Thoughts on initial ticket acquisition/verification on Sun (slightly OT)

Russ Allbery rra at
Fri Nov 18 00:26:12 EST 2005

Frank Cusack <fcusack at> writes:
> Frank Cusack <fcusack at> wrote:
>> Frank Cusack <fcusack at> wrote:

>>> It seems unlikely to me that Sun LDAP 5.2 uses a fork/exec model, so
>>> you should verify that the Sun LDAP 5.2 server does not leak these
>>> before going the PAM route.  Running the LDAP server with libumem
>>> might be able to show leaks.

>> But come to think of it, the PAM functionality must already be present
>> and therefore tested, so it seems like it should be ok.

> And I just looked at Solaris 10 PAM source and I see it's fine.  I guess
> it's just my module that is leaky.

It is, unfortunately, extremely difficult to avoid all leaks in PAM and
still work everywhere.  There are places where, if you free memory that
you have to free to avoid leaks on some platforms or software packages,
you get crashes and double frees on other platforms or software packages.
The PAM specification never nailed the interface down in sufficient
detail and not everyone implements quite the same specification.

Russ Allbery (rra at             <>

More information about the krbdev mailing list