Sorry about the delay, here they are: patch: dovecot-1.0.beta2-pam-tty.patch https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=149673 dovecot-1.0.beta2-pam-setcred.patch https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146198 dovecot-1.0.beta2-mkcert-permissions.patch just a chmod Also, nice comments are in each patch, I attach the 3 patches HTH Oliver Timo Sirainen wrote:
On Fri, 2006-05-12 at 17:06 -0400, Oliver Schulze L. wrote:
http://dl.atrpms.net/all/dovecot-1.0-0_10.99.beta7.el4.at.src.rpm
patch: dovecot-1.0.beta2-mkcert-permissions.patch calls 'chown root.root', is good to have the certs owned by root?
I guess, but isn't mkcert.sh run as root normally anyway? And if user doesn't want to run it as root, chowning doesn't work anyway.
patch: dovecot-1.0.beta2-pam-setcred.patch is dissables the call to pam_setcred() because there is no other call to pam_setcred() in order to release the resources
I kept the functionality, but it's now enabled only if setcred=yes PAM option is given in passdb args.
patch: dovecot-1.0.beta2-pam-tty.patch it add a call to pam_set_item()
I don't to attach the patches to the list, but I can if anyone could not extract them from the .src.rpm
I tried to figure out a while how to unpack it, but gave up. I could look at the pam_set_item() patch, and if someone knows what it's really useful for I'd like to know that too :)
-- Oliver Schulze L. <oliver@samera.com.py> --- dovecot-1.0.beta2/doc/mkcert.sh.configfile 2006-01-16 21:14:54.000000000 +0100 +++ dovecot-1.0.beta2/doc/mkcert.sh 2006-01-26 14:28:38.000000000 +0100 @@ -29,6 +29,7 @@ fi $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2 -chmod 0600 $KEYFILE +chown root:root $CERTFILE $KEYFILE +chmod 0600 $CERTFILE $KEYFILE echo $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2 --- ./dovecot-1.0.beta2/src/auth/passdb-pam.c.pam-setcred 2006-01-30 11:04:01.000000000 +0100 +++ ./dovecot-1.0.beta2/src/auth/passdb-pam.c 2006-01-30 11:05:39.000000000 +0100 @@ -185,14 +185,39 @@ pam_strerror(pamh, status)); return status; } - #ifdef HAVE_PAM_SETCRED + +#if 0 +/* + * This is to fix a bug where dovecot was leaving a lot of temporary + * kerberos tickets around and filling up disk space. If + * pam_setcred(pamh, PAM_ESTABLISH_CRED) is called, which creates the + * ticket, then a matching pam_setcred(pamh, PAM_DELETE_CRED) also + * needs to be called to clean the ticket up. But the only reason to + * have a cached ticket on disk is if the service is going to perform + * some action during the session that requires access to the ticket + * for validation. This implies the pam session is being held open, + * which would be more typical pam usage. But the usage here is to + * close the pam session immediately after authenticating the user + * with pam_end, thus there is no benefit to creating the disk copy of + * the ticket. So rather than finding all the early returns before + * pam_end is invoked and adding pam_setcred(pamh, PAM_DELETE_CRED) to + * each it is more sensible to not create the ticket in the first + * place if we're not going to use it and thus not have to worry about + * the clean up. Note the way the code is currently structured, with + * an immediate call to pam_end() after authentication it implies the + * code probably won't work with a file system like AFS which uses the + * ticket for file system permissions, but restructuring the code for + * this case is beyond the needs of fixing the aforementioned bug. + * John Dennis <jdennis@redhat.com> + */ if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { *error = t_strdup_printf("pam_setcred() failed: %s", pam_strerror(pamh, status)); return status; } #endif +#endif if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) { *error = t_strdup_printf("pam_acct_mgmt() failed: %s", --- ./dovecot-1.0.beta2/src/auth/passdb-pam.c.pam-tty 2006-01-30 11:02:05.000000000 +0100 +++ ./dovecot-1.0.beta2/src/auth/passdb-pam.c 2006-01-30 11:03:08.000000000 +0100 @@ -256,6 +256,10 @@ if (host != NULL) pam_set_item(pamh, PAM_RHOST, host); + /* fix bug 149673, need dummy TTY for pam_access, + FIXME: should we check and report an error for PAM_TTY? */ + pam_set_item(pamh, PAM_TTY, "dovecot"); + status = pam_auth(request, pamh, &str); if ((status2 = pam_end(pamh, status)) == PAM_SUCCESS) { /* FIXME: check for PASSDB_RESULT_UNKNOWN_USER