On Mon, 2009-06-29 at 13:32 -0700, Adam Megacz wrote:
> Hello. I'm wondering how one would go about configuring dovecot to invoke pam_setcred() from the same process as (or a parent process of) the process which eventually reads the user's mail off the disk.
Not easily. PAM lookups are done by dovecot-auth process, which is completely different from the eventual imap/pop3 process.
> In particular, I'm trying to use dovecot with pam_krb5 (which associates a ticket cache to a specific pid) and pam_afs_session (which associates tokens to a specific process authentication group -- roughly equivalent to a process and all its descendants).
Is it possible to authenticate first in one process and then do pam_setcred() in another? Then you could create e.g. a mail_executable wrapper or Dovecot plugin that calls pam_setcred() before dropping privileges.
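To make the wrapper idea above concrete, here is an added example (not code from the Dovecot project or from either poster) of a minimal mail_executable wrapper: it asks PAM to establish credentials for the target user with pam_setcred(PAM_ESTABLISH_CRED), drops root, and then execs the real imap/pop3 binary so that KRB5CCNAME or the AFS PAG is inherited. It assumes a PAM service named "dovecot", the user name in the USER environment variable, and the real binary's path in a hypothetical MAIL_REAL_EXECUTABLE variable. libpam is loaded with dlopen() so the file compiles on a host without the PAM development headers; whether pam_krb5 or pam_afs_session can establish credentials without a pam_authenticate() in the same handle is exactly the open question of the thread and depends on the module.

```c
/* Added example wrapper: pam_setcred() before dropping privileges, then exec.
 * Not part of Dovecot. Assumed inputs: USER, MAIL_REAL_EXECUTABLE (hypothetical
 * variable name), PAM service "dovecot". Must start as root. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constants and prototypes mirrored from Linux-PAM's <security/pam_appl.h>
 * so the example needs no PAM development headers at compile time. */
#define PAM_SUCCESS 0
#define PAM_ESTABLISH_CRED 0x0002
#define PAM_CONV_ERR 19
struct pam_message; struct pam_response; struct pam_handle;
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
typedef int (*pam_start_fn)(const char *, const char *, const struct pam_conv *, struct pam_handle **);
typedef int (*pam_setcred_fn)(struct pam_handle *, int);
typedef int (*pam_end_fn)(struct pam_handle *, int);

/* No password exists here: authentication already happened in dovecot-auth.
 * A conversation that refuses every prompt makes that explicit. */
static int no_conv(int n, const struct pam_message **msg,
                   struct pam_response **resp, void *data) {
    (void)n; (void)msg; (void)data;
    *resp = NULL;
    return PAM_CONV_ERR;
}

/* Returns 0 on success, -2 on a missing/empty identity, -1 if libpam cannot be
 * loaded, otherwise the PAM error code from pam_start()/pam_setcred(). */
int establish_pam_creds(const char *service, const char *user) {
    if (service == NULL || user == NULL || *user == '\0')
        return -2;
    void *lib = dlopen("libpam.so.0", RTLD_NOW);
    if (lib == NULL)
        return -1;
    pam_start_fn p_start = (pam_start_fn)dlsym(lib, "pam_start");
    pam_setcred_fn p_setcred = (pam_setcred_fn)dlsym(lib, "pam_setcred");
    pam_end_fn p_end = (pam_end_fn)dlsym(lib, "pam_end");
    if (!p_start || !p_setcred || !p_end) { dlclose(lib); return -1; }

    struct pam_conv conv = { no_conv, NULL };
    struct pam_handle *pamh = NULL;
    int rc = p_start(service, user, &conv, &pamh);
    if (rc == PAM_SUCCESS) {
        /* pam_krb5 / pam_afs_session hook in here (ticket cache, PAG). */
        rc = p_setcred(pamh, PAM_ESTABLISH_CRED);
        p_end(pamh, rc);
    }
    /* libpam stays loaded on purpose: modules may have registered cleanup state. */
    return rc;
}

/* Drop root only after credentials exist, in the safe order: groups, gid, uid.
 * Returns 0 on success, -1 on any failure (including if root can be regained). */
int drop_privileges(const struct passwd *pw) {
    if (pw == NULL) return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0) return -1;      /* privilege drop must be irreversible */
    return 0;
}

int main(int argc, char **argv) {
    (void)argc;
    const char *user = getenv("USER");
    const char *real = getenv("MAIL_REAL_EXECUTABLE");   /* hypothetical name */
    if (user == NULL || real == NULL) {
        fprintf(stderr, "USER and MAIL_REAL_EXECUTABLE must be set\n");
        return 2;
    }
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { fprintf(stderr, "unknown user %s\n", user); return 2; }

    int rc = establish_pam_creds("dovecot", user);
    if (rc != 0) {
        fprintf(stderr, "pam_setcred failed for %s (rc=%d)\n", user, rc);
        return 1;
    }
    if (drop_privileges(pw) != 0) { perror("drop_privileges"); return 1; }
    execv(real, argv);                  /* child inherits KRB5CCNAME / PAG */
    perror("execv");
    return 1;
}
```

Point mail_executable at this wrapper (with MAIL_REAL_EXECUTABLE set to the original imap binary) and the PAM session/credential modules run in an ancestor of the process that reads the mailbox, which is what the original question asks for; a non-zero return from establish_pam_creds() is the signal that the module needs the authentication step in the same PAM handle.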