[Dovecot] About RH patches and 1.0beta8

Oliver Schulze L. oliver at samera.com.py
Tue Jun 20 03:17:30 EEST 2006 

Sorry about the delay,
here they are:

patch: dovecot-1.0.beta2-pam-tty.patch
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=149673

dovecot-1.0.beta2-pam-setcred.patch
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146198

dovecot-1.0.beta2-mkcert-permissions.patch
just a chmod

Also, nice comments are in each patch, I attach the 3 patches

HTH
Oliver


Timo Sirainen wrote:
> On Fri, 2006-05-12 at 17:06 -0400, Oliver Schulze L. wrote:
>   
>> http://dl.atrpms.net/all/dovecot-1.0-0_10.99.beta7.el4.at.src.rpm
>>
>> patch: dovecot-1.0.beta2-mkcert-permissions.patch
>> calls 'chown root.root', is good to have the certs owned by root?
>>     
>
> I guess, but isn't mkcert.sh run as root normally anyway? And if user
> doesn't want to run it as root, chowning doesn't work anyway.
>
>   
>> patch: dovecot-1.0.beta2-pam-setcred.patch
>> is dissables the call to pam_setcred() because there is no other
>> call to pam_setcred() in order to release the resources
>>     
>
> I kept the functionality, but it's now enabled only if setcred=yes PAM
> option is given in passdb args.
>
>   
>> patch: dovecot-1.0.beta2-pam-tty.patch
>> it add a call to pam_set_item()
>>
>> I don't to attach the patches to the list, but I can if anyone could not
>> extract them from the .src.rpm
>>     
>
> I tried to figure out a while how to unpack it, but gave up. I could
> look at the pam_set_item() patch, and if someone knows what it's really
> useful for I'd like to know that too :)
>
>   

-- 
Oliver Schulze L.
<oliver at samera.com.py>

-------------- next part --------------
--- dovecot-1.0.beta2/doc/mkcert.sh.configfile	2006-01-16 21:14:54.000000000 +0100
+++ dovecot-1.0.beta2/doc/mkcert.sh	2006-01-26 14:28:38.000000000 +0100
@@ -29,6 +29,7 @@
 fi
 
 $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
-chmod 0600 $KEYFILE
+chown root:root $CERTFILE $KEYFILE
+chmod 0600 $CERTFILE $KEYFILE
 echo 
 $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
-------------- next part --------------
--- ./dovecot-1.0.beta2/src/auth/passdb-pam.c.pam-setcred	2006-01-30 11:04:01.000000000 +0100
+++ ./dovecot-1.0.beta2/src/auth/passdb-pam.c	2006-01-30 11:05:39.000000000 +0100
@@ -185,14 +185,39 @@
 					 pam_strerror(pamh, status));
 		return status;
 	}
-
 #ifdef HAVE_PAM_SETCRED
+
+#if 0
+/*
+ * This is to fix a bug where dovecot was leaving a lot of temporary
+ * kerberos tickets around and filling up disk space.  If
+ * pam_setcred(pamh, PAM_ESTABLISH_CRED) is called, which creates the
+ * ticket, then a matching pam_setcred(pamh, PAM_DELETE_CRED) also
+ * needs to be called to clean the ticket up. But the only reason to
+ * have a cached ticket on disk is if the service is going to perform
+ * some action during the session that requires access to the ticket
+ * for validation. This implies the pam session is being held open,
+ * which would be more typical pam usage. But the usage here is to
+ * close the pam session immediately after authenticating the user
+ * with pam_end, thus there is no benefit to creating the disk copy of
+ * the ticket. So rather than finding all the early returns before
+ * pam_end is invoked and adding pam_setcred(pamh, PAM_DELETE_CRED) to
+ * each it is more sensible to not create the ticket in the first
+ * place if we're not going to use it and thus not have to worry about
+ * the clean up. Note the way the code is currently structured, with
+ * an immediate call to pam_end() after authentication it implies the
+ * code probably won't work with a file system like AFS which uses the
+ * ticket for file system permissions, but restructuring the code for
+ * this case is beyond the needs of fixing the aforementioned bug.
+ * John Dennis <jdennis at redhat.com>
+ */
 	if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
 		*error = t_strdup_printf("pam_setcred() failed: %s",
 					 pam_strerror(pamh, status));
 		return status;
 	}
 #endif
+#endif
 
 	if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
 		*error = t_strdup_printf("pam_acct_mgmt() failed: %s",
-------------- next part --------------
--- ./dovecot-1.0.beta2/src/auth/passdb-pam.c.pam-tty	2006-01-30 11:02:05.000000000 +0100
+++ ./dovecot-1.0.beta2/src/auth/passdb-pam.c	2006-01-30 11:03:08.000000000 +0100
@@ -256,6 +256,10 @@
 		if (host != NULL)
 			pam_set_item(pamh, PAM_RHOST, host);
 
+		/* fix bug 149673, need dummy TTY for pam_access,
+		   FIXME: should we check and report an error for PAM_TTY? */
+		pam_set_item(pamh, PAM_TTY, "dovecot");
+
 		status = pam_auth(request, pamh, &str);
 		if ((status2 = pam_end(pamh, status)) == PAM_SUCCESS) {
 			/* FIXME: check for PASSDB_RESULT_UNKNOWN_USER

More information about the dovecot mailing list