Bug 727041

Summary: sssd_pam leaks file descriptors.
Product: Red Hat Enterprise Linux 6 Reporter: RHEL Program Management <pm-rhel>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.1CC: benl, dpal, grajaiya, jeffschroeder, jgalipea, jwest, kbanerje, msvoboda, pm-eus, prc, sgallagh
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.5.1-34.el6_1.3 Doc Type: Bug Fix
Doc Text:
Previously, SSSD did not properly close its PAM sockets after an authentication attempt, which eventually resulted in process resource exhaustion and a denial of service situation. The code has been modified to fix this issue, and file descriptors are now properly released when they are no longer in use.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-08-10 10:25:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 726475, 748855    
Bug Blocks:    

Description RHEL Program Management 2011-08-01 06:46:25 UTC 
This bug has been copied from bug #726475 and has been proposed
to be backported to 6.1 z-stream (EUS).
Comment 5 Kaushik Banerjee 2011-08-05 09:22:52 UTC 
Using the reproducer from https://bugzilla.redhat.com/show_bug.cgi?id=725281

With sssd-1.5.1-34.el6_1.2:
# ./check_user2 -s system-auth -n 2000 user8
Password: 
Error in "pam_authenticate": Module is unknown
Authentication failure for user "user8" in loop 767


With sssd-1.5.1-34.el6_1.3:
# ./check_user2 -s system-auth -n 2000 user8
Password: 
User "user8" authenticated successfully 2000 times


Verified in version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 34.el6_1.3                    Build Date: Fri 05 Aug 2011 01:39:11 AM IST
Install Date: Fri 05 Aug 2011 02:22:03 PM IST      Build Host: x86-006.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-34.el6_1.3.src.rpm
Size        : 3463891                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 6 Miroslav Svoboda 2011-08-10 09:11:42 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, SSSD did not properly close its PAM sockets after an authentication attempt, which eventually resulted in process resource exhaustion and a denial of service situation. The code has been modified to fix this issue, and file descriptors are now properly released when they are no longer in use.
Comment 7 errata-xmlrpc 2011-08-10 10:25:45 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1143.html