTW. That's not enough. The login process is chrooted to a nearly empty directory and can't read anything. To read the post-login script the user would have to compromise the imap/pop3 process (which is more likely anyway, because they're more complex). But that could also be prevented by not giving that process read access to the script.

I think more problematic is that the -p password shows up in the ps list. That can be avoided by placing the script in MySQL's config file. http://dev.mysql.com/doc/refman/5.1/en/password-security-user.html
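
An added example, not part of the original message or of Dovecot: a shell sketch of keeping the MySQL password in an option file instead of passing -p, with a permission check before the client is started. The function names, the MYSQL_BIN override, the account and the paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All names, paths and credentials here are constructed.

# Write a MySQL option file holding the credentials. Removing any old file
# and creating the new one under umask 077 means it is 0600 from creation.
# Assumption: the password contains no double quote or backslash.
write_client_cnf() {
    # $1 = option file path, $2 = user, $3 = password
    (
        umask 077
        rm -f "$1"
        printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1"
    )
}

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only for a regular, non-symlink file with no group/other access.
cnf_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one query without the password ever appearing in argv (and so in ps).
# --defaults-extra-file has to be the first option given to the client.
# MYSQL_BIN is a hypothetical override so the command line can be inspected.
run_query() {
    # $1 = option file, $2 = database, $3 = SQL statement
    cnf_is_private "$1" || { echo "refusing: $1 is not private" >&2; return 1; }
    "${MYSQL_BIN:-mysql}" --defaults-extra-file="$1" --batch -e "$3" "$2"
}
```

The script that calls run_query should itself be unreadable to the imap/pop3 process user, as the message describes, and so should the option file.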
