CA ControlMinder 12.8 - CumulativeFix-1 (CF1) Endpoints FIXLIST

No.  Severity Module Problem summary Package OS Cause of the problem Conditions Solution or workaround Reproduction steps
1 3 Unix endpoint user mode Fixes an issue where seosd core dumps due to signal 6 (abort). This behavior occurs when a system command "reboot" is issued. AN01831 Unix all seosd takes a long time to shut down and the system issues another signal 6 to seosd.     1. cp /opt/CA/AccessControl/samples/system.init/LINUX/S95seos /opt/CA/AccessControl/bin 2. chmod +x /opt/CA/AccessControl/bin/S95seos 3. ln -s /opt/CA/AccessControl/bin/S95seos /etc/rc5.d/S95seos 4. Start up ControlMinder and then issue the command "reboot". 5. When the system comes back up, check for a core dump in / or /opt/CA/AccessControl/bin. Note that you may not be able to reproduce the problem. The problem can be reproduced only if seosd has a lot of cleanup to do in the client's environment.
2 2 Unix endpoint user mode Fixes an issue where seosd produces a core dump during reboot AN02078 Unix all   Any 12.5 SP5 GA with patch that includes changes by AC125SP50555 or 12.5 SP5 CR1 will have this problem. Add check to make sure not to free already freed memory. Install 12.5 SP5 CR1. Run AC. Execute reboot.
3 3 Unix endpoint user mode Fixes an issue where login session terminates when scrolling a file in Vi if the keyboard logger is enabled AN02108 Unix all negative length as parameter to call read() KBL enabled and kbl_output_limit=10   AIX 6.1 seos.ini: kbl_enabled = yes kbl_output_limit = 10 AC> eu root audit(interactive) login as root # vi /opt/CA/AccessControl/seos.ini scroll opened file down EXPECTED: can scroll as long as you wish ACTUAL: login session terminates, Connection to ... closed by foreign host.
4 3 Unix endpoint user mode Fixes an issue where in case the file time stamp was changed, the oldest file cannot be retrieved AN02134 Unix all   The time stamps of the seos.audit backup files are changed. This is why seosd is not able to find the oldest file created correctly. Make sure the backup files are not touched by any other processes. Set the following tokens. BackUp_Date = daily audit_max_files = 3 (or any number you would like to) 1. cd /opt/CA/AccessControl/log 2. cp seos.audit.bak.30-Mar-2014-09:44:32 seos.audit.bak.31-Mar-2014-09:44:32 3. cp seos.audit.bak.30-Mar-2014-09:44:32 seos.audit.bak.01-Apr-2014-09:44:32 Now we have three backup files. audit_max_files is set to 3. If seos.audit is renamed the next day, then the oldest backup file will be deleted. According to the name extension, 30-Mar-2014-09:44:32 is the oldest file, and this file should be deleted the next day when seos.audit is renamed to the backup file. However, if we shut down CM and then run "touch seos.audit.bak.30-Mar-2014-09:44:32", the file seos.audit.bak.30-Mar-2014-09:44:32 is not the oldest file anymore. This file will not be deleted when seos.audit is rolled to the backup file.
5 2 Unix endpoint user mode Fixes an issue on Zlinux where AgentManager and ReportAgent generate error when loading Java shared libraries and AN01812 LINUX s390 Created LD_LIBRARY_PATH does not include path to   modify condition to include checking s390x machine type. ./ start Observed: /opt/CA/AccessControlShared/bin/ReportAgent: error while loading shared libraries: cannot open shared object file: No such file or directory
6 3 Win endpoint user mode Fixes an issue where CA ControlMinder fails to fetch hosts from DNS on AIX 6.1 and higher AN02091 AIX Commands "nslookup -ls" and "host -l" are not supported on AIX 6.1   Implement "dig" command to fetch list of hosts from DNS server AIX 6.1 Install CM # dig DNS_server Domain_Name axfr // for example: dig axfr if not-empty hosts list then may continue testing # sebuildla -h # sebuildla -H EXPECTED fetched list of hosts
7 3 UNAB Adapt UNAB to recent changes on RHEL for nss_uxauth data exchange  AN02092 LINUX all        
8 3 Unix endpoint user mode Fixes an issue where the watchdog attempts to kill seosd process on restart. As a result the SMF service enters into "maintenance" mode after restart and both SMF and watchdog attempt to restart seosd AN02080 Unix all     in saferoute check returned error, if error is SEOSSFR_E_NOSERV then do not kill seosd  
9 2 Unix endpoint kernel mode Fixes an issue where a spurious /etc/os-release file causes SEOS_load to fail AN02081 LINUX x64 Spurious /etc/os-release file being incorrectly parsed by RHEL 5.x with added /etc/os-release file   On a rhel 5.10 X64 system: 1. Ensure SEOS kernel module is unloaded - SEOS_load -u 1. add a /etc/os-release file which just contains the text "redhat". 2. execute SEOS_load to load the seos kernel module CM should load and run (previously SEOS_load was detecting the OS as Debian)
10 2 Unix endpoint user mode Fixes an issue where sepass does not work for local users when UNAB is installed AN01934 Unix all       On a machine where both ControlMinder endpoint and UNAB are installed Create a User from the native
#useradd test111
#passwd -r files test111
6. Now use sepass to change the password for the local user when UNAB is installed and running.
bash-3.00# sepass test111
CA ControlMinder sepass v12.80.0.1675 - Password replacement
Copyright (c) 2013 CA. All rights reserved.
Changing password for test111
Enter your password:
Enter new password:
Verify new password:
Permission denied
Local password updated successfully.
7. Now log in as the local user with the newly changed password
Login is successfully done.
11 3 Unix endpoint kernel mode Fixes an issue where the keyboard logger fails to work properly on the Solaris internal zone. AN01829 Unix all CM initializes global structure "SEOS_kbl_info_t KBL_info" only when starting CM in global zone. The CM uses this global structure also in internal zones. CM does not run in Solaris global zone Create per-zone KBL_info, this structure keeps "cmdlog" binary description and initializes it when starting CM in zone  
12 2 Unix endpoint kernel mode Fixes an issue where on Solaris 10, the Solaris 10 zone with a long path name causes system crash.  AN01861 Solaris Sparc Attempt to write 1028 bytes string in buffer of 1024 bytes Solaris 10 zone with long path name Check the length of result of adding zone name to path name. Do not exceed buffer length MAXPATHLEN=1024 Solaris 10 internal zone, Create file such that total path length is 1020 bytes in internal zone. Start CM in global and internal zone. Try access this file from internal and from global zone. ------------ The CM path resolving tried to add zone prefix to long path and ended up with heap corruption error.
13 3 Unix endpoint user mode Fixes an issue where the Selang connection to the remote host fails when using AN01868 LINUX s390 encryption layer fails to decrypt data The ACCIPHER layer loads shared libraries for encryption. The function _unscramble() in expects the input parameter for buffer size as 'int*' while the ACCIPHER layer sends 'long*'. On zLinux int is 4 bytes while long is 8 bytes. As a result, the called function returns an invalid buffer size value (an extremely big value) and the ACCIPHER layer returns an error. using in case of failed decryption, check the returned buffer size; if it is a very big number, the function most likely expects a pointer to 'int'. Call decryption again with the new parameter 'int*' Host 1: * Solaris 10 + CM 2.6sp1 (or any other version) * set <CM>/lib/libcrypt -> /opt/CA/AccessControl/lib/ * start CM Host 2: * Linux s390x + CM 12.6sp2 * set <CM>/lib/libcrypt -> /opt/CA/AccessControl/lib/ * Start CM ------------------------- on Host 1 run selang and try AC> host EXPECTED: Successfully connected INFO: Target host's version is 12.62-0 (000)
14 3 Unix endpoint user mode Fixes an issue with seagent where a corrupted seos.audit file with an empty space fails to retrieve events. As a result, the number of records seen through the Enterprise Management UI is different than the number of records seen through "seaudit -a". AN01883 Unix all    a corrupted seos.audit to see the problem.   Get a corrupted seos.audit where a large region of the file is empty. Connect to this box from the Endpoint Management Web UI and then click on Audit Event to show all the records. The problem is that the number of records you see in the Web UI and the number of records in "seaudit -a" are different. It means some records are missing.
15 3 Unix endpoint user mode Fixes a problem where selogrd exits unexpectedly when it fails to read the seos.audit file locked by seosd.  AN01153 Unix all While seosd sends logs to a long seos.audit file, it locks the file seos.audit. When selogrd tries to open the file seos.audit, it fails. seosd locks the file seos.audit for too long. If selogrd can't open the file, it will go to sleep for 10 seconds and then try to open the file again.  
16 3 Unix endpoint user mode Fixes an issue where on certain AIX systems a user fails to update the password for a user with username longer than 8 characters. AN01527 AIX The AIX system's own API doesn't support usernames longer than 8 characters. The problem happens on AIX only.   Pick a user whose username is more than 8 characters. AC> eu longusername01 password(12345) vi /etc/security/passwd The password is not updated.
17 3 Unix endpoint user mode Fixes an issue where the command "logout" fails when the keyboard logger is enabled. AN01613 Unix all       reproduced however error is different
1. install CM
2. seos.ini kbl_enabled=yes
3. logon to the system
4. # logout 3004-064 You must be the login user.
18 1 UNAB Fixes UNAB issue where an account with a hash character (#) in the password fails to customize the rpm package for registration during the package installation. AN02073 Unix all        
19 3 Unix endpoint user mode Fixes an issue where a new shell (new process) wrongly executes a new setuid. AN02082 Unix all a new shell executes setuid to root. old_sesu is set to no and we'll have to have the OS that works in a way that a new shell executes setuid to root.    
20 2 Unix endpoint kernel mode Fixes an issue with HOST class denials. Consider that all the connections are by default denied and a specific port for a particular IP address is enabled. Given this case, if a telnet executes on the same port with a different IP address, CA ControlMinder will deny the connection, leaving a sock entry half opened. After a while, the OS file descriptor table would be full and the server would crash. AN02064 Unix all The problem is that the original accept system call has already created a new file descriptor for the connected socket when SEOS decides to deny the connection. The existing code terminates the socket but fails to close the file descriptor. As a result, a valid file descriptor is pointing to an invalid socket. Depending on the platform, it could result in panic or memory leak. When incoming connection is denied. Close the file descriptor and it will automatically clean up the socket. 1. Install CM. 1a. (Optional for Solaris 10 and up or HP-UX 11.23 and up only) Make sure to use the syscall network interception method. Set the following token in seos.ini: SEOS_use_streams = no SEOS_network_intercept_type = 2 2. Start CM. 3. Activate the HOST class. 4. Add the following selang rules: chres ADMIN("HOSTNET") audit(failure) defaccess(none) editres HOSTNET("all") audit(failure) owner(nobody) mask( match( chres UACC("HOSTNET") authorize HOSTNET("all") access(r) service(22) authorize HOSTNET("all") access(none) service(*) NOTE: With the last rule, all TCP services except SSH will be blocked. Using "sshd -p 22033" is simply to track file table of a daemon more easily, better than inetd. 5a. For Linux and HP-UX, start a second sshd daemon monitoring a different port. /usr/sbin/sshd -p 22033 5b. For Solaris, start a second sshd daemon monitoring a different port. /usr/lib/ssh/sshd -p 22033 6. Try to connect to this second sshd daemon from another host. ssh -p 22033 this_host 7. Verify in the audit log that this connection is denied. 8. Identify the PID of this second sshd daemon. ps -ef | grep sshd | grep "-p 22033" 9a. For Linux and HP-UX, list this PID's files. lsof -p second_sshd_pid You will see a file of sock with "can't identify protocol" for each failed connection attempt. 9b. For Solaris, listing this PID's files may cause the system to panic. pfiles second_sshd_pid
21 3 Unix endpoint user mode Fixes an issue where the created user name is not resolved to name when the user is not in Look aside DB. AN02071 Unix all in 64 bit is communicating with a 32-bit seosd. The data structures do not match when data is transmitted from 64 bit to 32 bit. We can reproduce the problem only if we install the x32 bit version of CM on a Linux X64 bit system. The user is created by a native tool and the user is never added to ladb. These are the two conditions to reproduce the problem. We need to either apply the fix seosd or make sure to add the user in ladb. 1. Install 12.8 on Linux X64 bit system. However, the 12.8 version is in x32 bits. 2. x64 bit of the is in use, it is in /lib64/security. 3. Run useradd to create a user and create a passwd for the user. Note the user is not in ladb 4. Log in as the user for the first time and then run "sewhoami -a"; there are two user names in sewhoami -a instead of one. 
22 2 Win endpoint user mode Fixes a problem where "N PROCESS" audit logs for killing ControlMinder processes are not filtered with "PROCESS;*;*;*;Kill;*" in audit.cfg AN02047 Windows all       1. set "PROCESS;*;*;*;Kill;*" in audit.cfg 2. kill seosd.exe from taskmanager 3. following audit log is recorded. 08 Apr 2014 15:53:29 N PROCESS Administrator Kill 600 10 \device\harddiskvolume2\program files\ca\accesscontrol\bin\seosd.exe C:\Windows\system32\taskmgr.exe Additional information: When set "PROCESS;*;*;*;*;*" in audit.cfg, above audit log is filtered. Same symptom is observed when killing seosagent.exe and seoswd.exe.
23 3 Unix endpoint user mode Fixes an issue where ftp login fails on HP 11.11 because SEOS_load -u successfully unloads SEOS_syscall, but token HPUX11_SeOS_Syscall_number is still set in seos.ini.  AN02059 HPUX PA-RISC HPUX11_SeOS_Syscall_number is still set in seos.ini when SEOS_syscall is unloaded. It is on hpux11.11 only. Apply the fix SEOS_load or remove HPUX11_SeOS_Syscall_number manually from seos.ini. 1. Install ControlMinder on HPUX11.11. 2. start up ControlMinder. 2. secons -sk 3. SEOS_load -u 4. vi seos.ini and look for HPUX11_SeOS_Syscall_number, if this token is removed (not there), then it works. If HPUX11_SeOS_Syscall_number is still set in seos.ini, then it is not working. 5. ftp into this box, if there is no problem to login, then it works.
24 3 Unix endpoint user mode Fixes policyfetcher problem that produced core file.  AN02042 Unix all NULL pointer access   Verify string pointer before usage  
25 3 Unix endpoint user mode Fixes an issue where user is able to login despite DENY audit record AN02022 Unix all pam_seos is optional in PAM configuration. return value from pam_seos is ignored on Linux PAM loginappl This package defines new token in seos.ini [pam_seos] pam_deny_login_kill=yes With the default value "yes" the CM will kill "denied" process. Setting token to "no" makes CM return "deny" to which returns PAM_PERM_DENIED to the service. In such case admin should also change "optional" to "required" in /etc/pam.d/system-auth On Linux: AC> er loginappl VFTP loginflags(PAM, nograce) AC> er terminal 123.234.567.89 defaccess(n) owner(nobody) ---- From the terminal (IP defined above in terminal rule) do "ftp tet_host" EXPECTED: login fails ACTUAL: login succeeded
26 3 Unix endpoint kernel mode Fixes a performance issue where CPU load increases when ControlMinder is up AN02030 LINUX all frequent access to kernel tables when verifying file access to /proc Problem occurred on machine of 128 CPUs  check token proc_bypass in kernel and return immediate ALLOW when SEOS_proc_bypass=1 and accessing /proc  
27 2 Win endpoint user mode Fixes an issue where the Watchdog thread monitoring ControlMinder services crashes. Setting the registry value GenerateMemDump = 0 in HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\AccessControl does not disable process dump generation. Also, 'secons -i' prints the wrong values of virtual memory size and handles in the "CA ControlMinder memory utilization statistics" section. AN01984 windows all It's caused by opening the process with the PROCESS_QUERY_LIMITED_INFORMATION access mask on Win2003.   Open monitored process with access right PROCESS_QUERY_INFORMATION. Add validation of values of VirtualMemorySize and HandlesCount and generating process dump depending on GenerateMemDump value. Install CM endpoint on Win 2003 with services ReportAgent, Task Delegation, advanced policy management. Start CM and wait about 15 min for generating DMP files in AccessControl\bin
28 2 Unix endpoint kernel mode Fixes an issue where CentOS 6.5 was not properly identified, creating an incorrect link for SEOS_syscall AN01989 LINUX all is not detecting the OS correctly and SEOS_syscall is linked incorrectly on CentOS 6.5      
29 3 Unix endpoint user mode Fixes an issue where a clear text password was saved in the KBL audit log AN01980 Unix all cmdlog sends all typed input to the audit log   modify cmdlog to hide text after prompt "Password:" Enable KBL Create user AC> eu test audit(interactive) Login as 'test' % su Password: **** seaudit -kbl -sid 28327 -cmd ==> SessionCmd: shows clear text password
30 2 Unix endpoint user mode Fixes an issue where ControlMinder fails to start when system has 8000 processes AN01982 Unix all The seosd allocates an initial process table of 8000 entries when starting. If there is no space in the table to keep all processes, the seosd re-allocates the table to a bigger size. The function OLD_ProcServer_add_entry() saved entry pointer 'p' to the previous table, then the table was reallocated, but the function used the old pointer and crashed. System has more than 8000 alive processes Change OLD_ProcServer_add_entry(), save original process table entry in local store, use that saved entry later when copying data to new entry. Run on the test system more than 8000 processes in total. Start CM -------- EXPECTS: successful start
31 3 Unix endpoint user mode Fixes an issue where seosd is killed by watchdog, while reading lookaside DB. AN01965 Unix all watchdog killed seosd; the seosd was reading ladb and acquiring or waiting for a file lock; it is not clear what happened to the lock, the seosd was patched by TC61368 and no unstripped version of the binary was saved, unable to read core   Check whether the file lock is available before requesting the lock when accessing ladb from seosd.  
32 3 Unix endpoint user mode Fixes an issue where GUI stopped working when running SEOS_load -u AN01947 LINUX x64 command in unload exit script /etc/init.d/messagebus stop   do not call /etc/init.d/messagebus stop on Linux RH RH 6.4 run SEOS_load -u ==> Xserver stopped
33 3 Unix endpoint user mode Fixes an issue where Terminal rule is ignored when Lookaside DB is disabled AN01906 Unix all The seosd fails to find the host name in the hosts cache, the result is usage of the IP address Function uxcache_gethostbyaddr() returns NULL for any host use_lookaside=no in seos.ini Host cache entirely remade. seos.ini use_lookaside = no terminal_search_order = name Create two DM rules for the same host, one rule with name, another with host IP AC> nr TERMINAL defaccess(READ) owner('nobody') AC> nr TERMINAL defaccess(none) owner('nobody') Try login to server FROM ==> EXPECTED: access allowed by first terminal rule ==> ACTUAL: connection closed, decision made by IP rule
34 3 Unix endpoint user mode Fixes an issue where FTP login records occasionally show wrong remote host IP. When LOGINAPPL for FTP is set PAMLOGIN there is wrong IP address in the audit file AN01881 Unix all The CM is missing PAM flag for VFTP loginappl and skips PAM login handling. The CM fetches IP address from kernel for vftpd process and returns IP of different connection (the kernel takes address from first available socket of process). The seosd saves one last login flag in RT tables when updating LOGINAPPL rule, while it should add all flags to login table entry. using Add all flags to RT login program entry. Was reproduced on S1 Linux Oracle RH 6.4 1. Start CM on Linux 2. edit LOGINAPPL rule er loginappl VFTP loginflags(PAMLogin nograce) 3. SSH to Linux from another system (on reproduction used Windows 4. On Linux restart ftp using "service vsftpd restart" 5. connect ftp from 3rd system to Linux (reproduction used Windows 6. On Linux run seaudit -a 21 Feb 2014 05:13:17 P LOGIN root 59 2 SSH 21 Feb 2014 05:14:24 P LOGIN root 54 2 VFTP -------- The CM saved FTP record with IP address of 1st Windows when connecting from 2nd Windows.
35 3 Unix endpoint kernel mode Fixes an issue where a changed kernel symbol after kernel upgrade causes SEOS_load to fail AN01864 LINUX x64 symbol version does not match kernel upgrade SUSE 10SP2, x86_64, kernel link SEOS_syscall to next OSMIC level - SEOS_syscall.100SUSEcX86_64.MP.ko Linux SUSE 10 SP2 x86_64 SEOS_load SEOS_load: SEOS_syscall isn't loaded
36 3 Unix endpoint user mode Fixes an issue where on Enterprise Management Linux box, seagent core dumps once in a while due to connections with a NULL ACCIPHER handle.  AN01840 Unix all The ACCIPHER handle is NULL. There is connection to seagent with a NULL ACCIPHER. We need to apply the fix seagent. Install ENTM on a linux box, seagent core dumps once in a while. If you turn on the debug log for seagent, we can see that there are connections with a NULL ACCIPHER handle. It cores because the handle is NULL.
37 2 Win endpoint kernel mode Fixes an issue where, due to a logical error while some user accesses a shared folder, the audit log replaces one user with another, even though the other user has no access rights  AN01827 windows all CM has a thread attributes cache used for storing impersonation information per thread. When working with the cache, the function that updates the cache content with new data (new user SID) performed the cache entry update prior to removing the invalidated cache entry, so this update created a window of opportunity for another thread to assume the identity of the wrong user and created the issue. The fix removed the update as obsolete, which prevents the opportunity for wrong impersonation   Fixed update table  
38 3 Unix endpoint kernel mode Fixes an issue where ftruncate call fails to truncate file to size over 4GB AN01834 AIX   Calling ftruncate to set the file length to more than 4GB long. Change the data type to off_t. Create a program that calls ftruncate to create a file and truncate its size to over 4GB long. Start AC. Run this test program. It will create a file of (intended_size - 4GB) long. (Please make sure that ulimit for file size is set to unlimited.)
39 2 Unix endpoint kernel mode Fixes an issue where system crash while kernel process server function SEOS_procserver_list_len() AN01811 Unix all another process KBL cmdlog calls AC_ProcGetOrigArg0() and kernel function SEOS_procserver_getArg0(). This kernel procserver function called alloc while keeping spinlock when scheduler removed this process from cpu. -------- stack trace: ID: 12060 TASK: ffff81010d2b7100 CPU: 1 COMMAND: "AC" #0 [ffff81001bb75c78] schedule at ffffffff80062f90 #1 [ffff81001bb75d50] __cond_resched at ffffffff800900c8 #2 [ffff81001bb75d60] cond_resched at ffffffff800630c5 #3 [ffff81001bb75d70] __kmalloc at ffffffff800de725 #4 [ffff81001bb75d90] eAC_calloc at ffffffff886c5008 [seos] #5 [ffff81001bb75dc0] SEOS_procserver_getArg0 at ffffffff886c281c [seos] #6 [ffff81001bb75e00] _SEOS_syscall_ at ffffffff886a41f6 [seos]   Do not call blockable alloc() while holding spinlock.  
40 3 Unix endpoint user mode Fixes an issue where sesu - user01 got denied when old_sesu is set to no in seos.ini. This is because setuid from /bin/su is not allowed AN01803 Unix all /bin/su also make setuid calls. change old_sesu to no. The workaround is to code a SURROGATE rules to allow the setuid calls. on Aix, vi seos.ini and change old_sesu to no. Please login as user tt01 and then run "sesu - tt02", the command will get denied.
41 2 Unix endpoint kernel mode Fixes an issue where Kernel module fails to load with SLES 10sp2 kernel running in SLES 10sp3 system AN01765 LINUX all AC is using /etc/SuSE-release file to detect if SLES 10 sp2 or sp3 AC should be using uname -r to detect kernel version AC kernel module fails to load Install modified Install SLES 10 sp3 (kernel Revert kernel to SLES 10 sp2 kernel AC fails to load
42 2 Unix endpoint kernel mode Fixes an issue where a coexistence problem caused a panic working with Symantec sisip kernel module AN01766 LINUX x64        
43 2 Win endpoint user mode Fixes an issue where TERMINAL generic rules with wildcards (* ?) do not work properly AN01775 Windows all     Added search TERMINAL objects matched client host name or IP in generic resource table ( objects with wildcards ). On CM endpoint A: 1. Stop CM and specify TerminalSearchOrder = name,RDPIP in HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\SeOSD 2. Create user tuser. 3. Verify RDP login to A from host B for tuser. 4. Start CM 5. Create CM user tuser. eu tuser owner(nobody) 6. Create TERMINAL rule for IP of host B using wildcard like: er terminal(130.119.179.*) owner(nobody) defaccess(none) and check RDP connection from B. Expected result: Denied login Actual result: Permit login
44 3 Unix endpoint user mode Fixes an issue where process /usr/sbin/saslauthd has a growing number of opened file descriptors AN01750 Unix all does not close open socket Problem discovered on RH 6.0, applies to all platforms close socket if PUPM connection fails in pam_create_socket_client_handle() Support S1 created reproduction environment server On this server do: ------------------- # ps -ef | grep saslauthd root 20004 1 0 Oct28 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 1 # ls -l /proc/20004/fd (mark number of opened files) # telnet localhost 110 USER tanma07 +OK Name is a valid mailbox PASS tanma07 +OK Mailbox locked and ready QUIT +OK # ls -l /proc/20004/fd ==> shows one more opened socket