[Dovecot] configure dovecot to invoke pam_setcred() from the same process that accesses ~/Maildir?
Adam Megacz
megacz at hcoop.net
Tue Jun 30 19:39:26 EEST 2009
Timo Sirainen <tss at iki.fi> writes:
> Not easily. PAM lookups are done by dovecot-auth process, which is
> completely different from the eventual imap/pop3 process.
Yes, I know... I find that most unfortunate. This design creates
security problems when the machine where the files are stored does not
unconditionally trust the machine running dovecot (as, for example, in
NFS).
>> In particular, I'm trying to use dovecot with pam_krb5 (which
>> associates a ticket cache to a specific pid) and pam_afs_session
>> (which associates tokens to a specific process authentication group --
>> roughly equivalent to a process and all its descendants).
> Is it possible to authenticate first in one process and then do
> pam_setcred() in another?
Only if one process is a parent of the other (or a parent of a parent,
etc). Or if they have a common parent which is unique to the
connection (i.e. their common parent is not the parent of any other auth
processes or connection-handling processes).
When dovecot is used in the mode where it forks a new authentication
process for every connection, is the authentication process a child of
the process which handles the rest of the connection, or vice versa?
Or neither?
Thanks,
- a
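The ancestry question above (does the auth process sit above the connection process, below it, or beside it under a shared parent?) can be checked directly on a running system. The following is an added example, not code from the original post or from Dovecot: it reads a pid-to-ppid table (from /proc on Linux, or from a constructed mapping) and classifies the relationship between an auth process and a mailbox-access process. Credentials such as a pam_krb5 ticket cache tied to a pid, or an AFS PAG, only flow down the fork tree, so "shared-parent" means pam_setcred() in that common parent would hand the credentials to every connection it forks, not just this one. The sample process tree and its pid numbers are constructed for illustration; the layout of the Dovecot processes in it is an assumption, not a statement about how Dovecot actually forks.

```python
"""Classify how PAM-established credentials could propagate between two pids.

Added example (not from the original post or from Dovecot). Credentials
bound to a process (pam_krb5 ticket cache keyed by pid) or to a process
authentication group (pam_afs_session tokens) are inherited only through
fork, so the security question reduces to process ancestry.
"""
import os
from typing import Dict, List, Set


def read_proc_table() -> Dict[int, int]:
    """Build a pid -> ppid mapping from /proc (Linux only)."""
    table: Dict[int, int] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/stat") as f:
                stat = f.read()
        except OSError:
            continue  # process exited between listdir and open
        # Field layout: pid (comm) state ppid ...; comm may contain spaces,
        # so split on the last ')' and take the field after the state letter.
        fields = stat.rsplit(")", 1)[1].split()
        table[int(name)] = int(fields[1])
    return table


def ancestors(table: Dict[int, int], pid: int) -> List[int]:
    """Return pid's ancestors, nearest first, stopping at ppid 0 or a cycle."""
    chain: List[int] = []
    while True:
        parent = table.get(pid, 0)
        if parent == 0 or parent in chain:
            break
        chain.append(parent)
        pid = parent
    return chain


def credential_relationship(table: Dict[int, int], auth_pid: int,
                            worker_pid: int,
                            per_connection_pids: Set[int]) -> str:
    """Say whether pam_setcred() done in auth_pid could reach worker_pid.

    per_connection_pids: pids known to exist for this one connection only.
    A common ancestor outside that set serves other connections too, so
    credentials established there would leak to them ("shared-parent").
    """
    auth_anc = ancestors(table, auth_pid)
    worker_anc = ancestors(table, worker_pid)
    if auth_pid in worker_anc:
        return "auth-is-ancestor"      # fork inheritance works directly
    if worker_pid in auth_anc:
        return "worker-is-ancestor"    # worker could do setcred itself
    for pid in auth_anc:               # nearest common ancestor, if any
        if pid in worker_anc:
            if pid in per_connection_pids:
                return "common-connection-parent"
            return "shared-parent"
    return "unrelated"


# Constructed sample tree (hypothetical pids; the Dovecot layout here is an
# assumption made for illustration, not a real process listing).
SAMPLE_TABLE: Dict[int, int] = {
    1: 0,       # init
    100: 1,     # master daemon
    101: 100,   # long-lived dovecot-auth shared by every connection
    102: 100,   # login/listener process
    200: 102,   # imap worker for connection A
    201: 102,   # imap worker for connection B
    300: 100,   # per-connection handler (hypothetical layout)
    301: 300,   # auth helper forked for that connection
    302: 300,   # imap worker for that same connection
}


if __name__ == "__main__":
    # Shared auth process beside the worker: setcred there cannot help.
    print(credential_relationship(SAMPLE_TABLE, 101, 200, set()))
    # Auth helper and worker under one connection-specific parent.
    print(credential_relationship(SAMPLE_TABLE, 301, 302, {300, 301, 302}))
    # Run against the live system, e.g. for a real auth/worker pair:
    # live = read_proc_table(); print(credential_relationship(live, a, w, set()))
```

Running the classifier against a live table with the real dovecot-auth and imap pids answers the question posed above for a particular configuration; a result of "shared-parent" with the master daemon as the common ancestor is exactly the case where per-connection pam_setcred() cannot be made to work without changing where the fork happens.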