I've found the problem...
authlib/authpam.c doesn't call pam_acct_mgmt, meaning that no check is
performed on whether the user should actually be permitted access. This also
means that the problem lies with courier-authdaemon rather than
courier-imap(-ssl).
For an explanation of pam_acct_mgmt, see:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html
"This function is typically called after the user has been
authenticated. It establishes whether the user's account is healthy.
That is to say, whether the user's account is still active and whether
the user is permitted to gain access to the system at this time."
See also the example app at:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-8.html
I've included a patch which fixes the problem by restoring the
pam_acct_mgmt call. I've built courier-authdaemon with this patch
applied and verified that it does indeed fix the problem and it seems to
have no side effects.
I hope that a fixed version can be included in sarge as soon as possible
since this could potentially be a security issue (e.g. if the account
has been disabled, access would still be granted).
Re,
David Härdeman
--- courier-0.47/authlib/authpam.c.old 2005-10-27 20:12:40.000000000 +0200
+++ courier-0.47/authlib/authpam.c 2005-10-27 22:04:34.000000000 +0200
@@ -124,13 +124,14 @@
if (retval != PAM_SUCCESS) dprintf("pam_setcred failed, result
%d", retval);
}
#endif
+#endif
if (retval == PAM_SUCCESS)
{
retval=pam_acct_mgmt(*pamh, 0);
if (retval != PAM_SUCCESS) dprintf("pam_acct_mgmt failed,
result %d", retval);
}
-#endif
+
if (retval == PAM_SUCCESS)
dprintf("dopam successful");
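Review bot: the restored pam_acct_mgmt() call is only lifted out of the #if/#endif block (the `+#endif` moves up, the `-#endif` below it goes away), but it still runs after the pam_setcred() call visible at the top of the hunk, so credentials are established before the account has been checked; the Linux-PAM application sequence is pam_authenticate, then pam_acct_mgmt, then pam_setcred, so consider moving the `if (retval == PAM_SUCCESS) { retval=pam_acct_mgmt(*pamh, 0); ... }` block above the pam_setcred block as well. The failure path only dprintf()s the result code, which is fine as long as the non-PAM_SUCCESS retval is what the caller sees; the final `if (retval == PAM_SUCCESS) dprintf("dopam successful");` suggests it is, but that should be confirmed against the lines after this hunk.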