/[smeserver]/rpms/dovecot/sme7/dovecot-1.0.rc2-pam-setcred.patch
ViewVC logotype

Annotation of /rpms/dovecot/sme7/dovecot-1.0.rc2-pam-setcred.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Tue Jun 12 15:07:20 2007 UTC (17 years ago) by slords
Branch: MAIN
CVS Tags: dovecot-1_0-1_2_rc15_el4_sme, dovecot-1_0_7-2_el4_sme, HEAD
Import on branch sme7 of package dovecot-1.0-1.2.rc15.el4.sme.src.rpm

1 slords 1.1 --- dovecot-1.0.rc2/src/auth/passdb-pam.c.pam-setcred 2006-07-13 11:59:00.000000000 +0200
2     +++ dovecot-1.0.rc2/src/auth/passdb-pam.c 2006-07-13 12:03:41.000000000 +0200
3     @@ -187,6 +187,30 @@
4     }
5    
6     #ifdef HAVE_PAM_SETCRED
7     +#if 0
8     +/*
9     + * This is to fix a bug where dovecot was leaving a lot of temporary
10     + * kerberos tickets around and filling up disk space. If
11     + * pam_setcred(pamh, PAM_ESTABLISH_CRED) is called, which creates the
12     + * ticket, then a matching pam_setcred(pamh, PAM_DELETE_CRED) also
13     + * needs to be called to clean the ticket up. But the only reason to
14     + * have a cached ticket on disk is if the service is going to perform
15     + * some action during the session that requires access to the ticket
16     + * for validation. This implies the pam session is being held open,
17     + * which would be more typical pam usage. But the usage here is to
18     + * close the pam session immediately after authenticating the user
19     + * with pam_end, thus there is no benefit to creating the disk copy of
20     + * the ticket. So rather than finding all the early returns before
21     + * pam_end is invoked and adding pam_setcred(pamh, PAM_DELETE_CRED) to
22     + * each it is more sensible to not create the ticket in the first
23     + * place if we're not going to use it and thus not have to worry about
24     + * the clean up. Note the way the code is currently structured, with
25     + * an immediate call to pam_end() after authentication it implies the
26     + * code probably won't work with a file system like AFS which uses the
27     + * ticket for file system permissions, but restructuring the code for
28     + * this case is beyond the needs of fixing the aforementioned bug.
29     + * John Dennis <jdennis@redhat.com>
30     + */
31     if (module->pam_setcred) {
32     if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) !=
33     PAM_SUCCESS) {
34     @@ -196,6 +220,7 @@
35     }
36     }
37     #endif
38     +#endif
39    
40     if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
41     *error = t_strdup_printf("pam_acct_mgmt() failed: %s",

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed