porting CCAPI to UNIX

Nicolas Williams Nicolas.Williams at sun.com
Tue May 8 13:01:16 EDT 2007

On Tue, May 08, 2007 at 12:46:19PM -0400, Ken Hornstein wrote:
> >Watch out:  closefrom(3C) on Solaris uses fdwalk(3C), which readdirs
> >/proc/self/fd/ to find open file descriptors.  I.e., lowering the fildes
> >limits does not protect file descriptors > the fildes limit against
> >closefrom(3C).
> I know about closefrom(), but so far it hasn't yet been a problem.  The
> real killers are the user's shell; right now the shells we use don't
> seem to care.  I don't expect to get away with this forever ... but if
> a vendor produces a better credential cache I have no problem switching
> to it; for example, I expect I will eventually switch to something that
> uses the Linux kernel keyrings.  We actually got SGI to patch their
> csh so it wouldn't close the magic descriptor.

You could use PAGs where available.  On Solaris task IDs come closest.

> >Also, how do you track which fildes is the magic fildes?  Do you just
> >add 1 to the fildes limit?
> KRB5CCNAME (which is set by login/telnetd/whatever) looks like this: PIPE:1023.

So you still depend on env vars.

More information about the krbdev mailing list