From nobody@FreeBSD.org  Tue Jun 20 20:56:31 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6D19916A5F6
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 20 Jun 2006 20:56:31 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0910E43D6E
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 20 Jun 2006 20:56:31 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k5KKuUMP010805
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 20 Jun 2006 20:56:30 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k5KKuUuo010804;
	Tue, 20 Jun 2006 20:56:30 GMT
	(envelope-from nobody)
Message-Id: <200606202056.k5KKuUuo010804@www.freebsd.org>
Date: Tue, 20 Jun 2006 20:56:30 GMT
From: "Eugene M. Kim" <freebsd.org@ab.ote.we.lv>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pam_ssh(8) waits for a wrong ssh-agent PID at a wrong time; leaves a zombie
X-Send-Pr-Version: www-2.3

>Number:         99217
>Category:       bin
>Synopsis:       [patch] pam_ssh(8) waits for a wrong ssh-agent PID at a wrong time; leaves a zombie
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 20 21:00:44 GMT 2006
>Closed-Date:    
>Last-Modified:  Fri Nov 24 19:50:07 GMT 2006
>Originator:     Eugene M. Kim
>Release:        7-current
>Organization:
>Environment:
FreeBSD seerajeane.astralblue.net 7.0-CURRENT FreeBSD 7.0-CURRENT #4: Sat Jun 17 13:46:23 PDT 2006     ab@seerajeane.astralblue.net:/home/FreeBSD/build/MAIN/obj/home/FreeBSD/build/MAIN/src/sys/PL-SEERAJEANE  i386
>Description:
When used as a session handler, pam_ssh(8) runs ssh-agent(1) with -s
flag upon session initialization, and reads various SSH_* environment
variable assignments from the agent's output.  Then, upon session close,
it kills the ssh-agent that it started earlier, then waitpid(2)-s for
the child (ssh-agent) process.

Problem #1: The ssh-agent child process that pam_ssh fork-execs exits
immediately after forking itself a new daemon process and printing out
SSH_* varaibles (SSH_AGENT_PID is the PID of this ssh-agent daemon
process, not the child process pam_ssh forked).  pam_ssh does not reap
this child in pam_ssh_start_agent(); the child becomes and remains as a
zombie until the pam_ssh host process exits and PID 1 adopts and reaps
the zombie.

Problem #2: pam_ssh incorrectly waitpid(SSH_AGENT_PID)-s upon session
close, which never succeeds because SSH_AGENT_PID is not for the child
process pam_ssh had forked earlier but for the ssh-agent daemon process
whose parent is PID 1.  It is sufficient just to kill SSH_AGENT_PID at
this point.

Problem #3: The session user may elect to kill $SSH_AGENT_PID when
he/she does not need the agent.  This causes kill(SSH_AGENT_PID) to
return ESRCH ("process not found") upon session close, which should be
handled gracefully.
>How-To-Repeat:
Enable pam_ssh in /etc/pam.d/login; login as an ordinary user at one of
the vtys; run "ps axl | grep defunct".
>Fix:
Apply the following patch from /usr:

-------------------------------- snip --------------------------------
--- src/lib/libpam/modules/pam_ssh/pam_ssh.c	Mon Sep 26 13:33:53 2005
+++ src/lib/libpam/modules/pam_ssh/pam_ssh.c.new	Tue May 16 00:04:25 2006
@@ -256,6 +256,7 @@
 pam_ssh_start_agent(pam_handle_t *pamh)
 {
 	int agent_pipe[2];
+	int status;
 	pid_t pid;
 	FILE *f;
 
@@ -294,6 +295,8 @@
 		return (PAM_SYSTEM_ERR);
 	pam_ssh_process_agent_output(pamh, f);
 	fclose(f);
+	if (waitpid(pid, &status, 0) == -1 && errno != ECHILD)
+		return (PAM_SYSTEM_ERR);
 
 	return (PAM_SUCCESS);
 }
@@ -402,7 +405,6 @@
 {
 	const char *ssh_agent_pid;
 	char *end;
-	int status;
 	pid_t pid;
 
 	if ((ssh_agent_pid = pam_getenv(pamh, "SSH_AGENT_PID")) == NULL) {
@@ -415,8 +417,7 @@
 		return (PAM_SESSION_ERR);
 	}
 	openpam_log(PAM_LOG_DEBUG, "killing ssh agent %d", (int)pid);
-	if (kill(pid, SIGTERM) == -1 ||
-	    (waitpid(pid, &status, 0) == -1 && errno != ECHILD))
+	if (kill(pid, SIGTERM) == -1 && errno != ESRCH)
 		return (PAM_SYSTEM_ERR);
 	return (PAM_SUCCESS);
 }
-------------------------------- snip --------------------------------
>Release-Note:
>Audit-Trail:

From: Stefan Thurner <thurners@nicsys.de>
To: bug-followup@FreeBSD.org, freebsd.org@ab.ote.we.lv
Cc:  
Subject: Re: bin/99217: [patch] pam_ssh(8) waits for a wrong ssh-agent PID
 at a wrong time; leaves a zombie
Date: Fri, 24 Nov 2006 20:42:43 +0100

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
 Positive verified this patch on FreeBSD 6.2-PRERELEASE #0: Wed Nov 15
 22:26:31 CET 2006.
 
 best regards
 - -Stefan
 - --
 GPG-encrypted mail welcome! --> ID:E970FCBE
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.5 (FreeBSD)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
 iD8DBQFFZ0szxNmQVulw/L4RAgNwAKDnCUnqdMVLKcR/kDYO+WRQCadBmQCguh3U
 U4ybMB6i6gQuzFt9vg2slgA=
 =lGvy
 -----END PGP SIGNATURE-----
>Unformatted:
