From b7a37362d332421f085ef5ab1fa24681289e7065 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Wed, 11 Sep 2024 08:00:00 +0000
Subject: pam_filter: close unused file descriptors

When creating a socket pipe for communication between the parent and the child process, each of these two processes should keep just one of these socket pipe descriptors.
---
modules/pam_filter/pam_filter.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'modules')
diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c
index 3b0913dd..84d59303 100644
--- a/modules/pam_filter/pam_filter.c
+++ b/modules/pam_filter/pam_filter.c
@@ -370,7 +370,8 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, } } else { - /* nothing to do for a simple stream socket */ + /* nothing else to do for a simple stream socket */ + close(fd[0]); }
@@ -405,6 +406,9 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, return PAM_SUCCESS; } + if (!aterminal) + close(fd[1]); + /* Clear out passwords... there is a security problem here in * that this process never executes pam_end. Consequently, any * other sensitive data in this process is *not* explicitly
-- cgit v1.2.3
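Review bot: The comment kept in the first hunk (`@@ -370,7 +370,8`) now says "nothing else to do for a simple stream socket" while sitting directly above the only statement in that branch, and it does not say which end of the pair is being dropped or why. A comment that records the ownership rule would serve the next reader better, for example `/* simple stream socket: this side keeps only fd[1], so drop the peer's end */`. Which process runs this branch is not visible here, because set_filter begins and ends outside the hunk, so the wording should be confirmed against the surrounding fork logic.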
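Review bot: The `if (!aterminal)` guard on `close(fd[1])` in the second hunk (`@@ -405,6 +406,9`) carries no explanation, so nothing stops a later cleanup from making the close unconditional. Presumably fd[1] is a valid descriptor in this process only when the pair came from the socket path; that should be stated next to the guard, for example `/* socket pipe only: fd[1] is the peer's end; in the terminal case it is not open in this process */`, after confirming it against the pty setup outside the hunk. The same comment could note that holding the peer's end open would keep this process from seeing EOF on fd[0] once the peer exits, which matters here because the context lines below say this process never runs pam_end. set_filter continues past the end of the hunk.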