TripAccept Usage in PAMSC

Article ID: 421145


Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

A security alert on a PAM Server Control endpoint has led to concerns over how the endpoint uses the tripAccept utility. This KB explains the usage of tripAccept, what events would trigger it, and its impact on other processes on a server.

Resolution

The tripAccept utility is designed to trip (wake up) processes that are blocked in the accept system call waiting for incoming network connections. It is used in only two scenarios: at PAMSC startup and at PAMSC shutdown.

(1) PAMSC startup - When PAMSC starts, some network service processes may already be blocked in accept waiting for incoming connection requests. Because they entered accept before PAMSC was running, the first connection request each of these processes receives after PAMSC starts will not be intercepted by PAMSC. To close this gap, PAMSC scans the host system and identifies those processes and their listening ports, then uses tripAccept to wake them, so that their next accept call, and every request from then on, is intercepted.

(2) PAMSC shutdown - When PAMSC shuts down, there may still be processes blocked in an accept call that PAMSC has already intercepted. If left unchecked, these processes prevent the PAMSC kernel module from unloading. Again tripAccept is run to wake these processes, so that none of them remain in the intercepted state.

The tripAccept utility has no side effect on the listening processes. These processes usually run in a loop, calling accept for each incoming network connection. tripAccept simulates a connection request to the listening process; as soon as the connection is established it closes the connection, and the listening process returns to accept and continues listening.
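The connect-and-close behaviour described above, as an added example that is not part of this KB or of PAMSC: a loopback listener blocked in accept() is tripped twice; all the listener observes is a connection from 127.0.0.1 that carries no data, after which it returns to its accept loop. trip_accept, run_demo and the ephemeral port are constructed for this demonstration.

```python
import socket
import threading
import time


def trip_accept(port: int, host: str = "127.0.0.1") -> None:
    """Hypothetical stand-in for tripAccept: connect to the listening
    port and close at once, so the listener's blocked accept() returns."""
    with socket.create_connection((host, port), timeout=2):
        pass  # no data is sent; the connection is closed on exit


def run_demo(trips: int = 2) -> dict:
    """Start a listener blocked in accept(), trip it `trips` times and
    report what the listener observed (constructed demo, not PAMSC code)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    srv.listen(5)
    srv.settimeout(0.5)         # lets the loop notice the stop flag
    port = srv.getsockname()[1]
    seen = []                   # (peer address, bytes received) per accept
    stop = threading.Event()

    def listener():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()   # blocks, like a real service
            except socket.timeout:
                continue
            conn.settimeout(1)
            try:
                data = conn.recv(64)  # b"": peer already closed, sent nothing
            except OSError:
                data = b""
            seen.append((peer[0], len(data)))
            conn.close()          # back to the top of the loop: listening again

    t = threading.Thread(target=listener, daemon=True)
    t.start()
    for _ in range(trips):
        trip_accept(port)
    deadline = time.time() + 5
    while len(seen) < trips and time.time() < deadline:
        time.sleep(0.01)
    stop.set()
    t.join()
    srv.close()
    return {"accepts": len(seen), "peers": [p for p, _ in seen],
            "bytes_received": sum(n for _, n in seen),
            "listener_exited_cleanly": not t.is_alive()}
```

On an endpoint this footprint is what a connection monitor sees at PAMSC start or shutdown: a short loopback connection to each listening port, closed immediately, with no payload.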