fix bug #146198, clean up temp kerberos tickets

John Dennis 2005-02-02 22:02:10 +00:00
parent c749286388
commit daf6971323
2 changed files with 49 additions and 1 deletions

40
dovecot-pam-setcred.patch Normal file

@ -0,0 +1,40 @@
--- dovecot-0.99.13.orig/src/auth/passdb-pam.c 2004-12-19 00:25:15.000000000 -0500
+++ dovecot-0.99.13/src/auth/passdb-pam.c 2005-02-02 16:18:59.177660000 -0500
@@ -180,12 +180,37 @@
}
#ifdef HAVE_PAM_SETCRED
+#if 0
+/*
+ * This is to fix a bug where dovecot was leaving a lot of temporary
+ * kerberos tickets around and filling up disk space. If
+ * pam_setcred(pamh, PAM_ESTABLISH_CRED) is called, which creates the
+ * ticket, then a matching pam_setcred(pamh, PAM_DELETE_CRED) also
+ * needs to be called to clean the ticket up. But the only reason to
+ * have a cached ticket on disk is if the service is going to perform
+ * some action during the session that requires access to the ticket
+ * for validation. This implies the pam session is being held open,
+ * which would be more typical pam usage. But the usage here is to
+ * close the pam session immediately after authenticating the user
+ * with pam_end, thus there is no benefit to creating the disk copy of
+ * the ticket. So rather than finding all the early returns before
+ * pam_end is invoked and adding pam_setcred(pamh, PAM_DELETE_CRED) to
+ * each it is more sensible to not create the ticket in the first
+ * place if we're not going to use it and thus not have to worry about
+ * the clean up. Note the way the code is currently structured, with
+ * an immediate call to pam_end() after authentication it implies the
+ * code probably won't work with a file system like AFS which uses the
+ * ticket for file system permissions, but restructuring the code for
+ * this case is beyond the needs of fixing the aforementioned bug.
+ * John Dennis <jdennis@redhat.com>
+ */
if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
*error = t_strdup_printf("pam_setcred(%s) failed: %s",
user, pam_strerror(pamh, status));
return status;
}
#endif
+#endif
if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
*error = t_strdup_printf("pam_acct_mgmt(%s) failed: %s",
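Review bot: Compiling out `pam_setcred(pamh, PAM_ESTABLISH_CRED)` with `#if 0` skips the credential phase for every module in the PAM stack, not only the Kerberos module that writes the ticket cache. Any module that does other work in its setcred hook would presumably no longer be invoked, and the added comment should state that trade-off alongside the AFS caveat it already gives. The nested conditionals are also easy to misread, because the pre-existing `#endif` now closes `#if 0` while the added one closes `HAVE_PAM_SETCRED`; I would label them `#endif /* 0: pam_setcred disabled, see comment above */` and `#endif /* HAVE_PAM_SETCRED */`. The enclosing function starts and ends outside the hunk, so whether any later path relies on established credentials cannot be checked from here.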


@ -1,7 +1,7 @@
Summary: Dovecot Secure imap server
Name: dovecot
Version: 0.99.13
Release: 3.devel
Release: 4.devel
License: LGPL
Group: System Environment/Daemons
@ -19,6 +19,7 @@ Source7: dovecot-REDHAT-FAQ.txt
Patch100: dovecot-conf.patch
Patch101: dovecot-configfile.patch
Patch102: dovecot-0.99-no-literal-plus-capability.patch
Patch103: dovecot-pam-setcred.patch
# Patches 500+ from upstream fixes
URL: http://dovecot.procontrol.fi/
@ -28,6 +29,9 @@ BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: zlib-devel
# gettext-devel is needed for running autoconf because of the
# presence of AM_ICONV
BuildRequires: gettext-devel
Prereq: openssl, /sbin/chkconfig, /usr/sbin/useradd
%if %{build_postgres}
@ -57,6 +61,7 @@ in either of maildir or mbox formats.
cp $RPM_BUILD_DIR/${RPM_PACKAGE_NAME}-${RPM_PACKAGE_VERSION}/dovecot-example.conf $RPM_BUILD_DIR/${RPM_PACKAGE_NAME}-${RPM_PACKAGE_VERSION}/dovecot.conf
%patch101 -p1 -b .configfile
%patch102 -p1 -b .no-literal-plus-capability
%patch103 -p1 -b .pam-setcred
%build
rm -f ./configure
@ -159,6 +164,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Wed Feb 2 2005 John Dennis <jdennis@redhat.com> - 0.99.13-4.devel
- fix bug #146198, clean up temp kerberos tickets
* Mon Jan 17 2005 John Dennis <jdennis@redhat.com> 0.99.13-3.devel
- fix bug #145214, force mbox_locks to fcntl only
- fix bug #145241, remove prereq on postgres and mysql, allow rpm auto