[Dovecot] configure dovecot to invoke pam_setcred() from the same process that accesses ~/Maildir?
Hello. I'm wondering how one would go about configuring dovecot to invoke pam_setcred() from the same process as (or a parent process of) the process which eventually reads the user's mail off the disk. This is required for pam modules that set kernel-level credentials which are later used to access the user's mail files.
In particular, I'm trying to use dovecot with pam_krb5 (which associates a ticket cache to a specific pid) and pam_afs_session (which associates tokens to a specific process authentication group -- roughly equivalent to a process and all its descendants).
Thanks,
- a
On Mon, 2009-06-29 at 13:32 -0700, Adam Megacz wrote:
> Hello. I'm wondering how one would go about configuring dovecot to invoke pam_setcred() from the same process as (or a parent process of) the process which eventually reads the user's mail off the disk.
Not easily. PAM lookups are done by dovecot-auth process, which is completely different from the eventual imap/pop3 process.
> In particular, I'm trying to use dovecot with pam_krb5 (which associates a ticket cache to a specific pid) and pam_afs_session (which associates tokens to a specific process authentication group -- roughly equivalent to a process and all its descendants).
Is it possible to authenticate first in one process and then do pam_setcred() in another? Then you could create e.g. a mail_executable wrapper or Dovecot plugin that calls pam_setcred() before dropping privileges.
Timo Sirainen tss@iki.fi writes:
> Not easily. PAM lookups are done by dovecot-auth process, which is completely different from the eventual imap/pop3 process.
Yes, I know... I find that most unfortunate. This design creates security problems when the machine where the files are stored does not unconditionally trust the machine running dovecot (as, for example, in NFS).
>> In particular, I'm trying to use dovecot with pam_krb5 (which associates a ticket cache to a specific pid) and pam_afs_session (which associates tokens to a specific process authentication group -- roughly equivalent to a process and all its descendants).
>
> Is it possible to authenticate first in one process and then do pam_setcred() in another?
Only if one process is a parent of the other (or a parent of a parent, etc). Or if they have a common parent which is unique to the connection (ie their common parent is not the parent of any other auth processes or connection-handling processes).
When dovecot is used in the mode where it forks a new authentication process for every connection, is the authentication process a child of the process which handles the rest of the connection, or vice versa? Or neither?
Thanks,
- a
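The ancestry rule stated above (credentials established by pam_setcred() are only visible to descendants of the process that set them, or to two processes that share a parent unique to the connection) is something a wrapper or plugin author has to verify before trusting inherited credentials. The following is an added example written for this page, not Dovecot code and not from any participant in the thread. It assumes Linux with /proc mounted and reads /proc/<pid>/stat; the functions parent_of, is_ancestor and common_ancestor are hypothetical names chosen here.

```c
/* Added example: check the process-ancestry precondition for per-process
 * credentials (pid-bound ticket cache, PAG). Assumption: Linux with /proc. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_DEPTH 256

/* Parent pid of `pid` from /proc/<pid>/stat, or -1 if it cannot be read.
 * The comm field is parenthesised and may itself contain spaces or ')',
 * so parsing starts after the last ')' on the line. */
static pid_t parent_of(pid_t pid)
{
    char path[64], buf[1024];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    char *p = strrchr(buf, ')');
    char state;
    long ppid;
    if (p == NULL || sscanf(p + 1, " %c %ld", &state, &ppid) != 2)
        return -1;
    return (pid_t)ppid;
}

/* Fill `out` with the strict ancestors of `pid`, nearest first; return count.
 * Stops at the pid-namespace root (ppid 0) or when /proc is unreadable. */
static int ancestors_of(pid_t pid, pid_t *out, int max)
{
    int n = 0;
    while (n < max) {
        pid_t pp = parent_of(pid);
        if (pp <= 0)
            break;
        out[n++] = pp;
        pid = pp;
    }
    return n;
}

/* 1 if `anc` is a strict ancestor of `pid` (so `pid` could have inherited
 * per-process credentials from it), else 0. */
int is_ancestor(pid_t anc, pid_t pid)
{
    pid_t chain[MAX_DEPTH];
    int n = ancestors_of(pid, chain, MAX_DEPTH);
    for (int i = 0; i < n; i++)
        if (chain[i] == anc)
            return 1;
    return 0;
}

/* Nearest pid that is a strict ancestor of both `a` and `b`, or -1.
 * The thread's second case requires this pid to be unique to the connection. */
pid_t common_ancestor(pid_t a, pid_t b)
{
    pid_t ca[MAX_DEPTH], cb[MAX_DEPTH];
    int na = ancestors_of(a, ca, MAX_DEPTH);
    int nb = ancestors_of(b, cb, MAX_DEPTH);
    for (int i = 0; i < na; i++)
        for (int j = 0; j < nb; j++)
            if (ca[i] == cb[j])
                return ca[i];
    return -1;
}

int main(void)
{
    pid_t me = getpid(), parent = getppid();
    printf("%ld is an ancestor of %ld: %d\n", (long)parent, (long)me,
           is_ancestor(parent, me));
    printf("nearest common ancestor of %ld and %ld: %ld\n", (long)me,
           (long)parent, (long)common_ancestor(me, parent));
    return 0;
}
```

Running it in a mail-handling process and passing the pid of the process that ran pam_setcred() tells you whether the kernel-level credentials could have been inherited at all; if is_ancestor() returns 0 and common_ancestor() is a pid shared with unrelated connections, the credentials will not be there regardless of how the PAM stack is configured.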
On Jun 30, 2009, at 12:39 PM, Adam Megacz wrote:
>>> In particular, I'm trying to use dovecot with pam_krb5 (which associates a ticket cache to a specific pid) and pam_afs_session (which associates tokens to a specific process authentication group -- roughly equivalent to a process and all its descendants).
>>
>> Is it possible to authenticate first in one process and then do pam_setcred() in another?
>
> Only if one process is a parent of the other (or a parent of a parent, etc). Or if they have a common parent which is unique to the connection (ie their common parent is not the parent of any other auth processes or connection-handling processes).
Doesn't sound doable then. Maybe reimplement the pam_* modules as Dovecot modules :)
> When dovecot is used in the mode where it forks a new authentication process for every connection, is the authentication process a child of the process which handles the rest of the connection, or vice versa? Or neither?
Neither. Only dovecot master process forks new processes. Being able to do authentication from login processes would pretty much destroy Dovecot's whole security model.