[Dovecot] About RH patches and 1.0beta8
Hi, I just started building dovecot 1.0beta8 on RHEL 4.3 based on the atrpms.net .spec file.
I noted that 3 patches are included in the .src.rpm and wanted to discuss them. I'm interested in knowing if those patches are relevant to all dovecot users and if they can be applied to dovecot.
From: http://dl.atrpms.net/all/dovecot-1.0-0_10.99.beta7.el4.at.src.rpm
patch: dovecot-1.0.beta2-mkcert-permissions.patch calls 'chown root.root'; is it good to have the certs owned by root?
patch: dovecot-1.0.beta2-pam-setcred.patch disables the call to pam_setcred() because there is no other call to pam_setcred() to release the resources
patch: dovecot-1.0.beta2-pam-tty.patch adds a call to pam_set_item()
I don't want to attach the patches to the list, but I can if anyone cannot extract them from the .src.rpm
Many thanks Oliver
-- Oliver Schulze L. <oliver@samera.com.py>
On Fri, 2006-05-12 at 17:06 -0400, Oliver Schulze L. wrote:
> http://dl.atrpms.net/all/dovecot-1.0-0_10.99.beta7.el4.at.src.rpm
> patch: dovecot-1.0.beta2-mkcert-permissions.patch calls 'chown root.root'; is it good to have the certs owned by root?
I guess, but isn't mkcert.sh run as root normally anyway? And if the user doesn't want to run it as root, chowning doesn't work anyway.
> patch: dovecot-1.0.beta2-pam-setcred.patch disables the call to pam_setcred() because there is no other call to pam_setcred() to release the resources
I kept the functionality, but it's now enabled only if the setcred=yes PAM option is given in passdb args.
> patch: dovecot-1.0.beta2-pam-tty.patch adds a call to pam_set_item()
> I don't want to attach the patches to the list, but I can if anyone cannot extract them from the .src.rpm
I tried for a while to figure out how to unpack it, but gave up. I could look at the pam_set_item() patch, and if someone knows what it's really useful for I'd like to know that too :)
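An added example for the ownership question above, not code from Dovecot's mkcert.sh or from the mkcert-permissions patch: a POSIX sh check that a private key file carries no group/other permission bits and is owned by an expected numeric uid, plus a hardening step that applies the patch's chmod but only attempts the chown when actually running as root, which is the case Timo's objection points at. The function names, the numeric-uid parameter, the use of `ls -ldn` instead of stat(1), and the paths in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of Dovecot's mkcert.sh or the mkcert-permissions patch.
# Check and enforce the ownership/mode the patch sets on the generated key.

# check_key_perms FILE UID: succeed only if FILE is a regular file with no
# group/other permission bits and owned by numeric UID (0 for root).  Uses
# ls -ldn rather than stat(1) because stat's flags differ between GNU and BSD.
check_key_perms() {
    kfile=$1
    want_uid=$2
    [ -f "$kfile" ] || { echo "$kfile: not a regular file" >&2; return 1; }
    set -- $(ls -ldn "$kfile")        # -rw------- 1 0 0 891 ... FILE
    mode=$1
    have_uid=$3
    # characters 5-10 of the mode string are the group and other bits
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "$kfile: group/other bits set ($mode)" >&2
        return 1
    fi
    if [ "$have_uid" != "$want_uid" ]; then
        echo "$kfile: owned by uid $have_uid, expected $want_uid" >&2
        return 1
    fi
    return 0
}

# harden_key_file FILE: apply the patch's chmod 0600 unconditionally, but only
# attempt chown root:root when running as root, since it cannot succeed
# otherwise (Timo's objection in the thread).  Returns non-zero on any failure.
harden_key_file() {
    kfile=$1
    chmod 0600 "$kfile" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$kfile" || return 1
    fi
    return 0
}

# Usage (assumed paths):
#   harden_key_file /etc/ssl/private/dovecot.pem \
#     && check_key_perms /etc/ssl/private/dovecot.pem 0
```

The check takes any file, so it can be run on the certificate as well; whether the public certificate needs the same 0600 mode as the key is exactly the question the thread leaves open.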
Timo Sirainen wrote:
> On Fri, 2006-05-12 at 17:06 -0400, Oliver Schulze L. wrote:
>> I don't want to attach the patches to the list, but I can if anyone cannot extract them from the .src.rpm
> I tried for a while to figure out how to unpack it, but gave up. I could look at the pam_set_item() patch, and if someone knows what it's really useful for I'd like to know that too :)
Unpacking of a .src.rpm can be done through rpm2cpio, e.g.:
$ mkdir dovecot && cd dovecot
$ rpm2cpio ../dovecot-xyz.src.rpm | cpio -i
rpm2cpio comes with the rpm package, at least on RedHat distributions.
Best Regards Michael Paesold
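The rpm2cpio step above, extended as an added example that is not code from the thread, from Dovecot or from the ATrpms package: a POSIX sh script that unpacks a .src.rpm, lists the Patch tags of the .spec in declaration order, and prints which files each patch modifies, so the three patches can be reviewed one by one before being applied to a vanilla tarball. The function names and the file names in the usage comment are this example's assumptions; rpm2cpio and cpio come from the rpm and cpio packages as Michael notes.

```shell
#!/bin/sh
# Added example, not part of the Dovecot project or the ATrpms .spec.
# Unpack a source RPM and inventory its patches before applying any of them.

# Unpack SRPM into DEST (created if missing).  rpm2cpio writes the payload as
# a cpio archive; -i extracts, -d creates leading directories, -m keeps mtimes.
extract_srpm() {
    srpm=$1
    dest=$2
    mkdir -p "$dest" || return 1
    rpm2cpio "$srpm" | (cd "$dest" && cpio -idm)
}

# Print the file name of every "PatchN: file" tag in SPEC, in the order the
# tags appear.  RPM normally applies them in that order via %patchN, so this is
# also the order in which to review them.  Macros such as %{name} are printed
# unexpanded, which is fine for a listing.
list_spec_patches() {
    awk '/^[Pp]atch[0-9]*[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); print }' "$1"
}

# Print the files a unified diff touches, taken from its "+++" headers with the
# first path component stripped, i.e. the name patch -p1 would operate on.
patch_targets() {
    awk '/^[+][+][+] / { f = $2; sub("^[^/]*/", "", f); print f }' "$1"
}

# Review helper: for each patch declared in SPEC, show the files it modifies.
# Patches are expected beside the spec, which is where rpm2cpio leaves them.
review_spec_patches() {
    spec=$1
    dir=$(dirname "$spec")
    list_spec_patches "$spec" | while read -r p; do
        echo "$p:"
        patch_targets "$dir/$p" | sed 's/^/    /'
    done
}

# Usage (assumed file names):
#   extract_srpm dovecot-1.0-0_10.99.beta7.el4.at.src.rpm dovecot-src
#   review_spec_patches dovecot-src/dovecot.spec
```

Seeing at a glance that two of the three patches touch the same file (src/auth/passdb-pam.c) tells you they must be applied in the spec's order, since the second hunk's line numbers assume the first is already in place.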
Hi,
Timo Sirainen wrote:
>> patch: dovecot-1.0.beta2-pam-tty.patch adds a call to pam_set_item()
>> I don't want to attach the patches to the list, but I can if anyone cannot extract them from the .src.rpm
> I tried for a while to figure out how to unpack it, but gave up. I could look at the pam_set_item() patch, and if someone knows what it's really useful for I'd like to know that too :)
Those patches look like the same ones shipped with the FC5 rpm, which you can find on Fedora's CVS server.
http://cvs.fedora.redhat.com/viewcvs/rpms/dovecot/FC-5/
Right now they are using:
dovecot-1.0.beta2-pam-tty.patch
dovecot-1.0.beta2-pam-setcred.patch
dovecot-1.0.beta2-mkcert-permissions.patch
Regards,
Angel Marin http://anmar.eu.org/
Hi,
On Sun, Jun 11, 2006 at 09:22:04PM +0300, Timo Sirainen wrote:
>> I don't want to attach the patches to the list, but I can if anyone cannot extract them from the .src.rpm
> I tried for a while to figure out how to unpack it, but gave up. I could look at the pam_set_item() patch, and if someone knows what it's really useful for I'd like to know that too :)
You can pull the Red Hat/Fedora Core specific patches in raw form from
http://cvs.fedora.redhat.com/viewcvs/rpms/dovecot/FC-5/
-- Axel.Thimm at ATrpms.net
Sorry about the delay, here they are:
patch: dovecot-1.0.beta2-pam-tty.patch https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=149673
dovecot-1.0.beta2-pam-setcred.patch https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146198
dovecot-1.0.beta2-mkcert-permissions.patch just a chmod
Also, nice comments are in each patch. I attach the 3 patches.
HTH
Oliver
Timo Sirainen wrote:
> On Fri, 2006-05-12 at 17:06 -0400, Oliver Schulze L. wrote:
>> http://dl.atrpms.net/all/dovecot-1.0-0_10.99.beta7.el4.at.src.rpm
>> patch: dovecot-1.0.beta2-mkcert-permissions.patch calls 'chown root.root'; is it good to have the certs owned by root?
> I guess, but isn't mkcert.sh run as root normally anyway? And if the user doesn't want to run it as root, chowning doesn't work anyway.
>> patch: dovecot-1.0.beta2-pam-setcred.patch disables the call to pam_setcred() because there is no other call to pam_setcred() to release the resources
> I kept the functionality, but it's now enabled only if the setcred=yes PAM option is given in passdb args.
>> patch: dovecot-1.0.beta2-pam-tty.patch adds a call to pam_set_item()
>> I don't want to attach the patches to the list, but I can if anyone cannot extract them from the .src.rpm
> I tried for a while to figure out how to unpack it, but gave up. I could look at the pam_set_item() patch, and if someone knows what it's really useful for I'd like to know that too :)
-- Oliver Schulze L. <oliver@samera.com.py> --- dovecot-1.0.beta2/doc/mkcert.sh.configfile 2006-01-16 21:14:54.000000000 +0100 +++ dovecot-1.0.beta2/doc/mkcert.sh 2006-01-26 14:28:38.000000000 +0100 @@ -29,6 +29,7 @@ fi $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2 -chmod 0600 $KEYFILE +chown root:root $CERTFILE $KEYFILE +chmod 0600 $CERTFILE $KEYFILE echo $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2 --- ./dovecot-1.0.beta2/src/auth/passdb-pam.c.pam-setcred 2006-01-30 11:04:01.000000000 +0100 +++ ./dovecot-1.0.beta2/src/auth/passdb-pam.c 2006-01-30 11:05:39.000000000 +0100 
@@ -185,14 +185,39 @@ pam_strerror(pamh, status)); return status; } - #ifdef HAVE_PAM_SETCRED + +#if 0 +/* + * This is to fix a bug where dovecot was leaving a lot of temporary + * kerberos tickets around and filling up disk space. If + * pam_setcred(pamh, PAM_ESTABLISH_CRED) is called, which creates the + * ticket, then a matching pam_setcred(pamh, PAM_DELETE_CRED) also + * needs to be called to clean the ticket up. But the only reason to + * have a cached ticket on disk is if the service is going to perform + * some action during the session that requires access to the ticket + * for validation. This implies the pam session is being held open, + * which would be more typical pam usage. But the usage here is to + * close the pam session immediately after authenticating the user + * with pam_end, thus there is no benefit to creating the disk copy of + * the ticket. So rather than finding all the early returns before + * pam_end is invoked and adding pam_setcred(pamh, PAM_DELETE_CRED) to + * each it is more sensible to not create the ticket in the first + * place if we're not going to use it and thus not have to worry about + * the clean up. Note the way the code is currently structured, with + * an immediate call to pam_end() after authentication it implies the + * code probably won't work with a file system like AFS which uses the + * ticket for file system permissions, but restructuring the code for + * this case is beyond the needs of fixing the aforementioned bug. 
+ * John Dennis <jdennis@redhat.com> + */ if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { *error = t_strdup_printf("pam_setcred() failed: %s", pam_strerror(pamh, status)); return status; } #endif +#endif if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) { *error = t_strdup_printf("pam_acct_mgmt() failed: %s", --- ./dovecot-1.0.beta2/src/auth/passdb-pam.c.pam-tty 2006-01-30 11:02:05.000000000 +0100 +++ ./dovecot-1.0.beta2/src/auth/passdb-pam.c 2006-01-30 11:03:08.000000000 +0100 @@ -256,6 +256,10 @@ if (host != NULL) pam_set_item(pamh, PAM_RHOST, host); + /* fix bug 149673, need dummy TTY for pam_access, + FIXME: should we check and report an error for PAM_TTY? */ + pam_set_item(pamh, PAM_TTY, "dovecot"); + status = pam_auth(request, pamh, &str); if ((status2 = pam_end(pamh, status)) == PAM_SUCCESS) { /* FIXME: check for PASSDB_RESULT_UNKNOWN_USER
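Review bot: in the mkcert.sh hunk neither the new `chown root:root $CERTFILE $KEYFILE` nor the `chmod 0600 $CERTFILE $KEYFILE` checks its exit status, while the openssl line just above them ends in `|| exit 2`; run by a non-root user the chown fails and the script carries on and prints the fingerprint as if everything succeeded. Either append `|| exit 2` to both lines or skip the chown when `id -u` is not 0. The hunk also tightens the public certificate to 0600 where the old line only restricted $KEYFILE, without saying why; a one-line comment giving the reason (or leaving the certificate at its previous mode) would help the next reader. Quoting the variables is a minor style point, consistent with the rest of the script leaving them unquoted.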
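Review bot: wrapping the pam_setcred() block in `#if 0` disables it unconditionally and leaves the surrounding `#ifdef HAVE_PAM_SETCRED` guarding nothing, so the long justification becomes a comment on dead code. The comment itself names the case this breaks (AFS, or any deployment that needs the credential after authentication), which argues for a build-time or runtime switch rather than deletion; Timo's reply in this thread describes doing that with a `setcred=yes` passdb argument. Whichever route is taken, the comment's own rule should be enforced by code, not prose: every `pam_setcred(pamh, PAM_ESTABLISH_CRED)` needs a matching `pam_setcred(pamh, PAM_DELETE_CRED)` before `pam_end()` on each return path, since that missing pair is the ticket-cache leak the patch is working around.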
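Review bot: the return value of `pam_set_item(pamh, PAM_TTY, "dovecot")` is discarded, and the hunk's own FIXME asks whether it should be checked; it should, in the same style the file already uses for `pam_setcred()` (test against PAM_SUCCESS and report `pam_strerror(pamh, status)`), otherwise a module that later reads PAM_TTY sees an unset item with no diagnostic. The `pam_set_item(pamh, PAM_RHOST, host)` two lines above has the same unchecked call, so both can share one error path. The fixed string "dovecot" exists only to satisfy pam_access tty rules (bug 149673 per the comment); that value belongs in the service's PAM documentation as well as the code comment, because administrators writing access.conf rules need to know what TTY name to match.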
participants (5)
- Angel Marin
- Axel Thimm
- Michael Paesold
- Oliver Schulze L.
- Timo Sirainen