diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c --- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 +++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c 2012-08-17 13:25:20.684075361 +0200 @@ -133,13 +133,21 @@ create_homedir (pam_handle_t *pamh, opti if (child == 0) { int i; struct rlimit rlim; + int dummyfds[2]; static char *envp[] = { NULL }; char *args[] = { NULL, NULL, NULL, NULL, NULL }; + /* replace std file descriptors with a dummy pipe */ + if (pipe(dummyfds) == 0) { + dup2(dummyfds[0], STDIN_FILENO); + dup2(dummyfds[1], STDOUT_FILENO); + dup2(dummyfds[1], STDERR_FILENO); + } + if (getrlimit(RLIMIT_NOFILE, &rlim)==0) { if (rlim.rlim_max >= MAX_FD_NO) rlim.rlim_max = MAX_FD_NO; - for (i=0; i < (int)rlim.rlim_max; i++) { + for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { close(i); } } diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c --- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 +++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c 2012-08-17 13:22:51.664560481 +0200 @@ -105,16 +105,18 @@ int _unix_run_verify_binary(pam_handle_t /* reopen stdout as pipe */ dup2(fds[1], STDOUT_FILENO); + /* and replace also the stdin, stderr so we do not exec the helper with + tty as stdin, it will not read anything from there anyway */ + dup2(fds[0], STDIN_FILENO); + dup2(fds[1], STDERR_FILENO); /* XXX - should really tidy up PAM here too */ if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { if (rlim.rlim_max >= MAX_FD_NO) rlim.rlim_max = MAX_FD_NO; - for (i=0; i < (int)rlim.rlim_max; i++) { - if (i != STDOUT_FILENO) { - close(i); - } + for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { + close(i); } } diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c --- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 +++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c 2012-08-17 14:10:38.917346789 +0200 @@ -210,13 +210,16 @@ static int _unix_run_update_binary(pam_h /* reopen stdin as pipe */ dup2(fds[0], STDIN_FILENO); + /* and replace also the stdout/err as the helper will + not write anything there */ + dup2(fds[1], STDOUT_FILENO); + dup2(fds[1], STDERR_FILENO); if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { if (rlim.rlim_max >= MAX_FD_NO) rlim.rlim_max = MAX_FD_NO; - for (i=0; i < (int)rlim.rlim_max; i++) { - if (i != STDIN_FILENO) - close(i); + for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { + close(i); } } diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c --- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 +++ Linux-PAM-1.1.6/modules/pam_unix/support.c 2012-08-17 14:12:10.833511475 +0200 @@ -469,13 +469,16 @@ static int _unix_run_helper_binary(pam_h /* reopen stdin as pipe */ dup2(fds[0], STDIN_FILENO); + /* and replace also the stdout/err as the helper will + not write anything there */ + dup2(fds[1], STDOUT_FILENO); + dup2(fds[1], STDERR_FILENO); if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { if (rlim.rlim_max >= MAX_FD_NO) rlim.rlim_max = MAX_FD_NO; - for (i=0; i < (int)rlim.rlim_max; i++) { - if (i != STDIN_FILENO) - close(i); + for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { + close(i); } }