Date: Wed, 06 Mar 2019 06:13:47 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 236312] blacklist issues, related to base sshd Message-ID: <bug-236312-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D236312 Bug ID: 236312 Summary: blacklist issues, related to base sshd Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: cem@freebsd.org I wrote a bit more about it here: https://lists.freebsd.org/pipermail/freebsd-bugs/2019-February/087172.html The salient parts are: 1. blacklistd in FreeBSD has the novel BAD_USER signal (added in fork from NetBSD). It ignores this signal entirely. It should not. (sshd notifies about this signal in multiple locations.) A conservative and easy fix here would be to treat it the same as an AUTHFAIL. 2. I believe I was mistaken about CLOEXEC and confused the distinction betw= een exec and fork. CLOFORK would, indeed, be problematic. CLOEXEC is ok. 3. sendmsg() failure handling and retry is probably broken in a capability environment or chroot/jail. Hope blacklistd started before your daemon! 4. libblacklist is probably initialized later than it should be in FreeBSD sshd. 5. FreeBSD sshd is missing a catch-all notify in cleanup_exit() on code 255. I wanted to file a bug to track these issues before I forgot. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-236312-227>