From 458ac7a95277c22e53345886d98ec96264ff4ffb Mon Sep 17 00:00:00 2001
From: prockai
Date: Mon, 30 Jan 2006 10:28:59 +0000
Subject: [PATCH] Forward port the pam-setcred patch (and split into two, as it had 2 unrelated changes in it, apparently).
---
dovecot-1.0.beta2-pam-setcred.patch | 43 +++++++++++++++++++++++++++++
dovecot-1.0.beta2-pam-tty.patch | 13 +++++++++
dovecot.spec | 12 +++++---
3 files changed, 64 insertions(+), 4 deletions(-)
create mode 100644 dovecot-1.0.beta2-pam-setcred.patch
create mode 100644 dovecot-1.0.beta2-pam-tty.patch
diff --git a/dovecot-1.0.beta2-pam-setcred.patch b/dovecot-1.0.beta2-pam-setcred.patch
new file mode 100644
index 0000000..a6d660c
--- /dev/null
+++ b/dovecot-1.0.beta2-pam-setcred.patch
@@ -0,0 +1,43 @@
+--- ./dovecot-1.0.beta2/src/auth/passdb-pam.c.pam-setcred 2006-01-30 11:04:01.000000000 +0100
++++ ./dovecot-1.0.beta2/src/auth/passdb-pam.c 2006-01-30 11:05:39.000000000 +0100
+@@ -185,14 +185,39 @@
+ pam_strerror(pamh, status));
+ return status;
+ }
+-
+ #ifdef HAVE_PAM_SETCRED
++
++#if 0
++/*
++ * This is to fix a bug where dovecot was leaving a lot of temporary
++ * kerberos tickets around and filling up disk space. If
++ * pam_setcred(pamh, PAM_ESTABLISH_CRED) is called, which creates the
++ * ticket, then a matching pam_setcred(pamh, PAM_DELETE_CRED) also
++ * needs to be called to clean the ticket up. But the only reason to
++ * have a cached ticket on disk is if the service is going to perform
++ * some action during the session that requires access to the ticket
++ * for validation. This implies the pam session is being held open,
++ * which would be more typical pam usage. But the usage here is to
++ * close the pam session immediately after authenticating the user
++ * with pam_end, thus there is no benefit to creating the disk copy of
++ * the ticket. So rather than finding all the early returns before
++ * pam_end is invoked and adding pam_setcred(pamh, PAM_DELETE_CRED) to
++ * each it is more sensible to not create the ticket in the first
++ * place if we're not going to use it and thus not have to worry about
++ * the clean up. Note the way the code is currently structured, with
++ * an immediate call to pam_end() after authentication it implies the
++ * code probably won't work with a file system like AFS which uses the
++ * ticket for file system permissions, but restructuring the code for
++ * this case is beyond the needs of fixing the aforementioned bug.
++ * John Dennis
++ */
+ if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
+ *error = t_strdup_printf("pam_setcred() failed: %s",
+ pam_strerror(pamh, status));
+ return status;
+ }
+ #endif
++#endif
+ 
+ if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
+ *error = t_strdup_printf("pam_acct_mgmt() failed: %s",
diff --git a/dovecot-1.0.beta2-pam-tty.patch b/dovecot-1.0.beta2-pam-tty.patch
new file mode 100644
index 0000000..b08bcf0
--- /dev/null
+++ b/dovecot-1.0.beta2-pam-tty.patch
@@ -0,0 +1,13 @@
+--- ./dovecot-1.0.beta2/src/auth/passdb-pam.c.pam-tty 2006-01-30 11:02:05.000000000 +0100
++++ ./dovecot-1.0.beta2/src/auth/passdb-pam.c 2006-01-30 11:03:08.000000000 +0100
+@@ -256,6 +256,10 @@
+ if (host != NULL)
+ pam_set_item(pamh, PAM_RHOST, host);
+ 
++ /* fix bug 149673, need dummy TTY for pam_access,
++ FIXME: should we check and report an error for PAM_TTY? */
++ pam_set_item(pamh, PAM_TTY, "dovecot");
++
+ status = pam_auth(request, pamh, &str);
+ if ((status2 = pam_end(pamh, status)) == PAM_SUCCESS) {
+ /* FIXME: check for PASSDB_RESULT_UNKNOWN_USER
diff --git a/dovecot.spec b/dovecot.spec
index 17c712f..2356b25 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -20,8 +20,11 @@ Source7: dovecot-REDHAT-FAQ.txt
 Patch100: dovecot-conf.patch
 Patch101: dovecot-configfile.patch
 Patch102: dovecot-0.99-no-literal-plus-capability.patch
-Patch103: dovecot-pam-setcred.patch
-Patch104: dovecot-auth-log.patch
+Patch103: dovecot-1.0.beta2-pam-tty.patch
+Patch104: dovecot-1.0.beta2-pam-setcred.patch
+
+# XXX this patch needs review and forward porting
+#Patch105: dovecot-auth-log.patch
 # Patches 500+ from upstream fixes
 URL: http://dovecot.procontrol.fi/
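Review bot: Wrapping the `pam_setcred(pamh, PAM_ESTABLISH_CRED)` call in `#if 0` leaves the `HAVE_PAM_SETCRED` configure check inert and puts the only explanation inside compiled-out text, so a reader of the active code sees no sign that credential establishment is deliberately skipped. A one-line live comment at the `#ifdef HAVE_PAM_SETCRED` line would carry the decision, e.g. `/* pam_setcred(PAM_ESTABLISH_CRED) intentionally not called: pam_end() follows immediately, so an on-disk credential cache would only be left behind (rationale below) */`, and the AFS caveat in the disabled block is worth surfacing the same way, since anyone who later holds the PAM session open must also add the matching `PAM_DELETE_CRED` call before `pam_end()`. Keeping the dead block rather than deleting it is a style choice; if it stays, the comment should say that it is retained only as documentation. The enclosing function starts and ends outside the hunk.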
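Review bot: The return value of the new `pam_set_item(pamh, PAM_TTY, "dovecot")` is discarded, which the FIXME in the same hunk already questions; if the item cannot be set, `pam_auth()` still runs and a tty-aware module such as pam_access may evaluate the request without the value this patch exists to supply, so the answer to the FIXME is yes. Treating it like the other pam_* calls in this file, `if ((status = pam_set_item(pamh, PAM_TTY, "dovecot")) != PAM_SUCCESS)` should lead to this function's failure path, presumably ending the handle with `pam_end()` as the existing code does after `pam_auth()`; that path is outside the hunk, so I cannot quote it. The pre-existing `PAM_RHOST` call on the line above has the same gap, though it is not part of this change. The enclosing function starts and ends outside the hunk.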
@@ -63,8 +66,9 @@ in either of maildir or mbox formats.
 #cp $RPM_BUILD_DIR/dovecot-%{upstream}/dovecot-example.conf $RPM_BUILD_DIR/${RPM_PACKAGE_NAME}-%{upstream}/dovecot.conf
 %patch101 -p1 -b .configfile
 #%patch102 -p1 -b .no-literal-plus-capability
-#%patch103 -p1 -b .pam-setcred
-#%patch104 -p1 -b .auth-log
+%patch103 -p2 -b .pam-tty
+%patch104 -p2 -b .pam-setcred
+#%patch105 -p1 -b .auth-log
 %build
 rm -f ./configure
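Review bot: The new `%patch103 -p2 -b .pam-tty` and `%patch104 -p2 -b .pam-setcred` lines use a different strip level from every other `%patch` line in this hunk, because the two new patch files carry a `./dovecot-1.0.beta2/` prefix in their headers while the tree is otherwise addressed through `%{upstream}`. Since `-p2` strips any two leading components this still applies after a version bump, but the mismatch is easy to get wrong when the next patch is added; generating the patches from inside the source tree and applying them with `-p1` like their neighbours would remove the inconsistency. If `-p2` is kept, a comment next to the Patch103/Patch104 declarations such as `# applied with -p2: headers carry the ./dovecot-1.0.beta2/ prefix` would record why.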