Bug 1564348 - PAM authentication no longer working with dovecot 2.3.1 (patch included)
Summary: PAM authentication no longer working with dovecot 2.3.1 (patch included)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: dovecot
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Michal Hlavinka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-06 03:16 UTC by Helmut K. C. Tessarek
Modified: 2018-08-14 08:11 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-13 15:46:54 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
%patch11 for spec file (727 bytes, patch)
2018-04-06 03:16 UTC, Helmut K. C. Tessarek 		no flags Details | Diff
View All

Description Helmut K. C. Tessarek 2018-04-06 03:16:31 UTC 
Created attachment 1417937 [details]
%patch11 for spec file

After upgrading to 2.3.x, PAM authentication stopped working:

Error in system's security log:

PAM audit_log_acct_message() failed: Operation not permitted

Error in dovecot.log:

auth-worker(*REMOVED*): Info: pam(*REMOVED*): pam_authenticate() failed: System error

Removing NoNewPrivileges=true and adding CAP_AUDIT_WRITE to CapabilityBoundingSet fixes this error.

It seems the option NoNewPrivileges=true is not only a problem for apparmor, but also for PAM.

see also: https://github.com/dovecot/core/pull/71

I've attached a patch that can be used as %patch11 in the spec file.
Comment 1 Michal Hlavinka 2018-08-13 15:46:54 UTC 
this change should be already included
Comment 2 Helmut K. C. Tessarek 2018-08-13 15:57:21 UTC 
No, it isn't. At least not in 2.3.1. They finally fixed that in 2.3.2.
Comment 3 Michal Hlavinka 2018-08-14 08:11:27 UTC 
rawhide contains dovecot 2.3.2.1
Note You need to log in before you can comment on or make changes to this bug.