From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 280440] tcpwrappers no longer works with spawning processes in openssh-portable
Date: Thu, 25 Jul 2024 14:35:28 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280440

Bug ID: 280440
Summary: tcpwrappers no longer works with spawning processes in openssh-portable
Product: Ports & Packages
Version: Latest
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs@FreeBSD.org
Reporter: mike@sentex.net

We use tcpwrappers to geofence sshd connections. It stopped working with the latest openssh portable. Basic deny rules work, but spawn does not seem to execute. Looking at truss output (truss sshd -dddd), one that works looks like this:

Server listening on 0.0.0.0 port 24.
write(2,"Server listening on 0.0.0.0 port"...,38) = 38 (0x26)
sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigaction(SIGHUP,{ 0x31184e0b0950 SA_RESTART|SA_SIGINFO ss_t },{ SIG_DFL 0x0 ss_t }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigaction(SIGCHLD,{ 0x31184e0b0950 SA_RESTART|SA_SIGINFO ss_t },{ SIG_DFL 0x0 ss_t }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigaction(SIGTERM,{ 0x31184e0b0950 SA_RESTART|SA_SIGINFO ss_t },{ SIG_DFL SA_RESTART ss_t }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },{ }) = 0 (0x0)
sigaction(SIGQUIT,{ 0x31184e0b0950 SA_RESTART|SA_SIGINFO ss_t },{ SIG_DFL SA_RESTART ss_t }) = 0 (0x0)
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
getpid() = 51585 (0xc981)
sigprocmask(SIG_BLOCK,{ SIGHUP|SIGQUIT|SIGTERM|SIGCHLD },{ }) = 0 (0x0)
__sysctl("kern.proc.args.-1",4,0x0,0x0,0x311856637000,96) = 0 (0x0)
ppoll({ 3/POLLIN 4/POLLIN },2,0x0,{ }) = 1 (0x1)
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
accept(4,{ AF_INET 192.1.124.126:48085 },0x311843efd870) = 5 (0x5)
getpeername(5,{ AF_INET 192.1.124.126:48085 },0x311843efd3cc) = 0 (0x0)
getsockname(5,{ AF_INET 64.7.148.55:24 },0x311843efd3cc) = 0 (0x0)
sigprocmask(SIG_BLOCK,0x0,{ }) = 0 (0x0)
open("/etc/hosts.allow",O_RDONLY,0666) = 6 (0x6)
fstat(6,{ mode=-rwxr-xr-x ,inode=80398,size=2796,blksize=32768 }) = 0 (0x0)
read(6,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
close(6) = 0 (0x0)
fork() = 4119 (0x1017)
wait4(-1,0x0,0x0,0x0) ERESTART
SIGNAL 20 (SIGCHLD) code=CLD_EXITED pid=4119 uid=0 status=0
sigprocmask(SIG_SETMASK,{ SIGHUP|SIGINT|SIGQUIT|SIGILL|SIGTRAP|SIGABRT|SIGEMT|SIGFPE|SIGKILL|SIGBUS|SIGSEGV|SIGSYS|SIGPIPE|SIGALRM|SIGTERM|SIGURG|SIGSTOP|SIGTSTP|SIGCONT|SIGCHLD|SIGTTIN|SIGTTOU|SIGIO|SIGXCPU|SIGXFSZ|SIGVTALRM|SIGPROF|SIGWINCH|SIGINFO|SIGUSR1|SIGUSR2 },0x0) = 0 (0x0)
wait4(-1,{ EXITED,val=0 },WNOHANG,0x0) = 4119 (0x1017)
wait4(-1,0x311843efc0cc,WNOHANG,0x0) ERR#10 'No child processes'
sigreturn(0x311843efc100) EJUSTRETURN
wait4(-1,0x0,0x0,0x0) ERR#10 'No child processes'
sigprocmask(SIG_SETMASK,{ },0x0) = 0 (0x0)
fcntl(5,F_GETFL,) = 6 (0x6)
getpid() = 51585 (0xc981)
debug1: fd 5 clearing O_NONBLOCK
write(2,"debug1: fd 5 clearing O_NONBLOCK"...,34) = 34 (0x22)
fcntl(5,F_SETFL,O_RDWR) = 0 (0x0)
pipe2(0x311843efdd88,0) = 0 (0x0)
socketpair(0x1,0x1,0x0,0x311843efdee8) = 0 (0x0)
getpid() = 51585 (0xc981)
debug1: Server will not fork when running in debugging mode.
write(2,"debug1: Server will not fork whe"...,62) = 62 (0x3e)
close(3) = 0 (0x0)

Using 9.8p1 from the ports (July 6), it looks like this:

getpid() = 19884 (0x4dac)
debug3: server_process_channel_timeouts: setting 0 timeouts
write(2,"debug3: server_process_channel_t"...,61) = 61 (0x3d)
getpid() = 19884 (0x4dac)
debug3: channel_clear_timeouts: clearing
write(2,"debug3: channel_clear_timeouts: "...,42) = 42 (0x2a)
setsockopt(4,SOL_SOCKET,SO_KEEPALIVE,0x820630044,4) = 0 (0x0)
getpid() = 19884 (0x4dac)
getpeername(4,{ AF_INET 192.1.124.126:11150 },0x82062f85c) = 0 (0x0)
getsockname(4,{ AF_INET 64.7.148.55:24 },0x82062f85c) = 0 (0x0)
sigprocmask(SIG_BLOCK,0x0,{ }) = 0 (0x0)
open("/etc/hosts.allow",O_RDONLY,0666) = 5 (0x5)
fstat(5,{ mode=-rwxr-xr-x ,inode=80398,size=2796,blksize=32768 }) = 0 (0x0)
read(5,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
getpid() = 19884 (0x4dac)
issetugid() = 0 (0x0)
open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) = 6 (0x6)
fstat(6,{ mode=-rw-r--r-- ,inode=108909,size=65,blksize=32768 }) = 0 (0x0)
fstat(6,{ mode=-rw-r--r-- ,inode=108909,size=65,blksize=32768 }) = 0 (0x0)
read(6,"search sentex.ca\nnameserver 64."...,32768) = 65 (0x41)
read(6,0x828b05d00,32768) = 0 (0x0)
close(6) = 0 (0x0)
issetugid() = 0 (0x0)
open("/etc/hosts",O_RDONLY|O_CLOEXEC,0666) = 6 (0x6)
fstat(6,{ mode=-rw-r--r-- ,inode=80332,size=1229,blksize=32768 }) = 0 (0x0)
read(6,"# $FreeBSD: releng/11.1/etc/host"...,32768) = 1229 (0x4cd)
read(6,0x828b05d00,32768) = 0 (0x0)
close(6) = 0 (0x0)

It sees the spawn line, but does not spawn the process, which is a simple shell script that does a geolookup and adds the IP to a pf table.
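
One way to check a truss trace for the behaviour described in the report, as an added example that is not part of the original message: for each /etc/hosts.allow lookup it reports whether a successful fork-family call follows. The name hosts_allow_forks is hypothetical and the sample lines are abridged from the two traces above. A missing fork only points at a skipped spawn when the rule that matched actually carries a spawn option.

```shell
#!/bin/sh
# Added example, not part of the bug report: classify each /etc/hosts.allow
# lookup in `truss sshd -dddd` output as followed by a fork or not.
# hosts_allow_forks is a hypothetical helper name.
hosts_allow_forks() {
    awk '
        function report() {
            if (n > 0)
                printf "lookup %d: %s\n", n, (pid != "" ? "fork pid=" pid : "no fork")
        }
        { sub(/^ *[0-9]+: /, "") }   # drop the "PID: " prefix that truss -f adds
        # libwrap opens hosts.allow for each connection it checks
        index($0, "open(\"/etc/hosts.allow\"") == 1 { report(); n++; pid = ""; next }
        # a spawn option that fires shows up as a successful fork-family call
        n > 0 && pid == "" && /^(fork|vfork|rfork|pdfork)\(/ {
            # success looks like "fork() = 4119 (0x1017)"; failures carry ERR#
            if (match($0, /= [0-9]+ /))
                pid = substr($0, RSTART + 2, RLENGTH - 3)
        }
        END { report() }
    '
}

# Sample: lines abridged from the two traces in the report
# (the working sshd first, then 9.8p1), with quoted-printable decoded.
SAMPLE_TRACE='open("/etc/hosts.allow",O_RDONLY,0666) = 6 (0x6)
read(6,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
close(6) = 0 (0x0)
fork() = 4119 (0x1017)
wait4(-1,0x0,0x0,0x0) ERESTART
open("/etc/hosts.allow",O_RDONLY,0666) = 5 (0x5)
read(5,"\nsshd : ALL : spawn /usr/loca"...,32768) = 2796 (0xaec)
issetugid() = 0 (0x0)
open("/etc/resolv.conf",O_RDONLY|O_CLOEXEC,0666) = 6 (0x6)'

printf '%s\n' "$SAMPLE_TRACE" | hosts_allow_forks
```

On a live system the same function can be fed directly, for example `truss sshd -dddd 2>&1 | hosts_allow_forks`.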