From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Jul 22 18:40:46 2006
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Resent-Date: Sat, 22 Jul 2006 18:40:23 GMT
Resent-Message-Id: <200607221840.k6MIeNgD091962@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "Alex Samorukov"
Message-Id: <1153593565.45750@samm.local>
Date: Sat, 22 Jul 2006 21:39:25 +0300
From: "Alex Samorukov"
To: "FreeBSD gnats submit"
X-Send-Pr-Version: gtk-send-pr 0.4.7
Cc:
Subject: ports/100726: [security/sshit] - Running sshit for a period of time will reach system semaphore limit
X-List-Received-Date: Sat, 22 Jul 2006 18:40:46 -0000

>Number:         100726
>Category:       ports
>Synopsis:       [security/sshit] - Running sshit for a period of time will reach system semaphore limit
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 22 18:40:22 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Alex Samorukov
>Release:        FreeBSD 6.1-RELEASE i386
>Organization:
Shevchenko Didkovskiy and Partners
>Environment:
System: FreeBSD 6.1-RELEASE #2: Wed May 17 22:22:18 EEST 2006 root@samm.local:/usr/obj/usr/src/sys/SAMMKRNL
>Description:
(c) Rong-En Fan, http://rafan.infor.org/patch/sshit.diff

In the code, the author uses a two-level hash, and IPC::Shareable creates a shared memory segment for each of those anonymous objects (the second-level hashes). Those shared memory segments are not removed when sshit exits or when the rule is removed. After running sshit for a period of time, the number of shared memory segments and semaphores reaches the per-process limit; sshit.pl can then not get more shared memory, so it quits. The only solution is to manually remove all shared memory segments and semaphores. This is somewhat a limitation of using IPC::Shareable.

To work around this problem, the patch removes the associated firewall rules when syslogd closes the fd [1], and uses IPC::Shareable->clean_up to remove all shm/sem created by this process. I also set 'destroy' to 1 so the shm tied to %list can be removed. The second hunk fixes a typo for ipfw2.
Due to this typo, an IP in the ipfw2 table cannot be removed. That means that once blocked, the client stays blocked until reboot or until the admin cleans up the table.

[1] If any log files are rotated, newsyslog sends a HUP to syslogd; syslogd then closes *all* currently open fds and reopens them. At that time sshit.pl's stdin is closed, so the main program exits.

>How-To-Repeat:
Restart syslogd 10-15 times and see the result...

>Fix:
diff --new-file -u -r sshit.ori/Makefile sshit/Makefile --- sshit.ori/Makefile Sat Jul 22 21:11:30 2006 +++ sshit/Makefile Sat Jul 22 21:36:41 2006 @@ -7,6 +7,7 @@ PORTNAME= sshit PORTVERSION= 0.5 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= http://anp.ath.cx/sshit/ \ ${MASTER_SITE_LOCAL} diff --new-file -u -r sshit.ori/files/patch-sshit.pl sshit/files/patch-sshit.pl --- sshit.ori/files/patch-sshit.pl Thu Jan 1 03:00:00 1970 +++ sshit/files/patch-sshit.pl Sat Jul 22 21:16:23 2006
@@ -0,0 +1,41 @@ +--- sshit.pl.ori Sat Jul 22 21:12:56 2006 ++++ sshit.pl Sat Jul 22 21:15:18 2006 +@@ -232,7 +232,7 @@ + create => 1, + exclusive => 0, + mode => 0644, +- destroy => 0, ++ destroy => 1, + ); + + $handle = tie %list, 'IPC::Shareable', 'sshi', { %options }; +@@ -266,7 +266,7 @@ + { + system("$IPFW_CMD delete $list{$ip}{rulenr}"); + } elsif ($FIREWALL_TYPE =~ /^ipfw2$/i) { +- system("$IPFW2_CMD table $IPFW_TABLE_NO delete $ip"); ++ system("$IPFW2_CMD table $IPFW2_TABLE_NO delete $ip"); + } elsif ($FIREWALL_TYPE =~ /^pf$/i) { + system("$PFCTL_CMD -t $PF_TABLE -Tdelete $ip"); + } +@@ -337,3 +337,20 @@ + } + } + } ++syslog(LOG_ERR, "fd closed. clean up"); ++foreach $ip (keys %list) { ++ if($FIREWALL_TYPE =~ /^ipfw$/i) ++ { ++ system("$IPFW_CMD delete $list{$ip}{rulenr}"); ++ } elsif ($FIREWALL_TYPE =~ /^ipfw2$/i) { ++ system("$IPFW2_CMD table $IPFW2_TABLE_NO delete $ip"); ++ } elsif ($FIREWALL_TYPE =~ /^pf$/i) { ++ system("$PFCTL_CMD -t $PF_TABLE -Tdelete $ip"); ++ } ++ ##print "janitor removed block rule $list{$ip}{rulenr} for $ip (reset time of $RESET_IP seconds reached)\n"; ++ syslog(LOG_ERR, "main removed block rule $list{$ip}{rulenr} for $ip (reset time of $RESET_IP seconds reached)\n"); ++ delete($list{$ip}); ++} ++ ++# clear all SHM ++IPC::Shareable->clean_up; diff --new-file -u -r sshit.ori/patch-sshit.pl sshit/patch-sshit.pl --- sshit.ori/patch-sshit.pl Thu Jan 1 03:00:00 1970 +++ sshit/patch-sshit.pl Sat Jul 22 21:12:14 2006 
@@ -0,0 +1,41 @@ +--- /usr/ports/security/sshit/work/sshit-0.5/sshit.pl Sat Dec 17 19:40:24 2005 ++++ sshit Sat Apr 29 08:39:06 2006 +@@ -232,7 +232,7 @@ + create => 1, + exclusive => 0, + mode => 0644, +- destroy => 0, ++ destroy => 1, + ); + + $handle = tie %list, 'IPC::Shareable', 'sshi', { %options }; +@@ -266,7 +266,7 @@ + { + system("$IPFW_CMD delete $list{$ip}{rulenr}"); + } elsif ($FIREWALL_TYPE =~ /^ipfw2$/i) { +- system("$IPFW2_CMD table $IPFW_TABLE_NO delete $ip"); ++ system("$IPFW2_CMD table $IPFW2_TABLE_NO delete $ip"); + } elsif ($FIREWALL_TYPE =~ /^pf$/i) { + system("$PFCTL_CMD -t $PF_TABLE -Tdelete $ip"); + } +@@ -337,3 +337,20 @@ + } + } + } ++syslog(LOG_ERR, "fd closed. clean up"); ++foreach $ip (keys %list) { ++ if($FIREWALL_TYPE =~ /^ipfw$/i) ++ { ++ system("$IPFW_CMD delete $list{$ip}{rulenr}"); ++ } elsif ($FIREWALL_TYPE =~ /^ipfw2$/i) { ++ system("$IPFW2_CMD table $IPFW2_TABLE_NO delete $ip"); ++ } elsif ($FIREWALL_TYPE =~ /^pf$/i) { ++ system("$PFCTL_CMD -t $PF_TABLE -Tdelete $ip"); ++ } ++ ##print "janitor removed block rule $list{$ip}{rulenr} for $ip (reset time of $RESET_IP seconds reached)\n"; ++ syslog(LOG_ERR, "main removed block rule $list{$ip}{rulenr} for $ip (reset time of $RESET_IP seconds reached)\n"); ++ delete($list{$ip}); ++} ++ ++# clear all SHM ++IPC::Shareable->clean_up; >Release-Note: >Audit-Trail: >Unformatted:
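Review bot: in the new cleanup loop in files/patch-sshit.pl (the `@@ -337,3 +337,20 @@` region), the `system(...)` return value is never checked, so when the `ipfw`, `ipfw2` or `pfctl` delete fails the entry is still dropped with `delete($list{$ip})` and the host stays blocked with no record of the rule left; test `system(...) == 0` before deleting and log the failure otherwise. The loop also copies the janitor's message verbatim, `syslog(LOG_ERR, "main removed block rule $list{$ip}{rulenr} for $ip (reset time of $RESET_IP seconds reached)\n")`, which is misleading on this path because the rule is removed for the fd-closed exit, not because the reset time elapsed; and both that message and `"fd closed. clean up"` log an expected condition (syslogd reopening its fds on a HUP) at LOG_ERR, where LOG_INFO or LOG_NOTICE fits. Since the block duplicates the janitor's firewall-type dispatch, factoring it into one unblock sub shared by both paths would keep fixes like `IPFW_TABLE_NO` to `IPFW2_TABLE_NO` in a single place.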
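Review bot: the third file, `sshit/patch-sshit.pl` at the top level of the port, is a second copy of `files/patch-sshit.pl` with an older header (`--- /usr/ports/security/sshit/work/sshit-0.5/sshit.pl` / `+++ sshit`); the ports framework applies patches from `files/` only, so this copy is never used and should be dropped from the submission before commit.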
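The leak described in the report comes from storing a nested anonymous hash per IP in an IPC::Shareable-tied hash, so each second-level hash gets its own shm/sem that outlives the process. The following is an added example, not code from sshit or from either patch: it keeps the whole block list in one segment by storing a flat scalar per IP, drops a record only after the firewall command succeeds, and runs clean_up when stdin is closed. The names set_block, get_block, release_block, cleanup_all and the 'sshit-example' syslog ident are assumptions.

```perl
#!/usr/bin/perl
# Added example, not sshit's own code: one shared segment for the whole block
# list (flat scalar per IP, no nested anonymous hash), rule removal checked
# before the record is dropped, and IPC cleanup when stdin goes away.
use strict;
use warnings;
use IPC::Shareable;
use Sys::Syslog qw(:standard);

my $GLUE = 'sshi';                      # 4-char glue key, as in the report's script
my %list;
my $handle = tie %list, 'IPC::Shareable', $GLUE,
    { create => 1, exclusive => 0, mode => 0644, destroy => 1 }
    or die "cannot tie shared block list: $!";

# Record is a plain string "rulenr:epoch"; no second-level segment is created.
sub set_block {
    my ($ip, $rulenr) = @_;
    $handle->shlock;
    $list{$ip} = join ':', $rulenr, time;
    $handle->shunlock;
}

sub get_block {
    my ($ip) = @_;
    return () unless defined $list{$ip};
    return split /:/, $list{$ip}, 2;    # (rulenr, blocked_at)
}

# Drop the record only if the firewall command reported success, so a failed
# delete never leaves an orphan rule behind. $unblock is a hypothetical callback.
sub release_block {
    my ($ip, $unblock) = @_;
    my ($rulenr) = get_block($ip) or return 0;
    return 0 unless $unblock->($ip, $rulenr);
    $handle->shlock;
    delete $list{$ip};
    $handle->shunlock;
    return 1;
}

# Reached on normal exit and when the main loop ends because syslogd closed
# our stdin (newsyslog -> HUP -> syslogd reopens every fd).
sub cleanup_all {
    my ($unblock) = @_;
    release_block($_, $unblock) for keys %list;
    IPC::Shareable->clean_up;           # remove shm/sem this process created
}

openlog('sshit-example', 'pid', 'auth');   # ident is an assumption
# main loop would be: while (my $line = <STDIN>) { ... set_block($ip, $rule) }
syslog('info', 'stdin closed, releasing %d block(s)', scalar keys %list);
cleanup_all(sub { my ($ip, $rulenr) = @_; system('ipfw', 'delete', $rulenr) == 0 });
```

With destroy => 1 and the explicit clean_up, `ipcs -m` and `ipcs -s` should show no segments or semaphores left by the process after it exits, which is the check to run when reproducing the report's syslogd restarts.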