Thoughts on initial ticket acquisition/verification on Sun (slightly OT)
rra at stanford.edu
Fri Nov 18 00:26:12 EST 2005
Frank Cusack <fcusack at fcusack.com> writes:
> Frank Cusack <fcusack at fcusack.com> wrote:
>> Frank Cusack <fcusack at fcusack.com> wrote:
>>> It seems unlikely to me that Sun LDAP 5.2 uses a fork/exec model, so
>>> you should verify that the Sun LDAP 5.2 server does not leak these
>>> before going the PAM route. Running the LDAP server with libumem
>>> might be able to show leaks.
>> But come to think of it, the PAM functionality must already be present
>> and therefore tested, so it seems like it should be ok.
> And I just looked at Solaris 10 PAM source and I see it's fine. I guess
> it's just my module that is leaky.
It is, unfortunately, extremely difficult to avoid all leaks in PAM and
still work everywhere. There are places where, if you free memory that
you have to free to avoid leaks on some platforms or software packages,
you get crashes and double frees on other platforms or software packages.
The PAM specification never nailed the interface down in sufficient
detail and not everyone implements quite the same specification.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev