bugzilla-daemon at mindrot.org
2004-May-21 03:08 UTC
[Bug 839] Privilege Separation + PAM locks users out
http://bugzilla.mindrot.org/show_bug.cgi?id=839
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #600 is|0 |1
obsolete| |
------- Additional Comments From dtucker at zip.com.au 2004-05-21 13:08 -------
Created an attachment (id=639)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=639&action=view)
Signal PAM "thread" if SIGCHLD is caused by the privsep slave exitting
Colin Watson pointed out that this may correspond to a Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248125
It appears that what is happening is that the client exits, breaking the TCP
connection. When that happens, the privsep slave exits too, which causes a
SIGCHLD to be delivered to the monitor. The monitor then attempts to waitpid()
on the PAM "thread" which is still alive and blissfully unaware of a
problem
(because nobody told it to die). That waitpid hangs the monitor's cleanup.
The attached patch tests adds a test for this case to the signal handler to
shoot the PAM thread itself if it has to. It the same as the one I sent to
the Debian bug except it resets SIGCHLD to prevent reentering the signal
handler when the second process exits.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-May-21 03:09 UTC
[Bug 839] Privilege Separation + PAM locks users out
http://bugzilla.mindrot.org/show_bug.cgi?id=839
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Component|sshd |PAM support
OS/Version|Linux |All
Version|3.8p1 |3.8.1p1
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-May-21 03:26 UTC
[Bug 839] Privilege Separation + PAM locks users out
http://bugzilla.mindrot.org/show_bug.cgi?id=839
djm at mindrot.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #639| |ok
Status| |
------- Additional Comments From djm at mindrot.org 2004-05-21 13:26 -------
(From update of attachment 639)
Looks sane to me.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-May-24 02:00 UTC
[Bug 839] Privilege Separation + PAM locks users out
http://bugzilla.mindrot.org/show_bug.cgi?id=839
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingO| |822
nThis| |
------- Additional Comments From dtucker at zip.com.au 2004-05-24 12:00 -------
Thanks, patch id #639 has just been committed (to both HEAD and 3.8.1 branch).
William, could you please try either the patch or a snapshot[1] and confirm
whether or not the problem is fixed for you?
[1] ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ or one of its
mirrors.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-May-30 11:06 UTC
[Bug 839] Privilege Separation + PAM locks users out
http://bugzilla.mindrot.org/show_bug.cgi?id=839
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED
------- Additional Comments From dtucker at zip.com.au 2004-05-30 21:06 -------
Mario Holbe reports that the patch has been applied to Debian (unstable) and
fixes the problem for him.
I think this is now fixed, so I'm resolving this bug. If you can reproduce
your
problem with either a current snapshot or 3.8.1p1 with patch id #639 then please
reopen this bug.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.