Date: Mon, 17 Mar 2014 10:26:37 +0100 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: d@delphij.net Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: Re: [PATCH] casperd should detach from controlling session Message-ID: <20140317092635.GA1645@garage.freebsd.pl> In-Reply-To: <53221E54.1030600@delphij.net> References: <53221E54.1030600@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--wac7ysb48OaltWcw Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Mar 13, 2014 at 02:08:36PM -0700, Xin Li wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 >=20 > Hi, Pawel, >=20 > I have noticed that casperd's child (zygote) would still use > controlling session from parent. This can be observed by running ps > - -ax on systems running casperd, where the child have a spurious > console associated. >=20 > The attached patch would fix it. May I commit it against -HEAD? Hmm, daemon(3) does call setsid(2) already... Are you sure casperd wasn't running with -F? > By the way, the zygote child also closes file descriptor 4 twice > (harmless; it's either sp[0] or the /dev/null which is closed before > starting zygote_main, or before returning from stdnull(). Based on > the construct of the code, I believe both close() can be omitted. If > this makes sense I'll submit a new patch. I'd prefer to leave stdnull() as-is. I open /dev/null there and I close it in the same function. Not closing it there would make it confusing and would make function reuse error-prone. If 'sock' has even higher number we will call close(2) on non-open descriptors, but this is because there is no closerange(from, to) syscall. If you meant something else, do send me the patch and I can comment further. > Index: sbin/casperd/zygote.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > --- sbin/casperd/zygote.c (revision 263112) > +++ sbin/casperd/zygote.c (working copy) > @@ -63,6 +63,9 @@ stdnull(void) > if (fd =3D=3D -1) > errx(1, "Unable to open %s", _PATH_DEVNULL); > =20 > + if (setsid() =3D=3D -1) > + errx(1, "Unable to detach from session"); > + > if (dup2(fd, STDIN_FILENO) =3D=3D -1) > errx(1, "Unable to cover stdin"); > if (dup2(fd, STDOUT_FILENO) =3D=3D -1) --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://mobter.com --wac7ysb48OaltWcw Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iEYEARECAAYFAlMmv8sACgkQForvXbEpPzRIBQCgx+4s/vLHhrWq1ljSWmpN9+w3 A+EAniOzeuOJh/G97lJdUiUBpriD4ZQa =h4VG -----END PGP SIGNATURE----- --wac7ysb48OaltWcw--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140317092635.GA1645>