bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-12 11:52 UTC
[Bug 1487] New: Race condition between monitor and unprivileged child in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1487
Summary: Race condition between monitor and unprivileged child in sshd
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: godji at 300penguins.org
In the v2 protocol, after a connection, the accepting process forks in
privsep_preauth(). The parent executes monitor_child_preauth() to allow
certain privsep requests necessary for authentication. The unprivileged
child runs do_ssh2_kex() followed by do_authentication2().
If KEX is fast enough, do_authentication2() runs before the monitor has a
chance to permit the necessary requests (MONITOR_REQ_PWNAM in particular),
and therefore authentication fails on the server with:
monitor_read: unpermitted request 6
Damien Miller proposed setting up a pipe shared between the monitor and
child, and making the child wait until the monitor end closes, which
it should do after permitting the monitor calls.
I believe the pipe close (granting permission to continue) should be at
the end of monitor.c:mm_answer_sign, right after the line:
monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
Of course, I could be wrong. On the other hand, I have not been able to
figure out where to place the pipe read (waiting for permission) call.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-25 11:26 UTC
[Bug 1487] Race condition between monitor and unprivileged child in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1487
Damien Miller <djm at mindrot.org> changed:
What       |Removed  |Added
----------------------------------------------------------------------------
CC         |         |djm at mindrot.org
Status     |NEW      |RESOLVED
Resolution |         |WORKSFORME
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Actually, I don't see this race at all. The monitor is completely
synchronous - the only way I can see that REQ_PWNAM is refused is if
the KEX skipped a step. IIRC you were using a custom KEX, so you are
probably attempting an illegal transaction in the monitor state
machine.
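The behaviour described in comment #1, as an added example that is not part of the original thread and is not OpenSSH source: a simplified model of a permit-gated, synchronous monitor in which PWNAM is unlocked only by the signing handler, as the report says of mm_answer_sign. PWNAM is numbered 6 to follow the log line in the report; the SIGN number, the table layout and `run_sequence` are assumptions of the model.

```c
#include <stdio.h>
#include <stddef.h>
/* Simplified model, not OpenSSH source. PWNAM is 6 to match the page's
 * "unpermitted request 6" log line; SIGN's number is constructed. */
enum { REQ_SIGN = 4, REQ_PWNAM = 6 };
#define PERMIT 0x1

struct mon_entry { int type, flags; int (*handler)(struct mon_entry *); };

/* Model of monitor_permit(): switch one request type on or off. */
static void permit(struct mon_entry *t, int type, int on)
{
    for (; t->handler != NULL; t++)
        if (t->type == type)
            t->flags = on ? (t->flags | PERMIT) : (t->flags & ~PERMIT);
}

/* Answering the signing request is the step that unlocks PWNAM. */
static int answer_sign(struct mon_entry *t) { permit(t, REQ_PWNAM, 1); return 0; }
static int answer_pwnam(struct mon_entry *t) { (void)t; return 0; }

/* One synchronous step: refuse unless permitted, else run the handler. */
static int monitor_step(struct mon_entry *table, int req)
{
    for (struct mon_entry *e = table; e->handler != NULL; e++)
        if (e->type == req && (e->flags & PERMIT))
            return e->handler(table);
    fprintf(stderr, "monitor_read: unpermitted request %d\n", req);
    return -1;
}

/* Return how many requests a fresh monitor accepts before refusing one. */
int run_sequence(const int *reqs, size_t n)
{
    struct mon_entry table[] = { { REQ_SIGN, PERMIT, answer_sign },
        { REQ_PWNAM, 0, answer_pwnam }, { 0, 0, NULL } };
    size_t i = 0;
    while (i < n && monitor_step(table, reqs[i]) == 0)
        i++;
    return (int)i;
}

int main(void)
{
    /* Constructed request sequences: a full KEX, and one that skips SIGN. */
    const int full_kex[] = { REQ_SIGN, REQ_PWNAM }, skipped[] = { REQ_PWNAM };
    printf("%d %d\n", run_sequence(full_kex, 2), run_sequence(skipped, 1));
    return 0;
}
```

Because each handler finishes, including its permit call, before the next request is read, the ordering of child and monitor execution cannot change the outcome in this model; only the sequence of requests can.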
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:33 UTC
[Bug 1487] Race condition between monitor and unprivileged child in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1487
Damien Miller <djm at mindrot.org> changed:
What       |Removed  |Added
----------------------------------------------------------------------------
Status     |RESOLVED |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-01-24 12:33:43 EST ---
Move resolved bugs to CLOSED after 5.7 release