[Dovecot] PAM session closes too soon

Timo Sirainen tss at iki.fi
Sat Aug 16 13:30:15 EEST 2008


On Aug 16, 2008, at 12:59 PM, Lauri Alanko wrote:

> Except that it didn't, quite: pam_mount worked just fine and
> mounted the encrypted disk using the IMAP password... and then
> immediately unmounted it, since for some reason session=yes means
> that Dovecot closes the session _immediately_ after opening it.
>
> This seems just silly. If a PAM session is to be used, then it
> seems obvious to me that its length should be exactly the length
> of the IMAP session. I can't see any reason for the current
> behavior, except maybe that it was a bit simpler to code and is
> sufficient for pam_mkhomedir (and only that).

The session=yes documentation says it does that, which is why it's  
optional and disabled by default.

> Can this be fixed with reasonable effort?

I don't really see how. PAM code is in dovecot-auth which keeps track  
of sessions only as long as users are being authenticated. Changing  
that doesn't seem like a very good idea and could cause a lot of extra  
potential problems. Moving only the PAM session handling (or closing)  
code to post-login imap/pop3 process code could work, but is it  
possible?

> Also, for pam_mount to work correctly, there must not be any file
> descriptors open in the mounted file system when the session
> closes, as otherwise unmounting is impossible. Will dovecot
> release all fds into the mail and index files when the session
> ends, or can it be made to do so? (UTSL is an acceptable answer.)

If PAM session handling code was moved to imap/pop3 process then yes,  
the fds are all cleanly closed.
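
The open-descriptor concern raised in the thread (an unmount at session close fails while any fd still points into the mounted file system) can be checked from outside the process. This is an added example, not code from the thread or from Dovecot; it assumes Linux /proc, and the temporary directory and file in demo() are constructed stand-ins for the pam_mount target.

```python
import os
import tempfile

def fds_under_mount(pid, mount_point):
    """Return [(fd, path)] for descriptors of `pid` that point inside `mount_point`."""
    root = os.path.realpath(mount_point)
    fd_dir = f"/proc/{pid}/fd"
    hits = []
    try:
        names = os.listdir(fd_dir)
    except (FileNotFoundError, PermissionError):
        return hits  # process exited, or we lack privileges to inspect it
    for name in names:
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed between listdir() and readlink()
        # Sockets and pipes read as "socket:[123]"; only absolute paths are files.
        if not target.startswith("/"):
            continue
        # An unlinked but still open file keeps the mount busy as well.
        if target.endswith(" (deleted)"):
            target = target[: -len(" (deleted)")]
        # Compare whole path components so /mnt/a does not match /mnt/ab.
        if target == root or target.startswith(root.rstrip("/") + "/"):
            hits.append((int(name), target))
    return sorted(hits)

def demo():
    """Constructed scenario: a temp dir stands in for the pam_mount target."""
    with tempfile.TemporaryDirectory() as maildir:
        index = open(os.path.join(maildir, "dovecot.index"), "w")
        held = fds_under_mount(os.getpid(), maildir)
        index.close()
        after_close = fds_under_mount(os.getpid(), maildir)
    return held, after_close

if __name__ == "__main__":
    held, after_close = demo()
    print("open while session active:", held)
    print("open after close:", after_close)
```

Inspecting another user's process this way needs root or the same uid; without it the function returns an empty list rather than raising.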