[Dovecot] configure dovecot to invoke pam_setcred() from the same process that accesses ~/Maildir?
Timo Sirainen
tss at iki.fi
Tue Jun 30 21:12:45 EEST 2009
On Jun 30, 2009, at 12:39 PM, Adam Megacz wrote:
>>> In particular, I'm trying to use dovecot with pam_krb5 (which
>>> associates a ticket cache to a specific pid) and pam_afs_session
>>> (which associates tokens to a specific process authentication
>>> group -- roughly equivalent to a process and all its descendants).
>
>> Is it possible to authenticate first in one process and then do
>> pam_setcred() in another?
>
> Only if one process is a parent of the other (or a parent of a parent,
> etc). Or if they have a common parent which is unique to the
> connection (i.e. their common parent is not the parent of any other auth
> processes or connection-handling processes).

Doesn't sound doable then. Maybe reimplement the pam_* modules as
Dovecot modules :)

> When dovecot is used in the mode where it forks a new authentication
> process for every connection, is the authentication process a child of
> the process which handles the rest of the connection, or vice versa?
> Or neither?

Neither. Only the Dovecot master process forks new processes. Being able
to do authentication from login processes would pretty much destroy
Dovecot's whole security model.