dovecot/sme7/dovecot-1.0.rc2-pam-setcred.patch

--- dovecot-1.0.rc2/src/auth/passdb-pam.c.pam-setcred   2006-07-13 11:59:00.000000000 +0200
+++ dovecot-1.0.rc2/src/auth/passdb-pam.c       2006-07-13 12:03:41.000000000 +0200
@@ -187,6 +187,30 @@
        }
 
 #ifdef HAVE_PAM_SETCRED
+#if 0
+/*
+ * This is to fix a bug where dovecot was leaving a lot of temporary
+ * kerberos tickets around and filling up disk space.  If
+ * pam_setcred(pamh, PAM_ESTABLISH_CRED) is called, which creates the
+ * ticket, then a matching pam_setcred(pamh, PAM_DELETE_CRED) also
+ * needs to be called to clean the ticket up. But the only reason to
+ * have a cached ticket on disk is if the service is going to perform
+ * some action during the session that requires access to the ticket
+ * for validation. This implies the pam session is being held open,
+ * which would be more typical pam usage. But the usage here is to
+ * close the pam session immediately after authenticating the user
+ * with pam_end, thus there is no benefit to creating the disk copy of
+ * the ticket. So rather than finding all the early returns before
+ * pam_end is invoked and adding pam_setcred(pamh, PAM_DELETE_CRED) to
+ * each it is more sensible to not create the ticket in the first
+ * place if we're not going to use it and thus not have to worry about
+ * the clean up. Note the way the code is currently structured, with
+ * an immediate call to pam_end() after authentication it implies the
+ * code probably won't work with a file system like AFS which uses the
+ * ticket for file system permissions, but restructuring the code for
+ * this case is beyond the needs of fixing the aforementioned bug.
+ * John Dennis <jdennis@redhat.com>
+ */
        if (module->pam_setcred) {
                if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) !=
                    PAM_SUCCESS) {
@@ -196,6 +220,7 @@
                }
        }
 #endif
+#endif
 
        if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
                *error = t_strdup_printf("pam_acct_mgmt() failed: %s",
1	slords	1.1	--- dovecot-1.0.rc2/src/auth/passdb-pam.c.pam-setcred 2006-07-13 11:59:00.000000000 +0200
2			+++ dovecot-1.0.rc2/src/auth/passdb-pam.c 2006-07-13 12:03:41.000000000 +0200
3			@@ -187,6 +187,30 @@
4			}
5
6			#ifdef HAVE_PAM_SETCRED
7			+#if 0
8			+/*
9			+ * This is to fix a bug where dovecot was leaving a lot of temporary
10			+ * kerberos tickets around and filling up disk space. If
11			+ * pam_setcred(pamh, PAM_ESTABLISH_CRED) is called, which creates the
12			+ * ticket, then a matching pam_setcred(pamh, PAM_DELETE_CRED) also
13			+ * needs to be called to clean the ticket up. But the only reason to
14			+ * have a cached ticket on disk is if the service is going to perform
15			+ * some action during the session that requires access to the ticket
16			+ * for validation. This implies the pam session is being held open,
17			+ * which would be more typical pam usage. But the usage here is to
18			+ * close the pam session immediately after authenticating the user
19			+ * with pam_end, thus there is no benefit to creating the disk copy of
20			+ * the ticket. So rather than finding all the early returns before
21			+ * pam_end is invoked and adding pam_setcred(pamh, PAM_DELETE_CRED) to
22			+ * each it is more sensible to not create the ticket in the first
23			+ * place if we're not going to use it and thus not have to worry about
24			+ * the clean up. Note the way the code is currently structured, with
25			+ * an immediate call to pam_end() after authentication it implies the
26			+ * code probably won't work with a file system like AFS which uses the
27			+ * ticket for file system permissions, but restructuring the code for
28			+ * this case is beyond the needs of fixing the aforementioned bug.
29			+ * John Dennis <jdennis@redhat.com>
30			+ */
31			if (module->pam_setcred) {
32			if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) !=
33			PAM_SUCCESS) {
34			@@ -196,6 +220,7 @@
35			}
36			}
37			#endif
38			+#endif
39
40			if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
41			*error = t_strdup_printf("pam_acct_mgmt() failed: %s",