[Bug 280440] tcpwrappers no longer works with spawning processes in openssh-portable
Date: Thu, 25 Jul 2024 14:35:28 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280440

            Bug ID: 280440
           Summary: tcpwrappers no longer works with spawning processes in
                    openssh-portable
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: mike@sentex.net

We use tcpwrappers to geofence sshd connections. It stopped working with the
latest openssh portable. Basic deny rules work, but spawn does not seem to
execute. Looking at truss output (truss sshd -dddd), one that works looks like
this:

Server listening on 0.0.0.0 port 24.
write(2,"Server listening on 0.0.0.0 port"...,38) = 38 (0x26)
sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigaction(SIGHUP,{ 0x31184e0b0950 SA_RESTART|SA_SIGINFO ss_t },{ SIG_DFL 0x0 ss_t }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigaction(SIGCHLD,{ 0x31184e0b0950 SA_RESTART|SA_SIGINFO ss_t },{ SIG_DFL 0x0 ss_t }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigaction(SIGTERM,{ 0x31184e0b0950 SA_RESTART|SA_SIGINFO ss_t },{ SIG_DFL SA_RESTART ss_t }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigaction(SIGQUIT,{ 0x31184e0b0950 SA_RESTART|SA_SIGINFO ss_t },{ SIG_DFL SA_RESTART ss_t }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
getpid() = 51585 (0xc981)
sigprocmask(SIG_BLOCK,{ SIGHUP|SIGQUIT|SIGTERM|SIGCHLD },{ }) = 0 (0x0)
__sysctl("kern.proc.args.-1",4,0x0,0x0,0x311856637000,96) = 0 (0x0)
ppoll({ 3/POLLIN 4/POLLIN },2,0x0,{ }) = 1 (0x1)
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
accept(4,{ AF_INET 192.1.124.126:48085 },0x311843efd870) = 5 (0x5)
getpeername(5,{ AF_INET 192.1.124.126:48085 },0x311843efd3cc) = 0 (0x0)
getsockname(5,{ AF_INET 64.7.148.55:24 },0x311843efd3cc) = 0 (0x0)
sigprocmask(SIG_BLOCK,0x0,{ }) = 0 (0x0)
open("/etc/hosts.allow",O_RDONLY,0666) = 6 (0x6)
fstat(6,{ mode=-rwxr-xr-x ,inode=80398,size=2796,blksize=32768 }) = 0 (0x0)
read(6,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
close(6) = 0 (0x0)
fork() = 4119 (0x1017)
wait4(-1,0x0,0x0,0x0) ERESTART
SIGNAL 20 (SIGCHLD) code=CLD_EXITED pid=4119 uid=0 status=0
sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },0x0) = 0 (0x0)
wait4(-1,{ EXITED,val=0 },WNOHANG,0x0) = 4119 (0x1017)
wait4(-1,0x311843efc0cc,WNOHANG,0x0) ERR#10 'No child processes'
sigreturn(0x311843efc100) EJUSTRETURN
wait4(-1,0x0,0x0,0x0) ERR#10 'No child processes'
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
fcntl(5,F_GETFL,) = 6 (0x6)
getpid() = 51585 (0xc981)
debug1: fd 5 clearing O_NONBLOCK
write(2,"debug1: fd 5 clearing O_NONBLOCK"...,34) = 34 (0x22)
fcntl(5,F_SETFL,O_RDWR) = 0 (0x0)
pipe2(0x311843efdd88,0) = 0 (0x0)
socketpair(0x1,0x1,0x0,0x311843efdee8) = 0 (0x0)
getpid() = 51585 (0xc981)
debug1: Server will not fork when running in debugging mode.
write(2,"debug1: Server will not fork whe"...,62) = 62 (0x3e)
close(3) = 0 (0x0)

Using 9.8p1 from the ports (July 6), it looks like this:

getpid() = 19884 (0x4dac)
debug3: server_process_channel_timeouts: setting 0 timeouts
write(2,"debug3: server_process_channel_t"...,61) = 61 (0x3d)
getpid() = 19884 (0x4dac)
debug3: channel_clear_timeouts: clearing
write(2,"debug3: channel_clear_timeouts: "...,42) = 42 (0x2a)
setsockopt(4,SOL_SOCKET,SO_KEEPALIVE,0x820630044,4) = 0 (0x0)
getpid() = 19884 (0x4dac)
getpeername(4,{ AF_INET 192.1.124.126:11150 },0x82062f85c) = 0 (0x0)
getsockname(4,{ AF_INET 64.7.148.55:24 },0x82062f85c) = 0 (0x0)
sigprocmask(SIG_BLOCK,0x0,{ }) = 0 (0x0)
open("/etc/hosts.allow",O_RDONLY,0666) = 5 (0x5)
fstat(5,{ mode=-rwxr-xr-x ,inode=80398,size=2796,blksize=32768 }) = 0 (0x0)
read(5,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
getpid() = 19884 (0x4dac)
issetugid() = 0 (0x0)
open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) = 6 (0x6)
fstat(6,{ mode=-rw-r--r-- ,inode=108909,size=65,blksize=32768 }) = 0 (0x0)
fstat(6,{ mode=-rw-r--r-- ,inode=108909,size=65,blksize=32768 }) = 0 (0x0)
read(6,"search sentex.ca\nnameserver 64."...,32768) = 65 (0x41)
read(6,0x828b05d00,32768) = 0 (0x0)
close(6) = 0 (0x0)
issetugid() = 0 (0x0)
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666) = 6 (0x6)
fstat(6,{ mode=-rw-r--r-- ,inode=80332,size=1229,blksize=32768 }) = 0 (0x0)
read(6,"# $FreeBSD: releng/11.1/etc/host"...,32768) = 1229 (0x4cd)
read(6,0x828b05d00,32768) = 0 (0x0)
close(6) = 0 (0x0)

It sees the spawn line, but does not spawn the process, which is a simple shell
script that does a geolookup and adds the IP to a pf table.
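The comparison the reporter made by eye (a fork() following the read of /etc/hosts.allow in the working trace, none in the 9.8p1 trace) can be automated over a truss capture. This is an added example, not part of the bug report or the port; the two sample traces are constructed from the relevant lines of the report's traces, and the awk-based check is an assumption about what a spawn looks like in truss output, not a statement about sshd internals.

```sh
#!/bin/sh
# Added example, not part of the bug report: automate the check the reporter
# made by eye. A tcpwrappers "spawn" rule shows up as a fork() shortly after
# sshd reads /etc/hosts.allow; if the read is there but no fork() follows
# before the next accept(), the spawn never ran. Reads a truss(1) capture on
# stdin. Exit status: 0 = fork() followed the read, 1 = read but no fork(),
# 2 = hosts.allow was never opened.
check_spawn() {
    awk '
        /^open\("\/etc\/hosts\.allow"/ { opened = 1; window = 1; next }
        window && /^accept\(/          { window = 0; next }  # next connection
        window && /^fork\(\)/          { forked = 1; exit }
        END {
            if (!opened) { print "hosts.allow was never opened"; exit 2 }
            if (forked)  { print "spawn ran: fork() after hosts.allow read"; exit 0 }
            print "hosts.allow read but no fork() followed: spawn did not run"
            exit 1
        }
    '
}

# Constructed sample input: the relevant calls from the working trace in the
# report (older port), trimmed to the lines the check looks at.
working_trace() {
cat <<'EOF'
accept(4,{ AF_INET 192.1.124.126:48085 },0x311843efd870) = 5 (0x5)
open("/etc/hosts.allow",O_RDONLY,0666) = 6 (0x6)
read(6,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
close(6) = 0 (0x0)
fork() = 4119 (0x1017)
wait4(-1,{ EXITED,val=0 },WNOHANG,0x0) = 4119 (0x1017)
EOF
}

# Constructed sample input: the same calls from the 9.8p1 trace, where the
# read is followed by resolver work instead of a fork().
broken_trace() {
cat <<'EOF'
getpeername(4,{ AF_INET 192.1.124.126:11150 },0x82062f85c) = 0 (0x0)
open("/etc/hosts.allow",O_RDONLY,0666) = 5 (0x5)
read(5,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) = 6 (0x6)
close(6) = 0 (0x0)
EOF
}

working_trace | check_spawn
broken_trace | check_spawn
```

On a live system, feed it the output of `truss -f sshd -dddd` captured while making one connection; the -f matters because the spawned child is the thing being looked for.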