Dear folks,

After updating some of our servers to CentOS 6.8, we’ve noticed that the ones using pam_sss.so for authentication, appear to be suffering from a leak of sorts.

On these systems, the /var partition is running out of disk space, and we eventually noticed that it’s because of deleted, but still open files like these:

httpd 1081 apache 8r REG 253,2 6406312
6199 /var/lib/sss/mc/group (deleted)
sshd 1609 root 3r REG 253,2 8406312
431 /var/lib/sss/mc/passwd (deleted)
mysqld 2018 mysql 4r REG 253,2 10406312
436 /var/lib/sss/mc/initgroups (deleted)

Each time any process uses pam in some way, it’s opening these cache files in /var/lib/sss/mc, but not closing them, and they’re accumulating. The reason they’re accumulating is that the initgroups, group and password file are frequently refreshed (by sssd), and so each open() call to them looks at a new file.

We traced the sshd process, and noticed this:

open(“/var/lib/sss/mc/passwd”, O_RDONLY|O_CLOEXEC) = 3

But there is no matching “close(3)” call anywhere (all other files opened have a matching close() system call).

Has anyone else seen this issue, and does anyone know a quick solution to this?

Regards, Anand