Sorry about the delay,
here they are:
patch: dovecot-1.0.beta2-pam-tty.patch
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=149673
dovecot-1.0.beta2-pam-setcred.patch
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146198
dovecot-1.0.beta2-mkcert-permissions.patch
just a chmod
Also, nice comments are in each patch, I attach the 3 patches
HTH
Oliver
Timo Sirainen wrote:
On Fri, 2006-05-12 at 17:06 -0400, Oliver Schulze L. wrote:
http://dl.atrpms.net/all/dovecot-1.0-0_10.99.beta7.el4.at.src.rpm
patch: dovecot-1.0.beta2-mkcert-permissions.patch
calls 'chown root.root', is good to have the certs owned by root?
I guess, but isn't mkcert.sh run as root normally anyway? And if user
doesn't want to run it as root, chowning doesn't work anyway.
patch: dovecot-1.0.beta2-pam-setcred.patch
is dissables the call to pam_setcred() because there is no other
call to pam_setcred() in order to release the resources
I kept the functionality, but it's now enabled only if setcred=yes PAM
option is given in passdb args.
patch: dovecot-1.0.beta2-pam-tty.patch
it add a call to pam_set_item()
I don't to attach the patches to the list, but I can if anyone could not
extract them from the .src.rpm
I tried to figure out a while how to unpack it, but gave up. I could
look at the pam_set_item() patch, and if someone knows what it's really
useful for I'd like to know that too :)
--
Oliver Schulze L.
--- dovecot-1.0.beta2/doc/mkcert.sh.configfile 2006-01-16 21:14:54.000000000 +0100
+++ dovecot-1.0.beta2/doc/mkcert.sh 2006-01-26 14:28:38.000000000 +0100
@@ -29,6 +29,7 @@
fi
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
-chmod 0600 $KEYFILE
+chown root:root $CERTFILE $KEYFILE
+chmod 0600 $CERTFILE $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
--- ./dovecot-1.0.beta2/src/auth/passdb-pam.c.pam-setcred 2006-01-30 11:04:01.000000000 +0100
+++ ./dovecot-1.0.beta2/src/auth/passdb-pam.c 2006-01-30 11:05:39.000000000 +0100
@@ -185,14 +185,39 @@
pam_strerror(pamh, status));
return status;
}
-
#ifdef HAVE_PAM_SETCRED
+
+#if 0
+/*
+ * This is to fix a bug where dovecot was leaving a lot of temporary
+ * kerberos tickets around and filling up disk space. If
+ * pam_setcred(pamh, PAM_ESTABLISH_CRED) is called, which creates the
+ * ticket, then a matching pam_setcred(pamh, PAM_DELETE_CRED) also
+ * needs to be called to clean the ticket up. But the only reason to
+ * have a cached ticket on disk is if the service is going to perform
+ * some action during the session that requires access to the ticket
+ * for validation. This implies the pam session is being held open,
+ * which would be more typical pam usage. But the usage here is to
+ * close the pam session immediately after authenticating the user
+ * with pam_end, thus there is no benefit to creating the disk copy of
+ * the ticket. So rather than finding all the early returns before
+ * pam_end is invoked and adding pam_setcred(pamh, PAM_DELETE_CRED) to
+ * each it is more sensible to not create the ticket in the first
+ * place if we're not going to use it and thus not have to worry about
+ * the clean up. Note the way the code is currently structured, with
+ * an immediate call to pam_end() after authentication it implies the
+ * code probably won't work with a file system like AFS which uses the
+ * ticket for file system permissions, but restructuring the code for
+ * this case is beyond the needs of fixing the aforementioned bug.
+ * John Dennis
+ */
if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
*error = t_strdup_printf("pam_setcred() failed: %s",
pam_strerror(pamh, status));
return status;
}
#endif
+#endif
if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
*error = t_strdup_printf("pam_acct_mgmt() failed: %s",
--- ./dovecot-1.0.beta2/src/auth/passdb-pam.c.pam-tty 2006-01-30 11:02:05.000000000 +0100
+++ ./dovecot-1.0.beta2/src/auth/passdb-pam.c 2006-01-30 11:03:08.000000000 +0100
@@ -256,6 +256,10 @@
if (host != NULL)
pam_set_item(pamh, PAM_RHOST, host);
+ /* fix bug 149673, need dummy TTY for pam_access,
+ FIXME: should we check and report an error for PAM_TTY? */
+ pam_set_item(pamh, PAM_TTY, "dovecot");
+
status = pam_auth(request, pamh, &str);
if ((status2 = pam_end(pamh, status)) == PAM_SUCCESS) {
/* FIXME: check for PASSDB_RESULT_UNKNOWN_USER