a9ef7f8676
pam_namespace: Support noexec, nosuid and nodev flags for tmpfs mounts Drop tallylog and pam_tally documentation pam_faillock: Support local_users_only option pam_lastlog: Do not display failed attempts with PAM_SILENT flag pam_lastlog: Support unlimited option to override fsize limit pam_unix: Log if user authenticated without password pam_tty_audit: Improve manual page Optimize closing fds when spawning helpers Fix duplicate password verification in pam_authtok_verify()
71 lines
1.9 KiB
Diff
71 lines
1.9 KiB
Diff
diff -up Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c
|
|
--- Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing 2017-02-10 11:10:15.000000000 +0100
|
|
+++ Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c 2019-10-16 16:07:31.259021159 +0200
|
|
@@ -10,6 +10,7 @@
|
|
#include <fcntl.h>
|
|
#include <syslog.h>
|
|
#include <sys/resource.h>
|
|
+#include <dirent.h>
|
|
|
|
/*
|
|
* Creates a pipe, closes its write end, redirects fd to its read end.
|
|
@@ -116,27 +117,45 @@ redirect_out(pam_handle_t *pamh, enum pa
|
|
static void
|
|
close_fds(void)
|
|
{
|
|
+ DIR *dir = NULL;
|
|
+ struct dirent *dent;
|
|
+ int dfd = -1;
|
|
+ int fd;
|
|
+ struct rlimit rlim;
|
|
+
|
|
/*
|
|
* An arbitrary upper limit for the maximum file descriptor number
|
|
* returned by RLIMIT_NOFILE.
|
|
*/
|
|
- const int MAX_FD_NO = 65535;
|
|
+ const unsigned int MAX_FD_NO = 65535;
|
|
|
|
/* The lower limit is the same as for _POSIX_OPEN_MAX. */
|
|
- const int MIN_FD_NO = 20;
|
|
+ const unsigned int MIN_FD_NO = 20;
|
|
|
|
- int fd;
|
|
- struct rlimit rlim;
|
|
-
|
|
- if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
|
|
- fd = MAX_FD_NO;
|
|
- else if (rlim.rlim_max < MIN_FD_NO)
|
|
- fd = MIN_FD_NO;
|
|
- else
|
|
- fd = rlim.rlim_max - 1;
|
|
+ /* If /proc is mounted, we can optimize which fd can be closed. */
|
|
+ if ((dir = opendir("/proc/self/fd")) != NULL) {
|
|
+ if ((dfd = dirfd(dir)) >= 0) {
|
|
+ while ((dent = readdir(dir)) != NULL) {
|
|
+ fd = atoi(dent->d_name);
|
|
+ if (fd > STDERR_FILENO && fd != dfd)
|
|
+ close(fd);
|
|
+ }
|
|
+ }
|
|
+ closedir(dir);
|
|
+ }
|
|
+
|
|
+ /* If /proc isn't available, fallback to the previous behavior. */
|
|
+ if (dfd < 0) {
|
|
+ if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
|
|
+ fd = MAX_FD_NO;
|
|
+ else if (rlim.rlim_max < MIN_FD_NO)
|
|
+ fd = MIN_FD_NO;
|
|
+ else
|
|
+ fd = rlim.rlim_max - 1;
|
|
|
|
- for (; fd > STDERR_FILENO; --fd)
|
|
- close(fd);
|
|
+ for (; fd > STDERR_FILENO; --fd)
|
|
+ close(fd);
|
|
+ }
|
|
}
|
|
|
|
int
|