From dba7903ba7fc04bc331004b0453938c116be3663 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Oct 11 2012 12:11:56 +0000
Subject: PAM: close socket fd with pam_set_data

https://fedorahosted.org/sssd/ticket/1569

---

diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 1ef3ba1..a4d523c 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -794,6 +794,12 @@ errno_t check_server_cred(int sockfd)
 #endif
 return 0;
 }
+
+int *sss_pam_get_socket(void)
+{
+ return &sss_cli_sd;
+}
+
 int sss_pam_make_request(enum sss_cli_command cmd,
 struct sss_cli_req_data *rd,
 uint8_t **repbuf, size_t *replen,
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index efbc48b..90d4c0a 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -54,6 +54,7 @@
 #define FLAGS_USE_AUTHTOK (1 << 2)
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
+#define FD_DESTRUCTOR "pam_sss:fd_destructor"
 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s"
 #define PW_RESET_MSG_MAX_SIZE 4096
@@ -122,6 +123,24 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
 ptr = NULL;
 }
+static void close_fd(pam_handle_t *pamh, void *ptr, int err)
+{
+ int fd = *((int *) ptr);
+
+ if (err & PAM_DATA_REPLACE) {
+ /* Nothing to do */
+ return;
+ }
+
+ if (fd == -1) {
+ /* fd not yet initialized */
+ return;
+ }
+
+ D(("Closing the fd"));
+ close(fd);
+}
+
 static size_t add_authtok_item(enum pam_item_type type,
 enum sss_authtok_type authtok_type,
 const char *tok, const size_t size,
@@ -1058,6 +1077,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
 enum sss_cli_command task, bool quiet_mode)
 {
 int ret;
+ int sret;
 int errnop;
 struct sss_cli_req_data rd;
 uint8_t *buf = NULL;
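Review bot: `sss_pam_get_socket` returns the address of the library-internal `sss_cli_sd`, and neither this definition nor the matching declaration added in the `sss_cli.h` hunk says what the pointer is for or what a caller may do with it. Since the value behind the pointer is read only when the PAM destructor runs, a caller that dereferences it early and stores the integer would get a descriptor number that is presumably already stale by then. I would put a comment above the definition such as `/* Address of the client socket descriptor (sss_cli_sd). Only intended for pam_set_data(), so the cleanup handler closes whatever descriptor is current at pam_end() time; do not cache the dereferenced value. */` and a one-line version of it on the header declaration.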
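Review bot: `close_fd` closes the descriptor but leaves `*((int *) ptr)`, that is `sss_cli_sd`, still holding the closed number, so unless the connect path elsewhere resets it on error, an application that calls pam_start again in the same process after pam_end would find a stale descriptor in the global and the next request could be written to whatever file has since been assigned that number. Resetting the slot right after the close removes that window: `close(fd);` followed by `*((int *) ptr) = -1;`, which also makes the existing `fd == -1` early return meaningful on a second cleanup. The return value of `close()` is ignored as well; logging an `EBADF` under `D()` would make an accidental double close visible in debug output.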
@@ -1078,6 +1098,11 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
 errnop = 0;
 ret = sss_pam_make_request(task, &rd, &repbuf, &replen, &errnop);
+ sret = pam_set_data(pamh, FD_DESTRUCTOR, sss_pam_get_socket(), close_fd);
+ if (sret != PAM_SUCCESS) {
+ D(("pam_set_data failed, client might leaks fds"));
+ }
+
 if (ret != PAM_SUCCESS) {
 if (errnop != 0) {
 logger(pamh, LOG_ERR, "Request to sssd failed. %s", ssscli_err2string(errnop));
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index f60bd99..f3cb44a 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -481,6 +481,8 @@ int sss_pam_make_request(enum sss_cli_command cmd,
 struct sss_cli_req_data *rd,
 uint8_t **repbuf, size_t *replen,
 int *errnop);
+int *sss_pam_get_socket(void);
+
 int sss_pac_make_request(enum sss_cli_command cmd,
 struct sss_cli_req_data *rd,
 uint8_t **repbuf, size_t *replen,
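Review bot: The debug message in the new `if (sret != PAM_SUCCESS)` branch reads `client might leaks fds`; it should be `D(("pam_set_data failed, client might leak fds"));`. The failure is otherwise silent at normal log levels, which is probably acceptable since the only consequence is that the socket stays open until the process exits, but if administrators are meant to see it the `logger()` call visible two lines below is the mechanism the file uses for messages that reach the system log. send_and_receive starts and ends outside this hunk.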