From: Jeff S. <jsq...@os...> - 2003-07-09 02:59:54
For you DBAs out there... is there a common way to do this? (I think this
is an easy question, but I managed to confuse myself earlier today and
want to run it by you guys to ensure that I'm not crazy.)

We've talked about user authentication before, and we decided to leave it
as the responsibility of the IMAP daemon. This allows the possibility of
a bunch of different schemes, like passwd/shadow, pam, LDAP, etc., i.e.:
it's not our problem. I think this is the Right Thing. I'm talking about
different authentication -- authentication to the database.

My question is: how do we authenticate to the database?

There are [at least] two different places where a process will need to be
executed on the server to insert a message into maildb: mail.local and a
server-side user filtering agent (e.g., procmail). Let's look at
mail.local, although they both essentially come down to the same issue.

At some point, the MTA is going to invoke mail.local on the server to
actually deliver the message to the backing store (remember that UW IMAP
provides a mail.local replacement that will be able to write to the
maildb). This mail.local process has to be able to connect to the
[MySQL|Postgres|whatever] database, authenticate, and then do its thing.
How do we do that?

Do we just put a 0400 file somewhere on the local filesystem that only
root and the mail.local user (probably "mail" or "daemon" or ...?) can
read that contains the DB username and password? The only other way that I
can think of would be to compile the DB username/pw into the mail.local
executable, but that might make it vulnerable to "strings mail.local", or
something along those lines. Is there a standard way to do this kind of
thing? We're not trying to protect from root in this case -- we're only
trying to protect from other users (right?) -- so I'm thinking that a 0400
file might not be totally evil (one way to think of it: it's no less
secure than 0600 /var/spool/mail/* mbox files).

For the procmail issue, whatever process is launched (perhaps a variant of
mail.local) will likely be launched under the UID of the recipient user.
So will this executable need to be setuid to the mail user? Or is that
asking for trouble?

Thoughts?
--
{+} Jeff Squyres
{+} jsq...@os...
{+} Research Associate, Open Systems Lab, Indiana University
{+} http://www.osl.iu.edu/
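One way to implement the 0400-credentials-file option the message asks about, as an added example that is not part of this thread, of UW IMAP or of mail.local: the loader refuses a credentials file that is a symlink, not a regular file, owned by anyone other than root or the expected mail UID, or readable by group/other, and only then parses a single `user:password` line. The file format, the path used in the test and the function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes for load_db_creds(). */
enum { CREDS_OK = 0, CREDS_ERR_OPEN, CREDS_ERR_NOTREG, CREDS_ERR_OWNER,
       CREDS_ERR_MODE, CREDS_ERR_FORMAT };

/* Open the credentials file and check it through the open descriptor (not the
 * path, so a symlink swap between check and read cannot fool us): regular file,
 * owned by root or allowed_uid, no group/other permission bits. Then parse one
 * "user:password" line (the line format is an assumption for this example). */
int load_db_creds(const char *path, uid_t allowed_uid,
                  char *user, size_t ulen, char *pass, size_t plen)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return CREDS_ERR_OPEN;
    struct stat st;
    int rc = CREDS_OK;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) rc = CREDS_ERR_NOTREG;
    else if (st.st_uid != 0 && st.st_uid != allowed_uid) rc = CREDS_ERR_OWNER;
    else if (st.st_mode & (S_IRWXG | S_IRWXO)) rc = CREDS_ERR_MODE;
    if (rc != CREDS_OK) { close(fd); return rc; }
    char buf[256];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0) return CREDS_ERR_FORMAT;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';          /* keep only the first line */
    char *sep = strchr(buf, ':');
    if (!sep || sep == buf || sep[1] == '\0') return CREDS_ERR_FORMAT;
    *sep = '\0';
    if (strlen(buf) >= ulen || strlen(sep + 1) >= plen) return CREDS_ERR_FORMAT;
    strcpy(user, buf);
    strcpy(pass, sep + 1);
    memset(buf, 0, sizeof buf);                /* scrub the secret from the stack */
    return CREDS_OK;
}

/* Helper for trying the loader: writes a constructed sample credentials file
 * ("maildb:s3cret-example") and forces exactly the requested mode on it. */
int write_sample_creds(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0) return -1;
    const char line[] = "maildb:s3cret-example\n";
    ssize_t n = write(fd, line, sizeof line - 1);
    close(fd);
    return (n == (ssize_t)(sizeof line - 1) && chmod(path, mode) == 0) ? 0 : -1;
}
```

The owner check passes a root-owned file as well as one owned by the mail UID, matching the "only root and the mail.local user" case in the message; the mode check is what catches a file that was accidentally left 0644.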