On Mi, 14 Sep 2011, Timo Sirainen wrote: > On 14.9.2011, at 14.40, Lutz Preßler wrote: > > > with imapc settings coming from userdb (individual configuration necessary) > > there exists a security problem if access to auth-userdb socket is given > > to normal (shell) users: > > So don't give it to them? :) Actually this should be pretty much solved with > v2.1 defaults. If the auth-userdb socket is 0666 root:root (default now), it > requires that the calling process either has root user/group privileges or > its uid matches the one returned by userdb, otherwise it won't return any > fields. I had to change that because of shared mailboxes and usage of %%h. Maybe one could return only home if uid does not match?
Lutz
