pam application doesn't release sockets

Evgeny Tarasov etarasov.ekb at gmail.com
Thu Jan 27 18:11:44 UTC 2011 

Thank you for your response, Pavel !
> Sockets? Most of those open descriptors are *pipes*.
That's right. There is a socket and few pipes open for each 
authentication attempt.
> What have you got in your /etc/pam.d/check_user?
> Those two (significant) lines? Anything else?
Actually, the file contains
auth include system-auth
account include system-auth

And there is /etc/pam.d/system-auth (default in fedora 13) :
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass 
use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond 
quiet use_uid
session required pam_unix.so

I filled /etc/pam.d/check_user as it described in source comments and 
now the program works much more better! There is no any open sockets, 
pipes or other unwanted descriptors.
So I have another question:
How to properly configure pam authentication for a program in the same 
way as in a system? Regardless of whether it is pam_ldap or pam_unix.
> Find out what opens those descriptors. Run your progrem under strace.
> Run it under gdb and set a breakpoint at pipe() (or socket()?)
I'm not very experienced in linux programming, so I'll try to do this later.
Another challenge I'll try to solve is find the cause of memory leak 
(valgrind --leak-check=full):
==20782==
==20782== HEAP SUMMARY:
==20782== in use at exit: 34 bytes in 2 blocks
==20782== total heap usage: 20,170 allocs, 20,168 frees, 7,355,050 bytes 
allocated
==20782==
==20782== 34 bytes in 2 blocks are definitely lost in loss record 1 of 1
==20782== at 0x4005BDC: malloc (vg_replace_malloc.c:195)
==20782== by 0xA8107E: local_strdup (in /lib/ld-2.12.2.so)
==20782== by 0xA842CB: _dl_map_object (in /lib/ld-2.12.2.so)
==20782== by 0xA8EE5D: dl_open_worker (in /lib/ld-2.12.2.so)
==20782== by 0xA8A975: _dl_catch_error (in /lib/ld-2.12.2.so)
==20782== by 0xA8E945: _dl_open (in /lib/ld-2.12.2.so)
==20782== by 0xC57C3A: dlopen_doit (in /lib/libdl-2.12.2.so)
==20782== by 0xA8A975: _dl_catch_error (in /lib/ld-2.12.2.so)
==20782== by 0xC5803B: _dlerror_run (in /lib/libdl-2.12.2.so)
==20782== by 0xC57B70: dlopen@@GLIBC_2.1 (in /lib/libdl-2.12.2.so)
==20782== by 0x712143C: ??? (in /lib/libfreebl3.so)
==20782== by 0x712255F: NSSLOW_Init (in /lib/libfreebl3.so)
==20782==
==20782== LEAK SUMMARY:
==20782== definitely lost: 34 bytes in 2 blocks
==20782== indirectly lost: 0 bytes in 0 blocks
==20782== possibly lost: 0 bytes in 0 blocks
==20782== still reachable: 0 bytes in 0 blocks
==20782== suppressed: 0 bytes in 0 blocks
==20782==

Best regards, Evgeny Tarasov

More information about the Pam-list mailing list