FreeBSD Errata Notice FreeBSD-EN-24:17.pam_xdg
As a user logs in, if the per-user XDG_RUNTIME_DIR directory already exists, a file descriptor to that directory is leaked in the calling process. This leaked directory file descriptor is inherited by all descendant processes that do not explicitly close it. In particular, it prevents an administrator from using jexec(8) or launching a new jail via jail(8), as both commands use the jail_attach(2) system call, which fails with EPERM if the calling process has an open directory in its file descriptor table, as a security measure to prevent jail escape. This file descriptor leak is normally harmless from a security standpoint as the XDG_RUNTIME_DIR directory's content is usually readable and modifiable only by its owner and its group.
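A diagnostic sketch for the condition described above (an added example, not code from the FreeBSD project and not the erratum's fix): it counts the directory descriptors in a process's descriptor table and shows that a child process sees a directory its parent left open. The function names, the scan limit of 256 and the use of `/` as the sample directory are assumptions made for illustration.

```c
/* Added example: detect directory descriptors held by a process. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Count descriptors in [0, limit) that refer to a directory. */
int count_dir_fds(int limit)
{
    int n = 0;
    for (int fd = 0; fd < limit; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    }
    return n;
}

/* Open `path` and leave it open across fork(), as the leak does. Returns how
 * many more directory descriptors the child holds than the parent held before
 * the open, or -1 on error. */
int leaked_dir_fds_in_child(const char *path, int limit)
{
    int before = count_dir_fds(limit);
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0)
        _exit(count_dir_fds(limit) - before);  /* child reports the delta */
    int status;
    close(fd);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int limit = 256;  /* assumed scan bound, enough for a freshly started process */
    printf("directory fds held now: %d\n", count_dir_fds(limit));
    printf("extra directory fds in child: %d\n",
           leaked_dir_fds_in_child("/", limit));
    return 0;
}
```

A non-zero count from `count_dir_fds` in a login shell is the state in which jail_attach(2) would return EPERM as described above.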