James Morris wrote:
> On Fri, 14 Nov 2003, Russell Coker wrote:
>
> > We can do one of three things:
> > 1)  dontaudit system_chkpwd_t inetd_t:fd use;
> > 2)  Change sshd to use fcntl() before doing any PAM stuff.
> > 3)  Put code in pam_unix.so to close all file handles after the fork().
> >
> > Which do you think is best?  2 seems most correct to me, but may be most
> > difficult to get accepted upstream.
>
> Yes, 2 seems correct to me as well; what objections would they have
> upstream?
>
> - James

I still think the safest thing is to manually close all sockets, since this prevents the case where someone has opened a socket accidentally, since you don't know where PAM is going to be used.  The time it takes to run from 0 to max open file descriptors is tiny.

Dan
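The two mechanisms being weighed above, option 2 (fcntl() with FD_CLOEXEC on the descriptor before the PAM call) and option 3 / Dan's close-everything loop in the forked child, side by side in a small C program. This is an added example, not code from the thread, from sshd or from pam_unix. It uses /bin/sh as a stand-in for the unix_chkpwd helper, starts the close loop at descriptor 3 so stdio survives (an assumption made here; the message says 0 to max), and the names pipe_pair, set_cloexec, close_fds_from and fd_survives_exec are chosen for this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Option 2: mark one descriptor close-on-exec, so the kernel drops it at
 * execve() without any cooperation from the child or the helper. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Option 3 / the close loop: in the forked child, walk every descriptor
 * number from lowfd up to the process limit and close it.  lowfd = 3 keeps
 * stdin/stdout/stderr (assumption for this example).  Returns how many
 * descriptors were actually open, which is the number that would otherwise
 * have leaked into the helper. */
int close_fds_from(int lowfd)
{
    struct rlimit rl;
    long maxfd = -1;

    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        maxfd = (long)rl.rlim_cur;
    if (maxfd <= 0)
        maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd <= 0)
        maxfd = 1024;               /* last-resort guess */

    int closed = 0;
    for (long fd = lowfd; fd < maxfd; fd++)
        if (close((int)fd) == 0)
            closed++;
    return closed;
}

/* A pipe whose write end plays the role of the inherited socket. */
int pipe_pair(int *rfd, int *wfd)
{
    int p[2];
    if (pipe(p) == -1)
        return -1;
    *rfd = p[0];
    *wfd = p[1];
    return 0;
}

/* Fork, optionally run the close loop in the child, then exec a helper
 * (/bin/sh standing in for unix_chkpwd) that tries to write to descriptor
 * fd.  The redirection ">&fd" only succeeds if fd is still open after
 * execve(), so the helper's exit status reveals whether the descriptor
 * leaked.  Returns 1 (leaked), 0 (not inherited), -1 (fork/wait error). */
int fd_survives_exec(int fd, int close_loop_first)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (close_loop_first)
            close_fds_from(3);
        char cmd[64];
        snprintf(cmd, sizeof cmd, "printf x >&%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    int r, w;
    if (pipe_pair(&r, &w) == -1)
        return 1;
    printf("plain fork+exec:          leaked=%d\n", fd_survives_exec(w, 0));
    set_cloexec(w);
    printf("with FD_CLOEXEC:          leaked=%d\n", fd_survives_exec(w, 0));
    close(r);
    close(w);
    if (pipe_pair(&r, &w) == -1)
        return 1;
    printf("with close loop in child: leaked=%d\n", fd_survives_exec(w, 1));
    return 0;
}
```

The difference the thread is arguing about is visible in where each fix lives: set_cloexec() has to be applied by sshd to the right descriptor before any PAM call, while close_fds_from() runs inside the forked child and needs no knowledge of which descriptors the caller left open. One caveat on the "tiny" cost of the loop: it scales with RLIMIT_NOFILE, which on current systems can be set far above the few thousand that were typical in 2003; Linux 5.9 and later offer close_range(2) to do the same sweep in one system call.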