From: Daniel J Walsh <dwalsh@redhat.com>
To: James Morris <jmorris@redhat.com>
Cc: Russell Coker <russell@coker.com.au>, SE Linux <selinux@tycho.nsa.gov>
Subject: Re: unix_chkpwd
Date: Fri, 14 Nov 2003 11:57:09 -0500
Message-ID: <3FB50965.4030207@redhat.com>
In-Reply-To: <Xine.LNX.4.44.0311140823320.21499-100000@thoron.boston.redhat.com>

James Morris wrote:

>On Fri, 14 Nov 2003, Russell Coker wrote:
>
>>We can do one of three things:
>>1)  dontaudit system_chkpwd_t inetd_t:fd use;
>>2)  Change sshd to use fcntl() before doing any PAM stuff.
>>3)  Put code in pam_unix.so to close all file handles after the fork().
>>
>>Which do you think is best?  2 seems most correct to me, but may be most
>>difficult to get accepted upstream.
>
>Yes, 2 seems correct to me as well, what objections would they have
>upstream?
>
>- James

I still think the safest thing is to manually close all sockets, since
this prevents the case where someone has opened a socket accidentally,
since you don't know where pam is going to be used.  The time it takes
to run 0-max open file descriptors is tiny.

Dan
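The two code-level options from the thread, side by side, as an added example that is not code from this thread, from sshd or from pam_unix: `set_cloexec()` is option 2 (mark a descriptor close-on-exec with fcntl() so execve() of the helper drops it), and `close_from()` is option 3 (in the forked child, close every descriptor from 3 up to the process limit before exec). A pipe created inside the program stands in for the inherited inetd socket; the function names, the `child_still_sees()` leak check and the fallback limit of 1024 are assumptions of this example.

```c
/* fd_hygiene.c: keep inherited descriptors (e.g. an inetd socket) out of a
 * privileged helper such as unix_chkpwd. Added example; the pipe below is a
 * constructed stand-in for a socket the parent happened to have open. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Option 2: mark one descriptor close-on-exec so execve() drops it.
 * Returns 0 on success, -1 on error (errno set by fcntl). */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    if (flags & FD_CLOEXEC) return 0;          /* already set */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Highest descriptor number worth trying, from the soft RLIMIT_NOFILE,
 * falling back to sysconf() and finally to 1024 (assumed fallback). */
long max_fd(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        return (long)rl.rlim_cur;
    long n = sysconf(_SC_OPEN_MAX);
    return n > 0 ? n : 1024;
}

/* Option 3: close every descriptor >= lowest; meant for the child after
 * fork(), before exec of the helper. Returns how many were actually open.
 * close() on an unused number just fails with EBADF, which is harmless. */
int close_from(int lowest) {
    long limit = max_fd();
    int closed = 0;
    for (long fd = lowest; fd < limit; fd++)
        if (close((int)fd) == 0) closed++;
    return closed;
}

/* 1 if fd refers to an open descriptor, 0 if not (EBADF). */
int fd_is_open(int fd) {
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Fork, run close_from(3) in the child, and report whether the child could
 * still see fd: 1 = still open (leak), 0 = closed, -1 = fork/wait error.
 * The parent's own descriptor table is untouched. */
int child_still_sees(int fd) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close_from(3);
        _exit(fd_is_open(fd) ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    int p[2];
    if (pipe(p) != 0) { perror("pipe"); return 1; }
    printf("pipe fds %d,%d are open in the parent\n", p[0], p[1]);
    printf("child after close_from(3) sees fd %d: %s\n", p[0],
           child_still_sees(p[0]) == 1 ? "open (leak)" : "closed");
    printf("parent still has fd %d open: %s\n", p[0],
           fd_is_open(p[0]) ? "yes" : "no");
    set_cloexec(p[1]);
    printf("fd %d marked FD_CLOEXEC: %s\n", p[1],
           (fcntl(p[1], F_GETFD) & FD_CLOEXEC) ? "yes" : "no");
    return 0;
}
```

Option 2 only protects descriptors the parent remembered to mark, which is why the reply above prefers option 3 for code that does not control its caller. The loop in `close_from()` is bounded by the descriptor limit, not by how many are open; newer Linux kernels offer close_range(2) for the same job in one call.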
