On Sat, Nov 20, 2010 at 03:33:31PM -0500, Simo Sorce wrote:
>
> Had some spare time today and wanted to fix this issue.
>
> The attached patch instruments nss and pam clients to use a pthread
> mutex to prevent multiple threads from stomping on each other.
>
> The patch is quite simple and basic testing seems to show no issues.
> It may be worth back-porting to older versions.

I think the mutexes cover too much code here, especially for PAM. The PAM client does not use any global variables except the file handle to the PAM responder of sssd. It would be enough to just protect the I/O to sssd with the mutex to avoid other threads getting the response of a request from a different thread. Here I would suggest that we reduce the socket timeout considerably to avoid long delays if a request gets stuck in sssd. We might be able to avoid mutexes here completely by introducing request ids, but this can be seen as an enhancement for a future version.

Protecting a whole PAM task like authentication with a mutex can lead to a DoS situation when a user logs into a threaded application with his username but "forgets" to enter his password immediately because the phone is ringing.

For NSS it might also be sufficient to protect the I/O to sssd. Netgroups do not use a global variable to save the context, and for passwd and groups I think the global variables are not really protected. E.g. while one thread is running a loop with getpwent() calls, a second thread can sneak in between the calls and call setpwent() and reset the global variable.

bye,
Sumit

>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
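
The narrower locking suggested in the reply above, as an added example that is not part of the thread or of the sssd patch: the mutex covers only one request/response exchange on the shared socket, and a short receive timeout bounds how long a stuck request can hold it. All names, the 4-byte message format and the socketpair stand-in for the responder are assumptions made for the example.

```c
/* Added example; every name is hypothetical, none of this is sssd code. */
#include <pthread.h>
#include <stdint.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>
#define MSG ((ssize_t)sizeof(uint32_t))   /* constructed fixed-size message */
static int cli_fd = -1, srv_fd = -1;      /* cli_fd is the one shared handle */
static pthread_mutex_t io_mtx = PTHREAD_MUTEX_INITIALIZER;

static void *responder(void *arg) {  /* stand-in daemon: req+1000, silent on 0 */
    int fd = *(int *)arg;
    uint32_t v;
    while (read(fd, &v, MSG) == MSG) {
        uint32_t rep = v + 1000;
        if (v != 0 && write(fd, &rep, MSG) != MSG) break;
    }
    return NULL;
}
int client_setup(long timeout_ms) {
    int sv[2]; pthread_t t;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    cli_fd = sv[0]; srv_fd = sv[1];
    /* Short receive timeout: a stuck request holds the lock only briefly. */
    if (setsockopt(cli_fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) != 0) return -1;
    return pthread_create(&t, NULL, responder, &srv_fd) == 0 ? pthread_detach(t) : -1;
}
/* The mutex covers one write/read pair on the socket and nothing else. */
int io_request(uint32_t req, uint32_t *rep) {
    pthread_mutex_lock(&io_mtx);
    int ok = write(cli_fd, &req, MSG) == MSG && read(cli_fd, rep, MSG) == MSG;
    pthread_mutex_unlock(&io_mtx);
    return ok ? 0 : -1;
}
static void *worker(void *arg) {
    uint32_t id = (uint32_t)(uintptr_t)arg, rep;
    intptr_t bad = 0;
    for (int i = 0; i < 200; i++)
        bad += (io_request(id, &rep) != 0 || rep != id + 1000);
    return (void *)bad;
}
long run_workers(void) {  /* 8 threads; returns count of lost or mixed-up replies */
    pthread_t t[8];
    void *r; long bad = 0;
    for (uintptr_t i = 0; i < 8; i++)
        if (pthread_create(&t[i], NULL, worker, (void *)(i + 1)) != 0) return -1;
    for (int i = 0; i < 8; i++)
        if (pthread_join(t[i], &r) == 0) bad += (long)(intptr_t)r;
    return bad;
}
```

Here the stuck request never gets an answer, so the stream stays in step after the timeout. A reply that arrived late would be read by the next caller, which is the case the request ids mentioned in the reply would catch.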