(Received on sssd-devel@lists.fedoraproject.org from Jan Engelhardt)
I am noticing an fd leak with the /usr/lib/sssd/sssd_pam helper program (affected versions: 1.4.1--1.5.11). As is usual with weird bugs, this happens on one machine while it does not on another, but at least it is reproducible on the one :) What I observe is that for every authentication attempt (may either fail or succeed), an fd is left behind:
sssd-1.5.1-43.el6
Every time
File descriptors are left behind.
File descriptors should be closed when no longer in use.
    17:25 mailsrv:/proc/31491/fd # ls -l
    [...]
    lrwx------ 1 root root 64 Jul 28 17:25 42 -> socket:[228511]
    lrwx------ 1 root root 64 Jul 28 17:25 43 -> socket:[227514]
    lrwx------ 1 root root 64 Jul 28 17:25 44 -> socket:[228537]
    lrwx------ 1 root root 64 Jul 28 17:21 5 -> anon_inode:[eventpoll]
    lrwx------ 1 root root 64 Jul 28 17:21 6 -> anon_inode:[eventpoll]
    lr-x------ 1 root root 64 Jul 28 17:21 7 -> pipe:[213086]
    lrwx------ 1 root root 64 Jul 28 17:21 76 -> socket:[220069]
    l-wx------ 1 root root 64 Jul 28 17:21 8 -> pipe:[213086]
    lrwx------ 1 root root 64 Jul 28 17:21 88 -> socket:[221781]
    lrwx------ 1 root root 64 Jul 28 17:21 9 -> anon_inode:[eventpoll]
    17:25 mailsrv:/proc/31491/fd # su - jengelh
    17:25 mailsrv:~ > su - jengelh
    Passord:
    17:25 mailsrv:~ > logout
    17:25 mailsrv:~ > logout
    17:25 mailsrv:/proc/31491/fd # ls -l
    [...]
    lrwx------ 1 root root 64 Jul 28 17:25 42 -> socket:[228511]
    lrwx------ 1 root root 64 Jul 28 17:25 43 -> socket:[227514]
    lrwx------ 1 root root 64 Jul 28 17:25 44 -> socket:[228537]
    lrwx------ 1 root root 64 Jul 28 17:25 46 -> socket:[227688]
    [...]
Furthermore, this new socket has no complementary process to have the other end of socket:[227688] open (anymore):
    17:30 mailsrv:/proc # ls -l */fd/* | grep socket:.227688
    ls: cannot access 7175/fd/3: No such file or directory
    ls: cannot access self/fd/255: No such file or directory
    lrwx------ 1 root root 64 Jul 28 17:25 31491/fd/46 -> socket:[227688]
lsof(8) tells us the name part of the socket for reference:
sssd_pam 31491 root 46u unix 0xffff88001083a840 0t0 227688 /var/lib/sss/pipes/private/pam
Fields changed
summary: sssd_pam.so leaks file descriptors => sssd_pam leaks file descriptors
We saw the same thing on the gnome.org mailserver.
saslauthd was configured to use pam. sssd_pam was using up fds until it would hit the max open file limit and sssd would freak out. It is effectively an authentication DoS.
Our hackorific solution was to modify some mail maintenance scripts to restart sssd and saslauthd every so often when we could no longer log in (modified via puppetd).
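The before/after comparison of `/proc/<pid>/fd` from the report, and a check for how close a process is to its open-file limit, as an added example that is not part of the original ticket or of SSSD. The function names, the abridged sample listings and the 1024 soft limit are assumptions made for illustration.

```python
import re

# Tail of an `ls -l /proc/<pid>/fd` line: "<fd> -> <target>"
FD_LINE = re.compile(r"(\d+) -> (\S+)$")

def parse_fd_listing(text):
    """Return {fd: target}; prompts, '[...]' and other lines are skipped."""
    fds = {}
    for line in text.splitlines():
        m = FD_LINE.search(line.strip())
        if m:
            fds[int(m.group(1))] = m.group(2)
    return fds

def new_fds(before, after):
    """Descriptors in `after` that are absent from `before` or point elsewhere."""
    return {fd: t for fd, t in after.items() if before.get(fd) != t}

def kind(target):
    """'socket:[227688]' -> 'socket'; plain paths -> 'file'."""
    return target.split(":", 1)[0] if ":[" in target else "file"

def headroom(open_count, soft_limit, warn_ratio=0.8):
    """(descriptors left, warn?) so an alert fires before the limit is hit."""
    return soft_limit - open_count, open_count >= warn_ratio * soft_limit

# Constructed sample input: abridged copies of the two listings in the report.
BEFORE = """\
lrwx------ 1 root root 64 Jul 28 17:25 44 -> socket:[228537]
lrwx------ 1 root root 64 Jul 28 17:21 5 -> anon_inode:[eventpoll]
lr-x------ 1 root root 64 Jul 28 17:21 7 -> pipe:[213086]
"""
AFTER = BEFORE + "lrwx------ 1 root root 64 Jul 28 17:25 46 -> socket:[227688]\n"

if __name__ == "__main__":
    leaked = new_fds(parse_fd_listing(BEFORE), parse_fd_listing(AFTER))
    for fd, target in sorted(leaked.items()):
        print(f"new fd {fd}: {target} ({kind(target)})")
    # 1024 is an assumed soft limit; read the real one from /proc/<pid>/limits.
    print(headroom(len(parse_fd_listing(AFTER)), 1024))
```

Run against periodic snapshots of a long-lived daemon, a set of new socket descriptors that only ever grows across authentication attempts is the signal to alert on before the limit is reached.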
owner: somebody => simo status: new => assigned
patch: 0 => 1
Fixed by:
- 336879a (master)
- c57b206 (sssd-1-5)
resolution: => fixed status: assigned => closed
rhbz: 726475 => [https://bugzilla.redhat.com/show_bug.cgi?id=726475 726475]
Metadata Update from @sgallagh:
- Issue assigned to simo
- Issue set to the milestone: SSSD 1.5.12
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1984
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.