> A real-world example is nss_ldap / pam_ldap -- these need an open socket to
> the ldap server. That socket is cached. And because they cannot trust that the
> application has not closed their file descriptor, they check it with
> getpeername + getsockname (at least it did when I looked at the code
> some years ago.)
>
> (opening the socket again includes using STARTTLS and authentication .. so it
> is quite some overhead)
And if the fd was closed because of a security transition in the application, hiding it and caching it from the application might then lead to a security hole.

Alan

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
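The getpeername + getsockname check described in the quoted message, written out as an added C example (not code from nss_ldap, pam_ldap or either poster): it caches a loopback TCP connection together with its addresses, then lets the "application" recycle the descriptor number for an unrelated file and shows the check rejecting it. The loopback setup and the names `cached_conn`, `conn_still_ours` and `demo_fd_reuse` are the example's own assumptions.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <fcntl.h>

/* A cached connection: the fd plus the addresses it had when it was opened. */
struct cached_conn { int fd; struct sockaddr_in local, peer; };
static int same_addr(const struct sockaddr_in *a, const struct sockaddr_in *b) {
    return a->sin_port == b->sin_port && a->sin_addr.s_addr == b->sin_addr.s_addr;
}
/* Record the local and peer addresses of a freshly connected socket. */
static int cache_conn(struct cached_conn *c, int fd) {
    socklen_t ll = sizeof c->local, pl = sizeof c->peer;
    c->fd = fd;
    if (getsockname(fd, (struct sockaddr *)&c->local, &ll) < 0) return -1;
    return getpeername(fd, (struct sockaddr *)&c->peer, &pl);
}
/* The nss_ldap-style check: does the cached number still refer to our connection?
 * Fails on EBADF/ENOTSOCK/ENOTCONN, or if the fd now names a different socket. */
int conn_still_ours(const struct cached_conn *c) {
    struct sockaddr_in l, p;
    socklen_t ll = sizeof l, pl = sizeof p;
    if (getsockname(c->fd, (struct sockaddr *)&l, &ll) < 0) return 0;
    if (getpeername(c->fd, (struct sockaddr *)&p, &pl) < 0) return 0;
    return same_addr(&l, &c->local) && same_addr(&p, &c->peer);
}

/* Demo (constructed): connect over loopback, cache the fd, then have the application
 * replace that number with /dev/null. Returns 1 if the check catches the reuse. */
int demo_fd_reuse(void) {
    struct sockaddr_in sin = { .sin_family = AF_INET };
    socklen_t sl = sizeof sin;
    int lfd = socket(AF_INET, SOCK_STREAM, 0), cfd, sfd, nul, rc;
    struct cached_conn cc;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sin, sl) < 0 || listen(lfd, 1) < 0) return -1;
    if (getsockname(lfd, (struct sockaddr *)&sin, &sl) < 0) return -1; /* learn the port */
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&sin, sl) < 0) return -1;
    sfd = accept(lfd, NULL, NULL);
    if (sfd < 0 || cache_conn(&cc, cfd) < 0) return -1;
    rc = conn_still_ours(&cc);                    /* 1: the live connection passes */
    nul = open("/dev/null", O_RDONLY);
    if (nul < 0 || dup2(nul, cfd) < 0) return -1; /* closes cfd, recycles its number */
    rc = rc && !conn_still_ours(&cc);             /* same number, but not our socket */
    close(nul); close(cfd); close(sfd); close(lfd);
    return rc;
}
```

The check only detects that the number was closed and recycled, which is the point of the quoted message; it does nothing for Alan's concern, because a descriptor the library keeps open across a security transition still passes the check and survives the transition.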