Adam Megacz
2009-Jun-29 20:32 UTC
[Dovecot] configure dovecot to invoke pam_setcred() from the same process that accesses ~/Maildir?
Hello. I'm wondering how one would go about configuring dovecot to invoke pam_setcred() from the same process as (or a parent process of) the process which eventually reads the user's mail off the disk. This is required for PAM modules that set kernel-level credentials which are later used to access the user's mail files.

In particular, I'm trying to use dovecot with pam_krb5 (which associates a ticket cache with a specific pid) and pam_afs_session (which associates tokens with a specific process authentication group -- roughly equivalent to a process and all its descendants).

Thanks,

- a
Timo Sirainen
2009-Jun-30 15:00 UTC
[Dovecot] configure dovecot to invoke pam_setcred() from the same process that accesses ~/Maildir?
On Mon, 2009-06-29 at 13:32 -0700, Adam Megacz wrote:
> Hello. I'm wondering how one would go about configuring dovecot to
> invoke pam_setcred() from the same process as (or a parent process of)
> the process which eventually reads the user's mail off the disk.

Not easily. PAM lookups are done by the dovecot-auth process, which is completely different from the eventual imap/pop3 process.

> In particular, I'm trying to use dovecot with pam_krb5 (which
> associates a ticket cache with a specific pid) and pam_afs_session
> (which associates tokens with a specific process authentication group --
> roughly equivalent to a process and all its descendants).

Is it possible to authenticate first in one process and then do pam_setcred() in another? Then you could create e.g. a mail_executable wrapper or Dovecot plugin that calls pam_setcred() before dropping privileges.
Adam Megacz
2009-Jun-30 16:39 UTC
[Dovecot] configure dovecot to invoke pam_setcred() from the same process that accesses ~/Maildir?
Timo Sirainen <tss at iki.fi> writes:
> Not easily. PAM lookups are done by the dovecot-auth process, which is
> completely different from the eventual imap/pop3 process.

Yes, I know... I find that most unfortunate. This design creates security problems when the machine where the files are stored does not unconditionally trust the machine running dovecot (as, for example, in NFS).

>> In particular, I'm trying to use dovecot with pam_krb5 (which
>> associates a ticket cache with a specific pid) and pam_afs_session
>> (which associates tokens with a specific process authentication group --
>> roughly equivalent to a process and all its descendants).

> Is it possible to authenticate first in one process and then do
> pam_setcred() in another?

Only if one process is a parent of the other (or a parent of a parent, etc.). Or if they have a common parent which is unique to the connection (i.e. their common parent is not the parent of any other auth processes or connection-handling processes).

When dovecot is used in the mode where it forks a new authentication process for every connection, is the authentication process a child of the process which handles the rest of the connection, or vice versa? Or neither?

Thanks,

- a