From owner-freebsd-bugs@FreeBSD.ORG  Tue Jun 20 21:00:49 2006
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id ED4D916A47C
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 20 Jun 2006 21:00:49 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0F43543D45
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 20 Jun 2006 21:00:45 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k5KL0iPo097763
	for <freebsd-bugs@freefall.freebsd.org>; Tue, 20 Jun 2006 21:00:44 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k5KL0ii4097762;
	Tue, 20 Jun 2006 21:00:44 GMT (envelope-from gnats)
Resent-Date: Tue, 20 Jun 2006 21:00:44 GMT
Resent-Message-Id: <200606202100.k5KL0ii4097762@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	"Eugene M. Kim" <freebsd.org@ab.ote.we.lv>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6D19916A5F6
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 20 Jun 2006 20:56:31 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0910E43D6E
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 20 Jun 2006 20:56:31 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k5KKuUMP010805
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 20 Jun 2006 20:56:30 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k5KKuUuo010804;
	Tue, 20 Jun 2006 20:56:30 GMT (envelope-from nobody)
Message-Id: <200606202056.k5KKuUuo010804@www.freebsd.org>
Date: Tue, 20 Jun 2006 20:56:30 GMT
From: "Eugene M. Kim" <freebsd.org@ab.ote.we.lv>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Cc: 
Subject: bin/99217: pam_ssh(8) waits for a wrong ssh-agent PID at a wrong
	time; leaves a zombie
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2006 21:00:50 -0000


>Number:         99217
>Category:       bin
>Synopsis:       pam_ssh(8) waits for a wrong ssh-agent PID at a wrong time; leaves a zombie
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 20 21:00:44 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Eugene M. Kim
>Release:        7-current
>Organization:
>Environment:
FreeBSD seerajeane.astralblue.net 7.0-CURRENT FreeBSD 7.0-CURRENT #4: Sat Jun 17 13:46:23 PDT 2006     ab@seerajeane.astralblue.net:/home/FreeBSD/build/MAIN/obj/home/FreeBSD/build/MAIN/src/sys/PL-SEERAJEANE  i386
>Description:
When used as a session handler, pam_ssh(8) runs ssh-agent(1) with -s
flag upon session initialization, and reads various SSH_* environment
variable assignments from the agent's output.  Then, upon session close,
it kills the ssh-agent that it started earlier, then waitpid(2)-s for
the child (ssh-agent) process.

Problem #1: The ssh-agent child process that pam_ssh fork-execs exits
immediately after forking itself a new daemon process and printing out
SSH_* varaibles (SSH_AGENT_PID is the PID of this ssh-agent daemon
process, not the child process pam_ssh forked).  pam_ssh does not reap
this child in pam_ssh_start_agent(); the child becomes and remains as a
zombie until the pam_ssh host process exits and PID 1 adopts and reaps
the zombie.

Problem #2: pam_ssh incorrectly waitpid(SSH_AGENT_PID)-s upon session
close, which never succeeds because SSH_AGENT_PID is not for the child
process pam_ssh had forked earlier but for the ssh-agent daemon process
whose parent is PID 1.  It is sufficient just to kill SSH_AGENT_PID at
this point.

Problem #3: The session user may elect to kill $SSH_AGENT_PID when
he/she does not need the agent.  This causes kill(SSH_AGENT_PID) to
return ESRCH ("process not found") upon session close, which should be
handled gracefully.
>How-To-Repeat:
Enable pam_ssh in /etc/pam.d/login; login as an ordinary user at one of
the vtys; run "ps axl | grep defunct".
>Fix:
Apply the following patch from /usr:

-------------------------------- snip --------------------------------
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c	Mon Sep 26 13:33:53 2005
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c.new	Tue May 16 00:04:25 2006
@@ -256,6 +256,7 @@
 pam_ssh_start_agent(pam_handle_t *pamh)
 {
 	int agent_pipe[2];
+	int status;
 	pid_t pid;
 	FILE *f;
 
@@ -294,6 +295,8 @@
 		return (PAM_SYSTEM_ERR);
 	pam_ssh_process_agent_output(pamh, f);
 	fclose(f);
+	if (waitpid(pid, &status, 0) == -1 && errno != ECHILD)
+		return (PAM_SYSTEM_ERR);
 
 	return (PAM_SUCCESS);
 }
@@ -402,7 +405,6 @@
 {
 	const char *ssh_agent_pid;
 	char *end;
-	int status;
 	pid_t pid;
 
 	if ((ssh_agent_pid = pam_getenv(pamh, "SSH_AGENT_PID")) == NULL) {
@@ -415,8 +417,7 @@
 		return (PAM_SESSION_ERR);
 	}
 	openpam_log(PAM_LOG_DEBUG, "killing ssh agent %d", (int)pid);
-	if (kill(pid, SIGTERM) == -1 ||
-	    (waitpid(pid, &status, 0) == -1 && errno != ECHILD))
+	if (kill(pid, SIGTERM) == -1 && errno != ESRCH)
 		return (PAM_SYSTEM_ERR);
 	return (PAM_SUCCESS);
 }
-------------------------------- snip --------------------------------
>Release-Note:
>Audit-Trail:
>Unformatted: