[Dovecot] configure dovecot to invoke pam_setcred() from the same process that accesses ~/Maildir?

Timo Sirainen tss at iki.fi
Tue Jun 30 21:12:45 EEST 2009


On Jun 30, 2009, at 12:39 PM, Adam Megacz wrote:

>>> In particular, I'm trying to use dovecot with pam_krb5 (which
>>> associates a ticket cache to a specific pid) and pam_afs_session
>>> (which associates tokens to a specific process authentication group --
>>> roughly equivalent to a process and all its descendants).
>
>> Is it possible to authenticate first in one process and then do
>> pam_setcred() in another?
>
> Only if one process is a parent of the other (or a parent of a parent,
> etc).  Or if they have a common parent which is unique to the
> connection (i.e. their common parent is not the parent of any other auth
> processes or connection-handling processes).

Doesn't sound doable then. Maybe reimplement the pam_* modules as  
Dovecot modules :)

> When dovecot is used in the mode where it forks a new authentication
> process for every connection, is the authentication process a child of
> the process which handles the rest of the connection, or vice versa?
> Or neither?

Neither. Only the Dovecot master process forks new processes. Being able
to do authentication from login processes would pretty much destroy
Dovecot's whole security model.

