file handle exhaustion with openvpn and pam_ldap

Andreas Metzler ametzler at
Tue Oct 27 20:10:53 CET 2009

On 2009-10-26 Werner Koch <wk at> wrote:
> On Mon, 26 Oct 2009 13:17, ametzler at said:

> > * This issue cannot be fixed in gcrypt itself (and therefore will not
> >   be fixed).

> Well, this is fix not that easy.  The open file descriptor is just one
> sign thatthe process has not really be terminated.  Sure, it is possible
> to do that but it is quite some work for a rare use case.

> > * The way dlopen works on $OS would need to be changed (I guess on
> >   Linux this would be glibc.)

> Frankly, I doubt that this will be possible on Unix.  A process is a
> fundamental resource and tweaking it to behave similar to an independant
> process but not really is a bit weird.


thanks for the clarification. So it is basically the other way round
than I understood it. The issue *might* be fixed in libgcrypt, but is

"but it is quite some work for a rare use case"

It possibly breaks every pam or nsswitch modules that uses GnuTLS. In
Debian this includes some of the popular ones (e.g. samba, ldap
postgresql). I do not claim that pam/nss is a brilliant design
especially due to dlopen problems like this one but it is not that

cu andreas

More information about the Gcrypt-devel mailing list