On most systems poll(2) does not work when the number of FDs is reduced
with setrlimit, so assume it doesn't when cross compiling and we can't
run the test. bz#3398.
call, and terminate sshd if ppoll() returns errno==EINVAL
avoids spin in ppoll when MaxStartups > RLIMIT_NOFILE, reported by
Daniel Micay
feedback/ok deraadt
OpenBSD-Commit-ID: dbab1c24993ac977ec24d83283b8b7528f7c2c15
do_readdir and do_stat paths since the underlying functions now take a const
char *. Patch from vapier at gentoo.org.
OpenBSD-Commit-ID: 9e4d964dbfb0ed683a2a2900711b88e7f1c0297b
These have too many false positives in -Werror tests on the github CI
since we often provide empty stub functions for functionality not needed
for particular configurations.
Should fix sandbox violations on (some? at least i386 and armhf) 32bit
Linux platforms. Patch from chutzpahu at gentoo.org and cjwatson at
debian.org via bz#3396.
POSIX specifies that poll() shall fail if "nfds argument is greater
than {OPEN_MAX}". The setrlimit sandbox sets this to effectively zero
so this causes poll() to fail in the preauth privsep process.
This is likely the underlying cause for the previously observed similar
behaviour of select() on plaforms where it is implement in userspace on
top of poll().
leading slashes. Fixes test failure when user's home dir is / which is
possible in some portable configurations.
OpenBSD-Regress-ID: 53b8c53734f8893806961475c7106397f98d9f63
On some (most? all?) SysV based systems with STREAMS based ptys,
sshd could acquire a controlling terminal during pty setup when
it pushed the "ptem" module, due to what is probably a bug in
the STREAMS driver that's old enough to vote. Because it was the
privileged sshd's controlling terminal, it was not available for
the user's session, which ended up without one. This is known to
affect at least Solaris <=10, derivatives such as OpenIndiana and
several other SysV systems. See bz#245 for the backstory.
In the we past worked around that by not calling setsid in the
privileged sshd child, which meant it was not a session or process
group leader. This solved controlling terminal problem because sshd
was not eligble to acquire one, but had other side effects such as
not cleaning up helper subprocesses in the SIGALRM handler since it
was not PG leader. Recent cleanups in the signal handler uncovered
this, resulting in the LoginGraceTime timer not cleaning up privsep
unprivileged processes.
This change moves the workaround into the STREAMS pty allocation code,
by allocating a sacrificial pty to act as sshd's controlling terminal
before allocating user ptys, so those are still available for users'
sessions.
On the down side:
- this will waste a pty per ssh connection on affected platforms.
On the up side:
- it makes the process group behaviour consistent between platforms.
- it puts the workaround nearest the code that actually causes the
problem and competely out of the mainline code.
- the workaround is only activated if you use the STREAMS code. If,
say, Solaris 11 has the bug but also a working openpty() it doesn't
matter that we defined SSHD_ACQUIRES_CTTY.
- the workaround is only activated when the fist pty is allocated,
ie in the post-auth privsep monitor. This means there's no risk
of fd leaks to the unprivileged processes, and there's no effect on
sessions that do not allocate a pty.
Based on analysis and work by djm@, ok djm@
Darren Tucker
djm@openbsd.org
naddy@openbsd.org
dtucker@openbsd.org
Colin Watson
deraadt@openbsd.org
Damien Miller