porting CCAPI to UNIX
Nicolas Williams
Nicolas.Williams at sun.com
Tue May 8 13:01:16 EDT 2007
On Tue, May 08, 2007 at 12:46:19PM -0400, Ken Hornstein wrote:
> >Watch out: closefrom(3C) on Solaris uses fdwalk(3C), which readdirs
> >/proc/self/fd/ to find open file descriptors. I.e., lowering the fildes
> >limits does not protect file descriptors > the fildes limit against
> >closefrom(3C).
>
> I know about closefrom(), but so far it hasn't yet been a problem. The
> real killers are the user's shell; right now the shells we use don't
> seem to care. I don't expect to get away with this forever ... but if
> a vendor produces a better credential cache I have no problem switching
> to it; for example, I expect I will eventually switch to something that
> uses the Linux kernel keyrings. We actually got SGI to patch their
> csh so it wouldn't close the magic descriptor.
You could use PAGs where available. On Solaris task IDs come closest.
> >Also, how do you track which fildes is the magic fildes? Do you just
> >add 1 to the fildes limit?
>
> KRB5CCNAME (which is set by login/telnetd/whatever) looks like this: PIPE:1023.
So you still depend on env vars.
More information about the krbdev
mailing list