Re: Cyrus debianized?



* Toens Bueker said:
> Marek Habersack <grendel@vip.net.pl> wrote:
> 
> > > This is Cyrus 1.5.x BTW, not 1.6 (1.6 needs the SASL stuff which
> > > seems to be very broken in places). Sadly 1.5.x doesn't support
> > > PAM (but 1.6 does and when it's stable, I'll package it).
> > SASL is a PITA - the pwcheck stuff doesn't work without much tweaking, I
> > > didn't even get PAM to work - it refuses to authenticate when cyrus runs
> > with the 'cyrus' user's ID, and cyrus refuses to run as root. The sasldb
> > auth doesn't work as well.
> 
> Could you elaborate on this? 
Of course. I have set up a virtual server in a chrooted tree. The server is
supposed to host accounts which can be accessed only from specific places
and only using IMAP. Now, I tried to set up cyrus + SASL to use the
PAM authentication but alas, PAM only refuses to authenticate the logged in
user, because of "authentication failure; (uid=999) -> someuser for imap
service". At first I thought the problem lies somewhere in the way in which the
chrooted PAM libraries look for the user's authentication data, but other
PAMified services, like POP3 server, work flawlessly - as long as they run
initially as root. When cyrus is configured (by setting the SUID bit) to run
as root, it refuses to start because "cyrus cannot run as root" - which is a
good security measure unless it prevents the daemon from working... Now, I
don't know what to lay the blame on - is it Cyrus or is it PAM that needs
fixing? Either way, I decided to drop PAM and started to test other
authentication possibilities using SASL - sasldb (didn't work - despite the
existence of the sasldb database file the library refused to authenticate
the user), then pwcheck daemon (it didn't compile at all - seems the source
is unmaintained. I had to edit the sources of both Makefiles and the program
itself to make it compile and link. Nevertheless, the effort was futile -
the pwcheck-based authentication also doesn't work). 
I decided to give up and look at some other imapd server - namely Courier
which compiles without problems, and seems to run ok (testing it right now)
- not to mention it's GPL-ed.
Ah, another note about imapd servers - the UW imapd refused to run in a
chroot jail as well...
 
> We run Cyrus 1.6.13 with sasl-5.1.0, libpam-0.69 and
My versions are, respectively, 1.6.19, 1.5.11, 0.71

> shadow-password. The only problem seems to be 'feedcyrus',
> which we cannot get to cooperate. Everything else works
> fine. Actually we didn't have to tweak anything.
I can get cyrus as far as it comes to authentication... Which is not very
useful...
 
> This is on a potato-machine.
As well

marek
