[PATCH] casperd should detach from controlling session
Pawel Jakub Dawidek
pjd at FreeBSD.org
Mon Mar 17 09:24:45 UTC 2014
On Thu, Mar 13, 2014 at 02:08:36PM -0700, Xin Li wrote:
> Hi, Pawel,
>
> I have noticed that casperd's child (zygote) would still use the
> controlling session from the parent. This can be observed by running
> ps -ax on systems running casperd, where the child has a spurious
> console associated.
>
> The attached patch would fix it. May I commit it against -HEAD?
Hmm, daemon(3) does call setsid(2) already... Are you sure casperd
wasn't running with -F?
> By the way, the zygote child also closes file descriptor 4 twice
> (harmless; it's either sp[0] or the /dev/null which is closed before
> starting zygote_main, or before returning from stdnull()). Based on
> the construct of the code, I believe both close() calls can be omitted.
> If this makes sense I'll submit a new patch.
I'd prefer to leave stdnull() as-is. I open /dev/null there and I close
it in the same function. Not closing it there would make it confusing
and would make function reuse error-prone.
If 'sock' has an even higher number we will call close(2) on non-open
descriptors, but this is because there is no closerange(from, to)
syscall.
If you meant something else, do send me the patch and I can comment
further.
> Index: sbin/casperd/zygote.c
> ===================================================================
> --- sbin/casperd/zygote.c (revision 263112)
> +++ sbin/casperd/zygote.c (working copy)
> @@ -63,6 +63,9 @@ stdnull(void)
> if (fd == -1)
> errx(1, "Unable to open %s", _PATH_DEVNULL);
>
> + if (setsid() == -1)
> + errx(1, "Unable to detach from session");
> +
> if (dup2(fd, STDIN_FILENO) == -1)
> errx(1, "Unable to cover stdin");
> if (dup2(fd, STDOUT_FILENO) == -1)
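Review bot: the new setsid() check placed before the first dup2() reports failure with errx(), which drops errno, so the message cannot say why detaching failed; err(1, "Unable to detach from session") would print the reason (setsid(2) fails with EPERM when the caller is already a process group leader). The call also sits inside stdnull(), which per the surrounding lines only covers the standard descriptors with /dev/null, so session detachment becomes an undocumented side effect of that helper; consider moving it to the caller or adding a comment explaining why the zygote needs its own session.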
--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://mobter.com
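One way to check the question raised in this thread, whether a forked child stays in its parent's session unless it calls setsid(2) itself. This is an added example, not casperd code; `probe_child_session` and `struct session_report` are hypothetical names, and the forked child only stands in for the zygote.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <unistd.h>

struct session_report {
    pid_t pid;   /* child's pid */
    pid_t sid;   /* child's session id, from getsid(0) */
};

/* Fork a child, optionally call setsid() in it, and report the session
 * it ends up in. Returns 0 on success, -1 on any failure. */
int probe_child_session(int call_setsid, struct session_report *out)
{
    int pfd[2], status;
    ssize_t n;
    pid_t pid;

    if (pipe(pfd) == -1)
        return -1;
    if ((pid = fork()) == -1) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (pid == 0) {
        struct session_report r;
        close(pfd[0]);
        /* A freshly forked child is never a process group leader,
         * so setsid() is expected to succeed here. */
        if (call_setsid && setsid() == -1)
            _exit(1);
        r.pid = getpid();
        r.sid = getsid(0);
        _exit(write(pfd[1], &r, sizeof(r)) == (ssize_t)sizeof(r) ? 0 : 1);
    }
    close(pfd[1]);
    n = read(pfd[0], out, sizeof(*out));
    close(pfd[0]);
    if (waitpid(pid, &status, 0) == -1 || n != (ssize_t)sizeof(*out))
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    struct session_report r;
    for (int s = 0; s <= 1; s++)
        if (probe_child_session(s, &r) == 0)
            printf("setsid=%d pid=%d sid=%d parent_sid=%d\n", s,
                (int)r.pid, (int)r.sid, (int)getsid(0));
    return 0;
}
```

A child that reports its own pid as its session id is a session leader with no controlling terminal; one that reports the parent's session id still shares the parent's session, which is what the spurious console in the ps output would indicate.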