On Aug 16, 2008, at 12:59 PM, Lauri Alanko wrote:
> Except that it didn't, quite: pam_mount worked just fine and mounted the encrypted disk using the IMAP password... and then immediately unmounted it, since for some reason session=yes means that Dovecot closes the session _immediately_ after opening it.
> This seems just silly. If a PAM session is to be used, then it seems obvious to me that its length should be exactly the length of the IMAP session. I can't see any reason for the current behavior, except maybe that it was a bit simpler to code and is sufficient for pam_mkhomedir (and only that).
The session=yes documentation says it does that, which is why it's
optional and disabled by default.
> Can this be fixed with reasonable effort?
I don't really see how. PAM code is in dovecot-auth which keeps track
of sessions only as long as users are being authenticated. Changing
that doesn't seem like a very good idea and could cause a lot of extra
potential problems. Moving only the PAM session handling (or closing)
code to post-login imap/pop3 process code could work, but is it
possible?
> Also, for pam_mount to work correctly, there must not be any file descriptors open in the mounted file system when the session closes, as otherwise unmounting is impossible. Will dovecot release all fds into the mail and index files when the session ends, or can it be made to do so? (UTSL is an acceptable answer.)
If PAM session handling code was moved to imap/pop3 process then yes,
the fds are all cleanly closed.