On Aug 16, 2008, at 12:59 PM, Lauri Alanko wrote:
> Except that it didn't, quite: pam_mount worked just fine and
> mounted the encrypted disk using the IMAP password... and then
> immediately unmounted it, since for some reason session=yes means
> that Dovecot closes the session _immediately_ after opening it.
>
> This seems just silly. If a PAM session is to be used, then it
> seems obvious to me that its length should be exactly the length
> of the IMAP session. I can't see any reason for the current
> behavior, except maybe that it was a bit simpler to code and is
> sufficient for pam_mkhomedir (and only that).
The session=yes documentation says it does that, which is why it's
optional and disabled by default.
> Can this be fixed with reasonable effort?
I don't really see how. PAM code is in dovecot-auth which keeps track
of sessions only as long as users are being authenticated. Changing
that doesn't seem like a very good idea and could cause a lot of extra
potential problems. Moving only the PAM session handling (or closing)
code to post-login imap/pop3 process code could work, but is it
possible?
> Also, for pam_mount to work correctly, there must not be any file
> descriptors open in the mounted file system when the session
> closes, as otherwise unmounting is impossible. Will dovecot
> release all fds into the mail and index files when the session
> ends, or can it be made to do so? (UTSL is an acceptable answer.)
If PAM session handling code was moved to imap/pop3 process then yes,
the fds are all cleanly closed.