[Dovecot] PAM session closes too soon
Hi.
I'm trying to keep most of my data encrypted when possible, only keeping the decryption key in memory (and thus vulnerable to local attacks) when I'm actually using my data. In practice, this means using pam_mount to mount my home directory from an encrypted device.
It almost looked like I could get this to work with mail as well, even when read via IMAP from a remote client: I placed my mail in the encrypted home directory, added pam_mount to /etc/pam.d/dovecot, and set session=yes in Dovecot's PAM configuration.
Except that it didn't, quite: pam_mount worked just fine and mounted the encrypted disk using the IMAP password... and then immediately unmounted it, since for some reason session=yes means that Dovecot closes the session _immediately_ after opening it.
This seems just silly. If a PAM session is to be used, then it seems obvious to me that its length should be exactly the length of the IMAP session. I can't see any reason for the current behavior, except maybe that it was a bit simpler to code and is sufficient for pam_mkhomedir (and only that).
Can this be fixed with reasonable effort?
Also, for pam_mount to work correctly, there must not be any file descriptors open in the mounted file system when the session closes, as otherwise unmounting is impossible. Will dovecot release all fds into the mail and index files when the session ends, or can it be made to do so? (UTSL is an acceptable answer.)
Thanks in advance.
Lauri Alanko la@iki.fi
On Aug 16, 2008, at 12:59 PM, Lauri Alanko wrote:
Except that it didn't, quite: pam_mount worked just fine and mounted the encrypted disk using the IMAP password... and then immediately unmounted it, since for some reason session=yes means that Dovecot closes the session _immediately_ after opening it.
This seems just silly. If a PAM session is to be used, then it seems obvious to me that its length should be exactly the length of the IMAP session. I can't see any reason for the current behavior, except maybe that it was a bit simpler to code and is sufficient for pam_mkhomedir (and only that).
The session=yes documentation says it does that, which is why it's
optional and disabled by default.
Can this be fixed with reasonable effort?
I don't really see how. PAM code is in dovecot-auth which keeps track
of sessions only as long as users are being authenticated. Changing
that doesn't seem like a very good idea and could cause a lot of extra
potential problems. Moving only the PAM session handling (or closing)
code to post-login imap/pop3 process code could work, but is it
possible?
Also, for pam_mount to work correctly, there must not be any file descriptors open in the mounted file system when the session closes, as otherwise unmounting is impossible. Will dovecot release all fds into the mail and index files when the session ends, or can it be made to do so? (UTSL is an acceptable answer.)
If PAM session handling code was moved to imap/pop3 process then yes,
the fds are all cleanly closed.
participants (2)
-
Lauri Alanko
-
Timo Sirainen