bugzilla-daemon at mindrot.org
2015-May-05  08:44 UTC
[Bug 2394] New: Provide a global configuration option to disable ControlPersist
https://bugzilla.mindrot.org/show_bug.cgi?id=2394
            Bug ID: 2394
           Summary: Provide a global configuration option to disable
                    ControlPersist
           Product: Portable OpenSSH
           Version: 6.8p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com
Created attachment 2616
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2616&action=edit
proposed patch
+++ This bug was cloned from Red Hat Bugzilla - Bug 1218351 +++
The new ControlPersist feature undesirably closes fds that are loaded
by an ad hoc LD_PRELOAD application.
Customer would like to be able to remove the ControlPersist feature set
by providing a global configuration option.  This will allow ssh to act
as it did before and not interfere with customer ad hoc LD_PRELOAD app.
e.g.
 if (options.controlpersist != 0) { closefrom(STDERR_FILENO + 1); }
How reproducible:
Write an app that opens some fds
use the export LD_PRELOAD on ssh execution of a scripted session
when the session exits, see if the fds from the LD_PRELOAD app did too
Actual results:
fds closed
Expected results:
with ControlPersist disable option, fds from LD_PRELOAD do not close on
ssh session close
+++ Jakub Jelen +++
This will probably be fixed by checking the ControlPersist configuration
option and not closing the additional file descriptors if it is
disabled.
This solution shouldn't have any drawback and should allow users happy
hacking. Yes, LD_PRELOAD can be dangerous, but I believe they know what
they are doing.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
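The descriptor sweep described in the report above, as an added example that is not OpenSSH source and not part of the original message: a descriptor opened before the sweep (standing in for one opened by a preloaded library) is closed when the sweep runs and survives when the sweep is gated off. The names sweep_fds and fd_survives are hypothetical, and sweep_fds is a portable stand-in for closefrom(3).

```c
/* Added illustration; not OpenSSH source. All names here are hypothetical. */
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Portable stand-in for closefrom(3): close every descriptor >= lowfd. */
static void sweep_fds(int lowfd)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536)
        max = 65536;            /* bound the loop if the limit is unset or huge */
    for (int fd = lowfd; fd < (int)max; fd++)
        (void)close(fd);        /* EBADF on unused slots is expected */
}

/*
 * Returns 1 if a descriptor opened before the sweep is still open afterwards,
 * 0 if it was closed, -1 on failure. The work runs in a child process so the
 * caller's own descriptors are left untouched.
 */
int fd_survives(int control_persist)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Stand-in for a descriptor opened by a preloaded library. */
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0)
            _exit(2);
        if (control_persist != 0)           /* the condition sketched in the report */
            sweep_fds(STDERR_FILENO + 1);
        _exit(fcntl(fd, F_GETFD) != -1 ? 1 : 0);   /* F_GETFD fails once closed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Exit 0 when the sweep closes the fd and the gated-off path keeps it. */
    return (fd_survives(1) == 0 && fd_survives(0) == 1) ? 0 : 1;
}
```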
bugzilla-daemon at mindrot.org
2015-May-18  11:35 UTC
[Bug 2394] Provide a global configuration option to disable ControlPersist
https://bugzilla.mindrot.org/show_bug.cgi?id=2394
Jakub Jelen <jjelen at redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2616|0                           |1
        is obsolete|                            |
--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 2622
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2622&action=edit
possible solution
Sorry. That patch was nonsense. At that time, the options variable is
still empty. It would require moving the block below the reading of
configuration files and parsing of command-line options. But at that time,
it is possible that there is an opened -E logfile which we can't close
and reopen. This is not a problem with syslog.
* We do not open the config file until we open the log file (which makes sense)
* We should close hanging file descriptors before we open the log file
(which is a file descriptor)
dependency hell ...
This would require some more changes in upstream. Proposing to move
this check further and reopen log, if required.
bugzilla-daemon at bugzilla.mindrot.org
2015-Aug-26  13:40 UTC
[Bug 2394] Provide a global configuration option to disable ControlPersist
https://bugzilla.mindrot.org/show_bug.cgi?id=2394
Jakub Jelen <jjelen at redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED
--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
Cleaning up. After realistic consideration I understand that this is
not a good idea, it doesn't make much sense and there should be
a different solution on the other side. Thank you for all your inputs.
bugzilla-daemon at mindrot.org
2021-Apr-23  05:08 UTC
[Bug 2394] Provide a global configuration option to disable ControlPersist
https://bugzilla.mindrot.org/show_bug.cgi?id=2394
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release