Yes, it's a bug. Most importantly: I don't think this is a security hole, 
except maybe in some very specific installations. It only affects usernames 
that are the same as one of the "extra fields" in userdb. Such a user needs to 
log in with a valid username and password before this happens. What happens is 
that when userdb sets the extra field, it thinks it's replacing an existing 
field and removes the username. So the username gets replaced by the next 
field. This often does mean that the user can log in using a wrong username 
(e.g. user is "uid=1000"), but there's really no way to set that to any 
specific username. So users can't read each others' mails. But because the 
username is different from expected, it could cause some confusion.
I was also a bit worried that it still could allow users to create such 
accounts for some webmail providers, but pretty much all of them use 
user@domain style account names, and those aren't affected. So practically no 
possibility of this affecting anyone where admin doesn't explicitly create such 
account.

I'll get this fixed when I have a bit of time. The fix isn't as easy as I'd 
like and it affects a large part of the authentication.

On 14.12.2012, at 18.04, Jack Bates wrote:

> Dec 14 14:33:14 test2 dovecot: auth: Debug: master userdb out: 
> USER#0112033451009#011uid=503#011gid=503#011home=/nfs/maildir/vmail/home#011mail_location=maildir:~/Maildir
> Dec 14 14:37:25 test2 dovecot: auth: Debug: master userdb out: 
> USER#011477757441#011home2#011uid=503#011gid=503#011home=/nfs/maildir/vmail/home2#011mail_location=maildir:~/Maildir
> Dec 14 15:44:23 test2 dovecot: auth: Debug: master userdb out: 
> USER#0113466592257#011uid=503#011gid=503#011home=/nfs/maildir/vmail/home#011mail_location=maildir:~/Maildir
> 
> Looking at the proper home2 account, it appears that the username "home" is 
> being left out. This is definitely an issue with auth userdb.
> 
> This was on 2.1.12. I upgraded.
> 
> Jack
> 
> On 12/14/2012 10:00 AM, Jack Bates wrote:
>> Additional info by switching the home= and uid= settings in the config.
>> 
>> userdb {
>>  args = home=/nfs/maildir/vmail/%u uid=vmail gid=vmail mail_location=maildir:~/Maildir
>>  driver = static
>> }
>> 
>> We got the effective id, but then home was unset and the user became the 
>> home setting. lol
>> 
> 

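As an added illustration (not Dovecot's code, and not from either poster), here is a small Python model of the userdb reply handling described above, with hypothetical helper names: the buggy version treats the bare username as a field name, so a user literally called "home" is dropped when home= is set and the next field slides into the username slot; the fixed version never considers the username a replaceable field.

```python
# Added illustration, not Dovecot's code. A userdb reply line is modelled as
# 'USER<TAB>request-id<TAB>username<TAB>key=value...'; the field list keeps
# the bare username (no '=') first, followed by key=value extras.
# All function names here are hypothetical.

def parse_reply(line: str) -> list[str]:
    """Return the field list that follows the request id (username first)."""
    parts = line.split("\t")
    assert parts[0] == "USER", "not a USER reply"
    return parts[2:]

def _key(field: str) -> str:
    return field.split("=", 1)[0]

def set_field_buggy(fields: list[str], key: str, value: str) -> list[str]:
    """Buggy behaviour: every entry, including the bare username, is treated
    as 'key[=value]'. A user named 'home' looks like an existing 'home' field,
    gets removed, and the next field (uid=...) becomes the username."""
    out = [f for f in fields if _key(f) != key]
    out.append(f"{key}={value}")
    return out

def set_field_fixed(fields: list[str], key: str, value: str) -> list[str]:
    """Only entries after the username, and only those carrying '=', are
    candidates for replacement; the username itself is never touched."""
    username, extras = fields[0], fields[1:]
    extras = [f for f in extras if not ("=" in f and _key(f) == key)]
    return [username] + extras + [f"{key}={value}"]

def format_reply(req_id: str, fields: list[str]) -> str:
    return "\t".join(["USER", req_id] + fields)

if __name__ == "__main__":
    # Constructed sample: user "home" with uid/gid already set by the static
    # userdb, just before the home= field is added.
    base = ["home", "uid=503", "gid=503"]
    path = "/nfs/maildir/vmail/home"
    print(format_reply("2033451009", set_field_buggy(base, "home", path)))
    print(format_reply("2033451009", set_field_fixed(base, "home", path)))
```

The first printed line reproduces the shape of the log Jack posted (username missing, uid=503 first); the second keeps "home" as the username. A user named "home2" is unaffected in both versions, which matches the second log line.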