bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-12 11:52 UTC
[Bug 1487] New: Race condition between monitor and unprivileged child in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1487

           Summary: Race condition between monitor and unprivileged child in sshd
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.0p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: godji at 300penguins.org

In the v2 protocol, after a connection, the accepting process forks in privsep_preauth(). The parent executes monitor_child_preauth() to allow certain privsep requests necessary for authentication. The unprivileged child runs do_ssh2_kex() followed by do_authentication2().

If KEX is fast enough, do_authentication2() runs before the monitor has a chance to permit the necessary requests (MONITOR_REQ_PWNAM in particular), and therefore authentication fails on the server with:

    monitor_read: unpermitted request 6

Damien Miller proposed setting up a pipe shared between the monitor and child, and making the child wait until the monitor end closes, which it should do after permitting the monitor calls.

I believe the pipe close (granting permission to continue) should be at the end of monitor.c:mm_answer_sign, right after the line:

    monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);

Of course, I could be wrong. On the other hand, I have not been able to figure out where to place the pipe read (waiting for permission) call.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
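The pipe gate proposed in the report above, as an added stand-alone illustration that is not OpenSSH code and not part of the bug report: a forked child blocks on a pipe until the parent has updated its permit state and closed the write end. The function name, the shared flag standing in for the monitor's permit state, and the 200 ms delay are all assumptions made for the example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration, not OpenSSH code; every name here is hypothetical.
 * Returns what the child observed: 1 = permitted, 0 = not yet permitted,
 * 2 = read error in the child, -1 = setup error in the parent. */
int child_sees_permit(int use_gate)
{
    int gate[2], status;
    char c;
    ssize_t n;
    pid_t pid;
    /* Shared flag standing in for the monitor's permit state. */
    volatile int *permitted = mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE,
        MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (permitted == MAP_FAILED || pipe(gate) == -1)
        return -1;
    *permitted = 0;
    if ((pid = fork()) == -1)
        return -1;
    if (pid == 0) {                 /* unprivileged child */
        close(gate[1]);             /* our own write end would block EOF */
        if (use_gate) {
            /* Wait for the monitor to close its end: read() returns 0. */
            while ((n = read(gate[0], &c, 1)) > 0)
                ;
            if (n == -1)
                _exit(2);
        }
        _exit(*permitted ? 1 : 0);  /* stand-in for sending the request */
    }
    close(gate[0]);                 /* monitor side */
    usleep(200 * 1000);             /* still busy; child may already run */
    *permitted = 1;                 /* stand-in for monitor_permit(...) */
    close(gate[1]);                 /* release the child */
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    munmap((void *)permitted, sizeof(int));
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("gated: %d\n", child_sees_permit(1));
    printf("ungated: %d\n", child_sees_permit(0));
    return 0;
}
```

The gated call always returns 1; the ungated call normally returns 0 because the child checks the flag before the parent has set it.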
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-25 11:26 UTC
[Bug 1487] Race condition between monitor and unprivileged child in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1487

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Actually, I don't see this race at all. The monitor is completely synchronous - the only way I can see that REQ_PWNAM is refused is if the KEX skipped a step. IIRC you were using a custom KEX, so you are probably attempting an illegal transaction in the monitor state machine.
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:33 UTC
[Bug 1487] Race condition between monitor and unprivileged child in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=1487

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-01-24 12:33:43 EST ---
Move resolved bugs to CLOSED after 5.7 release