porting CCAPI to UNIX
Ken Hornstein
kenh at cmf.nrl.navy.mil
Tue May 8 12:46:19 EDT 2007
>Watch out: closefrom(3C) on Solaris uses fdwalk(3C), which readdirs
>/proc/self/fd/ to find open file descriptors. I.e., lowering the fildes
>limits does not protect file descriptors > the fildes limit against
>closefrom(3C).

I know about closefrom(), but so far it hasn't yet been a problem. The
real killers are the user's shell; right now the shells we use don't
seem to care. I don't expect to get away with this forever ... but if
a vendor produces a better credential cache I have no problem switching
to it; for example, I expect I will eventually switch to something that
uses the Linux kernel keyrings. We actually got SGI to patch their
csh so it wouldn't close the magic descriptor.

>Also, how do you track which fildes is the magic fildes? Do you just
>add 1 to the fildes limit?

KRB5CCNAME (which is set by login/telnetd/whatever) looks like this: PIPE:1023.

--Ken
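
The behaviour discussed in this thread, as an added example that is not part of the original message or of the code it describes: a descriptor parked at the soft RLIMIT_NOFILE stays open and is missed by a sweep bounded by that limit, but a walk of /proc/self/fd still lists it. The number 1023 comes from the PIPE:1023 value above; lowering the soft limit to exactly that number, the function names, and a Linux-style /proc are assumptions of the example.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <unistd.h>

/* Park /dev/null on descriptor `magic`, then lower the soft limit to `magic`
 * so the descriptor sits at the limit (assumed setup). Returns 0 on success. */
int hide_above_limit(int magic)
{
    struct rlimit rl;
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0 || dup2(fd, magic) < 0) return -1;
    if (fd != magic) close(fd);
    if (getrlimit(RLIMIT_NOFILE, &rl) < 0) return -1;
    rl.rlim_cur = (rlim_t)magic;      /* new descriptors: 0..magic-1 only */
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* "Close everything" loop bounded by the soft limit: does it visit target? */
int limit_sweep_reaches(int target)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) < 0) return -1;
    return target >= 3 && (rlim_t)target < rl.rlim_cur;
}

/* Directory walk in the style the quoted text attributes to fdwalk(3C):
 * list /proc/self/fd and report whether target appears. */
int proc_walk_reaches(int target)
{
    DIR *d = opendir("/proc/self/fd");
    struct dirent *e;
    int found = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL)
        if (e->d_name[0] != '.' && atoi(e->d_name) == target) found = 1;
    closedir(d);
    return found;
}

int main(void)
{
    int magic = 1023;                 /* from the PIPE:1023 example */
    if (hide_above_limit(magic) != 0) { perror("setup"); return 1; }
    printf("open=%d limit_sweep=%d proc_walk=%d\n", fcntl(magic, F_GETFD) != -1,
           limit_sweep_reaches(magic), proc_walk_reaches(magic));
    return 0;
}
```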