On 1.2.2013, at 0.35, Ben Morrow <b...@morrow.me.uk> wrote: > I am running Dovecot with system users (userdb passwd), but some of > those users don't have shell accounts on the IMAP server so their shell > on that machine is set to /usr/sbin/nologin. Currently I am using > maildirs and this is not a problem, but I am in the process of switching > to dbox which means I will need a cronjob running 'doveadm purge -A'. > > During testing I found that those users with a 'nologin' shell are not > included in the list returned by the userdb iterator, and that the > iterator doesn't honour the first/last_valid_uid settings. This > inconsistency seems undesirable, so the attached patch > > - makes lookup perform the same checks as iteration,
Hmmh. You could also just have them aliased to other users, so this wouldn't be necessary.. > - makes the 'nologin' check configurable, > - adds a new optional check that the user owns their home directory. These settings are passwd-specific, so they would have to something like: userdb { driver = passwd args = check-nologin=n check-home=y } > The last check was the one performed by qmail, and seems to me to be a > more reliable 'is this a real user' check than a nologin shell. It also performs disk I/O, slowing down the lookup. > If this patch is applied, the release notes for the next release should > probably mention that system users with a 'nologin' shell will no longer > be allowed to log in to IMAP until the 'auth_check_nologin' setting is > changed from true to false. The default will in any case be the same as it is now. > Also, there seem to be two first/last_valid_uid settings: > first_valid_uid itself, which is honoured by the storage subsystem, and > auth_first_valid_uid, which is honoured by the 'passwd' userdb. Is this > intentional? Nope, that's a bug. Fixed that in v2.2: http://hg.dovecot.org/dovecot-2.2/rev/18661d1d6ed0