On 04/23/2012 01:08 PM, Sam Varshavchik wrote:
> Stefan Hornburg (Racke) writes:
>> I received a Debian bug report from Russ Allbery on Courier's authlib.
>> Maybe someone can shed some light on this, as I have very little understanding
>> of PAM internals and authlib.
> Heh, although it may very well be that a call to pam_end() is needed, the very next thing that happens is an exit().
> If some resource is leaking, even though the process has terminated, that's a bug or a design flaw in the way that the PAM library goes about doing its business. Any process can get SIGKILLed at any time; one cannot depend on a tapdance routine always finishing its script.
OK, Russ replied to that:
The assumption that all resources allocated by a PAM module can be made
process resources is unfortunately not correct (as much as I wish that it
were). Due to a variety of reasons mostly related to how OpenSSH works
with privilege separation enabled, any Kerberos PAM module has to stash
the initial tickets in an external resource outside of the PAM library
data because the PAM library data is not preserved by OpenSSH between the
auth step and the session step. (Mine uses a temporary disk ticket cache;
Red Hat's uses a shared memory segment.) That external resource won't be
cleaned up properly without a pam_end call.

The lack of pam_end will also affect other PAM modules that change
external system state, such as pam_mount, although they're probably less
likely to be called in the context of Courier.

Of course, if there's a better way of handling the PAM authentication
inside ssh with privilege separation such that the temporary disk ticket
cache isn't required, I'm all ears -- I've always considered it a bit of a
hack (although less of one than using shared memory segments), and I'd
love to replace it with something else. I've just never been able to find
a better solution.
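
A small model of the point in the reply quoted above, added here as an example and not code from Courier, authlib or any PAM module: a child process creates a temporary file standing in for a disk ticket cache, exits with or without running its cleanup, and the parent checks whether the file outlived it. The file name and the functions `module_cleanup` and `cache_survives_exit` are hypothetical; `module_cleanup` stands in for the work a module does when the application calls pam_end().

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a module's external state: a disk ticket cache. */
static char cache_path[64];

/* Hypothetical stand-in for the cleanup a module performs from pam_end(). */
static void module_cleanup(void) { if (cache_path[0]) unlink(cache_path); }

/* Child creates the cache, optionally cleans up, then exits.
 * Returns 1 if the file outlives the process, 0 if it was removed, -1 on error. */
int cache_survives_exit(int call_cleanup)
{
    int fds[2], status;
    char path[64] = {0};
    struct stat st;

    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* the authenticating process */
        close(fds[0]);
        strcpy(cache_path, "/tmp/krb5cc_demo_XXXXXX");   /* constructed name */
        int fd = mkstemp(cache_path);
        if (fd < 0) _exit(2);
        if (write(fd, "constructed ticket data", 23) < 0) _exit(2);
        close(fd);
        /* Tell the parent where the cache is so it can inspect it later. */
        if (write(fds[1], cache_path, strlen(cache_path)) < 0) _exit(2);
        if (call_cleanup) module_cleanup();
        _exit(0);                        /* the kernel frees memory and fds, not files */
    }
    close(fds[1]);
    ssize_t n = read(fds[0], path, sizeof path - 1);
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || n <= 0) return -1;

    int survives = (stat(path, &st) == 0);
    if (survives) unlink(path);          /* keep the demo from littering /tmp */
    return survives;
}

int main(void)
{
    printf("exit without cleanup: cache left behind = %d\n", cache_survives_exit(0));
    printf("cleanup before exit:  cache left behind = %d\n", cache_survives_exit(1));
    return 0;
}
```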