On some (most? all?) SysV based systems with STREAMS based ptys,
sshd could acquire a controlling terminal during pty setup when
it pushed the "ptem" module, due to what is probably a bug in
the STREAMS driver that's old enough to vote. Because it was the
privileged sshd's controlling terminal, it was not available for
the user's session, which ended up without one. This is known to
affect at least Solaris <=10, derivatives such as OpenIndiana and
several other SysV systems. See bz#245 for the backstory.
In the we past worked around that by not calling setsid in the
privileged sshd child, which meant it was not a session or process
group leader. This solved controlling terminal problem because sshd
was not eligble to acquire one, but had other side effects such as
not cleaning up helper subprocesses in the SIGALRM handler since it
was not PG leader. Recent cleanups in the signal handler uncovered
this, resulting in the LoginGraceTime timer not cleaning up privsep
unprivileged processes.
This change moves the workaround into the STREAMS pty allocation code,
by allocating a sacrificial pty to act as sshd's controlling terminal
before allocating user ptys, so those are still available for users'
sessions.
On the down side:
- this will waste a pty per ssh connection on affected platforms.
On the up side:
- it makes the process group behaviour consistent between platforms.
- it puts the workaround nearest the code that actually causes the
problem and competely out of the mainline code.
- the workaround is only activated if you use the STREAMS code. If,
say, Solaris 11 has the bug but also a working openpty() it doesn't
matter that we defined SSHD_ACQUIRES_CTTY.
- the workaround is only activated when the fist pty is allocated,
ie in the post-auth privsep monitor. This means there's no risk
of fd leaks to the unprivileged processes, and there's no effect on
sessions that do not allocate a pty.
Based on analysis and work by djm@, ok djm@
The Cygwin-specific pattern match code has a bug. It checks
the size_t value returned by mbstowcs for being < 0. The right
thing to do is to check against (size_t) -1. Fix that.
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
Correct handling of select(2) exceptfds. These should only be consulted
for POLLPRI flagged pfds and not unconditionally converted to POLLERR.
with and ok dtucker@
Darwin's poll(2) implementation is broken. For character-special
devices like /dev/null, it returns POLLNVAL when polled with
POLLIN.
Apparently this is Apple bug 3710161, which is AFAIK not public,
but a websearch will find other OSS projects rediscovering it
periodically since it was first identified in 2005 (!!)
The main change is that Niels Provos kindly agreed to rescind the
BSD license advertising clause, shifting them to the 3-term BSD
license.
This was the last thing in OpenSSH that used the advertising clause.
glibc's closefrom implementation does not work in a chroot when the kernel
does not have close_range. It tries to read from /proc/self/fd and when
that fails dies with an assertion of sorts. Instead, call close_range
ourselves from our compat code and fall back if that fails. bz#3349,
with william.wilson at canonical.com and fweimer at redhat.com.
HP-UX 10.x has a getline() implementation in libc that does not behave
as we expect so don't use it. With correction from Thorsten Glaser and
typo fix from Larkin Nickle.
Users of MD5-hashed password should arrange for ./configure to link
against libxcrypt or similar. Though it would be better to avoid use
of MD5 password hashing entirely, it's arguably worse than DEScrypt.
feedback and ok dtucker@
If we have to increase nfds because startup_pipe[0] is above any of the
descriptors passed in the fd_sets, we also need to add 1 to nfds since
select takes highest FD number plus one. bz#3345 from yaroslav.kuzmin
at vmssoftware.com.
On the second and subsequent calls to pselect the notify_pipe was not
added to the select readset, opening up a race that om G. Christensen
discovered on multiprocessor Solaris <=9 systems.
Also reinitialize notify_pipe if the pid changes. This will prevent a
parent and child from using the same FD, although this is not an issue
in the current structure it might be in future.
On platforms where closefrom returns void (eg glibc>=2.34) the prototype
for closefrom in its compat tests would cause compile errors. Remove
this and have the tests pull in the compat headers in the same way as
the main code. bz#3336.
This is basically the existing notify_pipe kludge from serverloop.c
moved behind a pselect interface. It works by installing a signal
handler that writes to a pipe that the select is watching, then calls
the original handler.
The select call in serverloop will become pselect soon, at which point the
kludge will be removed from thereand will only exist in the compat layer.
Original code by markus, help from djm.
In -portable, defines.h ensures that these are defined, so redefining
potentially causes a warning. We don't just delete it to make any
future code syncs a little but easier. bz#3293.
This ensures that the macros in log.h are defined in the case where
either of --with-solaris-projects or --with-solaris-privs are used
without --with-solaris-contracts. bz#3278.
FreeBSD has login_getpwclass() that does some special magic for
UID=0. Prefer this to login_getclass() as its easier to emulate
the former with the latter.
Based on FreeBSD PR 37416 via Ed Maste; ok dtucker@
Darren Tucker
Corinna Vinschen
Damien Miller
Tim Rice
David Carlier