file handle exhaustion with openvpn and pam_ldap
Andreas Metzler
ametzler at downhill.at.eu.org
Tue Oct 27 20:10:53 CET 2009
On 2009-10-26 Werner Koch <wk at gnupg.org> wrote:
> On Mon, 26 Oct 2009 13:17, ametzler at downhill.at.eu.org said:
> > * This issue cannot be fixed in gcrypt itself (and therefore will not
> > be fixed).
> Well, this fix is not that easy. The open file descriptor is just one
> sign that the process has not really been terminated. Sure, it is possible
> to do that but it is quite some work for a rare use case.
> > * The way dlopen works on $OS would need to be changed (I guess on
> > Linux this would be glibc.)
> Frankly, I doubt that this will be possible on Unix. A process is a
> fundamental resource and tweaking it to behave similar to an independent
> process but not really is a bit weird.
Hello,
thanks for the clarification. So it is basically the other way round
than I understood it. The issue *might* be fixed in libgcrypt, but is
hard.
"but it is quite some work for a rare use case"
It possibly breaks every pam or nsswitch module that uses GnuTLS. In
Debian this includes some of the popular ones (e.g. samba, ldap,
postgresql). I do not claim that pam/nss is a brilliant design,
especially due to dlopen problems like this one, but it is not that
unpopular.
cu andreas
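The thread above describes a descriptor that survives dlclose of a PAM/NSS module because the library the module pulls in is never really torn down. The harness below is an added example for reproducing that symptom, written for this page rather than taken from the thread, libgcrypt or any of the modules named in it. It counts open descriptors via /proc/self/fd (assumed Linux; /dev/fd is used as a fallback), runs a number of dlopen/dlclose round trips on a library, and reports the net growth. The libc library used as the default target and the constructed `leaky_init` hook (which opens os.devnull and never closes it, standing in for a library that opens a descriptor at initialisation and whose cleanup is not run on dlclose) are assumptions made for the example; `dlclose` is looked up in libc first and libdl.so.2 second, since its location differs between glibc versions.

```python
import ctypes
import ctypes.util
import os
import sys

# Directory whose entries are the process's open descriptors (Linux first,
# /dev/fd as a fallback on other Unixes that provide it).
FD_DIR = "/proc/self/fd" if os.path.isdir("/proc/self/fd") else "/dev/fd"

# Stand-in target for the demonstration: the C library is always loadable and
# leaks nothing across dlopen/dlclose, so it gives a clean baseline (assumption).
DEFAULT_LIBRARY = ctypes.util.find_library("c")

# Descriptors opened by the constructed leaky_init below, kept so the
# example can clean up after itself.
LEAKED = []


def count_open_fds():
    """Return the number of descriptors currently open in this process.

    os.listdir opens and closes a directory fd of its own, so every call
    carries the same constant offset and differences between calls are exact.
    """
    return len(os.listdir(FD_DIR))


def _find_dlclose():
    """Locate dlclose(): in libc on glibc >= 2.34, in libdl.so.2 on older glibc."""
    for name in (None, "libdl.so.2"):
        try:
            fn = ctypes.CDLL(name).dlclose
        except (OSError, AttributeError):
            continue
        fn.argtypes = [ctypes.c_void_p]
        fn.restype = ctypes.c_int
        return fn
    raise OSError("dlclose() not found in libc or libdl.so.2")


def fd_growth_after_cycles(library, cycles=10, init=None):
    """Net change in open descriptors after `cycles` dlopen/dlclose round trips.

    `init`, if given, is called with the loaded library each cycle so the
    caller can trigger the module's own initialisation (whatever opens the
    descriptor in the real case). A result of 0 means nothing is retained;
    a result equal to `cycles` means one descriptor survives every dlclose.
    """
    dlclose = _find_dlclose()
    before = count_open_fds()
    for _ in range(cycles):
        handle = ctypes.CDLL(library)   # dlopen(3)
        if init is not None:
            init(handle)
        rc = dlclose(handle._handle)    # dlclose(3); ctypes itself never unloads
        del handle                      # the CDLL object is now dangling
        if rc != 0:
            raise OSError(f"dlclose() failed for {library!r}")
    return count_open_fds() - before


def leaky_init(_handle):
    """Constructed stand-in for a library that opens a descriptor at init and
    has no cleanup run on dlclose: one descriptor escapes per cycle."""
    LEAKED.append(os.open(os.devnull, os.O_RDONLY))


def close_leaked():
    """Close everything leaky_init opened; returns how many were closed."""
    n = len(LEAKED)
    while LEAKED:
        os.close(LEAKED.pop())
    return n


if __name__ == "__main__":
    # Usage: python3 fdleak.py /path/to/module.so [cycles]
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_LIBRARY
    n = int(sys.argv[2]) if len(sys.argv) > 2 else 10
    print(f"{target}: {fd_growth_after_cycles(target, n)} descriptor(s) retained "
          f"after {n} dlopen/dlclose cycles")
```

Run it against the module under suspicion (for instance the PAM module the subject line names) and compare the growth against the cycle count; a module that merely loads and unloads cleanly reports 0, while one that retains a descriptor per load reports a number that scales with the cycles, which is the pattern that eventually exhausts the descriptor table of a long-running daemon that re-authenticates many times. Note that a dlclose is only a real unload when the library's reference count drops to zero; a library that is also linked into the host process, or loaded with RTLD_NODELETE, is never unmapped, so the check has to be run in a process that resembles the real host.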
More information about the Gcrypt-devel mailing list