dovecot/dovecot-pam-setcred.patch
2005-07-22 21:15:59 +00:00

51 lines
2.4 KiB
Diff

--- passdb-pam.c.pam-setcred 2005-01-30 02:52:53.000000000 -0500
+++ dovecot-0.99.14/src/auth/passdb-pam.c 2005-07-22 16:38:16.000000000 -0400
@@ -180,12 +180,37 @@
}
#ifdef HAVE_PAM_SETCRED
+#if 0
+/*
+ * This is to fix a bug where dovecot was leaving a lot of temporary
+ * kerberos tickets around and filling up disk space. If
+ * pam_setcred(pamh, PAM_ESTABLISH_CRED) is called, which creates the
+ * ticket, then a matching pam_setcred(pamh, PAM_DELETE_CRED) also
+ * needs to be called to clean the ticket up. But the only reason to
+ * have a cached ticket on disk is if the service is going to perform
+ * some action during the session that requires access to the ticket
+ * for validation. This implies the pam session is being held open,
+ * which would be more typical pam usage. But the usage here is to
+ * close the pam session immediately after authenticating the user
+ * with pam_end, thus there is no benefit to creating the disk copy of
+ * the ticket. So rather than finding all the early returns before
+ * pam_end is invoked and adding pam_setcred(pamh, PAM_DELETE_CRED) to
+ * each it is more sensible to not create the ticket in the first
+ * place if we're not going to use it and thus not have to worry about
+ * the clean up. Note the way the code is currently structured, with
+ * an immediate call to pam_end() after authentication it implies the
+ * code probably won't work with a file system like AFS which uses the
+ * ticket for file system permissions, but restructuring the code for
+ * this case is beyond the needs of fixing the aforementioned bug.
+ * John Dennis <jdennis@redhat.com>
+ */
if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
*error = t_strdup_printf("pam_setcred(%s) failed: %s",
user, pam_strerror(pamh, status));
return status;
}
#endif
+#endif
if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
*error = t_strdup_printf("pam_acct_mgmt(%s) failed: %s",
@@ -228,6 +253,9 @@
str = t_strdup_printf("pam_start(%s) failed: %s",
user, pam_strerror(pamh, status));
} else {
+ /* fix bug 149673, need dummy TTY for pam_access */
+ /* FIXME: should we check and report an error for PAM_TTY? */
+ pam_set_item(pamh, PAM_TTY, "dovecot");
status = pam_auth(pamh, user, &str);
if ((status2 = pam_end(pamh, status)) == PAM_SUCCESS) {
/* FIXME: check for PASSDB_RESULT_UNKNOWN_USER