Bug 1570907

Summary: Polkit leaks zombies following timeout events
Product: Red Hat Enterprise Linux 7 Reporter: Kyle Walker <kwalker>
Component: polkitAssignee: Polkit Maintainers <polkit-devel>
Status: CLOSED ERRATA QA Contact: Frantisek Sumsal <fsumsal>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.5CC: abetkike, bhull, daherrma, dkochuka, dramayan, fsumsal, jrybar, polkit-devel, qguo
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: polkit-0.112-16.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1616282 (view as bug list) Environment:
Last Closed: 2018-10-30 10:30:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1616282    

Description Kyle Walker 2018-04-23 16:54:28 UTC 
Description of problem:
  The polkit daemon leaks processes zombie processes after timeout events. This results in a large number of Zombie processes building up and can result in system failures if not addressed.

Version-Release number of selected component (if applicable):
  polkit-0.112-14.el7.x86_64

How reproducible:
  Easily

Steps to Reproduce:
1. Add the following contents to a new /etc/polkit-1/rules.d/51-test.rules file

    polkit.addRule(function(action, subject) {          
        var res = polkit.spawn(['/usr/bin/sleep', '60']);                                                    
        polkit.log(res);      
        if (res == '')        
            return null;      
    });                       


2. Stop polkit

    # systemctl stop polkit

3. As a non-root user, issue a "systemctl restart test" which just triggers the polkit authentication configuration above.

    $ systemctl restart test


Actual results:
  The sleep processes are not reaped, leaving them to build up as observed in the following output:

    # ps --forest -p $(pidof polkitd) --ppid $(pidof polkitd)| head
      PID TTY          TIME CMD
      621 ?        00:00:03 polkitd
     3351 ?        00:00:00  \_ sleep <defunct>
     3468 ?        00:00:00  \_ sleep <defunct>
     3494 ?        00:00:00  \_ sleep <defunct>
     3520 ?        00:00:00  \_ sleep <defunct>
     3546 ?        00:00:00  \_ sleep <defunct>
     3572 ?        00:00:00  \_ sleep <defunct>
     3598 ?        00:00:00  \_ sleep <defunct>
     3625 ?        00:00:00  \_ sleep <defunct>



Expected results:
  Zombie sleep processes are properly reaped.


Additional info:
  This issue is observable in the latest Fedora releases and has been reported in the upstream "PolicyKit" project bug tracker:

    106021 – Polkitd: The utils_spawn_data_free reap timeout subprocess did not work resulting in a large number of zombie processes 
    https://bugs.freedesktop.org/show_bug.cgi?id=106021
Comment 15 errata-xmlrpc 2018-10-30 10:30:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3141