porting CCAPI to UNIX

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue May 8 12:46:19 EDT 2007

>Watch out:  closefrom(3C) on Solaris uses fdwalk(3C), which readdirs
>/proc/self/fd/ to find open file descriptors.  I.e., lowering the fildes
>limits does not protect file descriptors > the fildes limit against

I know about closefrom(), but so far it hasn't yet been a problem.  The
real killers are the user's shell; right now the shells we use don't
seem to care.  I don't expect to get away with this forever ... but if
a vendor produces a better credential cache I have no problem switching
to it; for example, I expect I will eventually switch to something that
uses the Linux kernel keyrings.  We actually got SGI to patch their
csh so it wouldn't close the magic descriptor.

>Also, how do you track which fildes is the magic fildes?  Do you just
>add 1 to the fildes limit?

KRB5CCNAME (which is set by login/telnetd/whatever) looks like this: PIPE:1023.


More information about the krbdev mailing list