Bug 27749

Summary: programs run in %post have open filedescriptors
Product: [Retired] Red Hat Linux
Reporter: Damien Miller <djm>
Component: openssh
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 7.0
CC: dr, jarno.huuskonen, pekkas
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-02-17 15:55:14 UTC

Description Damien Miller 2001-02-15 06:50:59 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17-4 i686)


Programs run in the %post section of a spec during an upgrade have multiple
open file descriptors, including ones to the rpm database and the original
rpm file. I haven't tested whether the fds are writeable, but this may be a
serious security problem if they are: e.g., network daemons which don't close
all open fds before forking and passing control to a user may inherit these
fds.

Reproducible: Always
Steps to Reproduce:
1. Upgrade the openssh-server package (which does a /etc/rc.d/init.d/sshd restart in %post)
2. ls -l /proc/`cat /var/run/sshd.pid`/fd

Actual Results:  [root@xenon /root]#  ls -l /proc/`cat /var/run/sshd.pid`/fd
total 0
lrwx------    1 root     root           64 Feb 15 16:57 0 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:57 1 -> /dev/null
lr-x------    1 root     root           64 Feb 15 16:57 11 -> /home/djm/rpm/RPMS/i386/openssh-server-2.3.2p1-0.4.i386.rpm
lrwx------    1 root     root           64 Feb 15 16:57 12 -> /dev/pts/9 (deleted)
lrwx------    1 root     root           64 Feb 15 16:57 2 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:57 3 -> socket:[261706]


Expected Results:  [root@xenon /root]#  ls -l /proc/`cat /var/run/sshd.pid`/fd
total 0
lrwx------    1 root     root           64 Feb 15 16:58 0 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:58 1 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:58 2 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:58 3 -> socket:[449209]


[root@xenon /root]# rpm -q rpm
rpm-4.0-4

Comment 1 Damien Miller 2001-02-15 06:55:24 UTC
I stand corrected - rpm-4 _doesn't_ leave a fd open to the rpm database, but
rpm-3.0.5-9.6x does:

[root@mothra /root]# ls -l /proc/15356/fd
total 0
lrwx------    1 root     root           64 Feb 15 17:02 0 -> /dev/null
lrwx------    1 root     root           64 Feb 15 17:02 1 -> /dev/null
lrwx------    1 root     root           64 Feb 15 17:02 12 -> /dev/pts/0 (deleted)
lrwx------    1 root     root           64 Feb 15 17:02 2 -> /dev/null
lr-x------    1 root     root           64 Feb 15 17:02 3 -> /home/djm/rpm/RPMS/i386/openssh-server-2.3.2p1-0.4.i386.rpm
lrwx------    1 root     root           64 Feb 15 17:02 4 -> /var/lib/rpm/packages.rpm
lrwx------    1 root     root           64 Feb 15 17:02 5 -> socket:[128297]


Comment 2 Jeff Johnson 2001-02-15 21:14:01 UTC
This problem needs to be fixed in the openssh-server package, as there are other
ways that the daemon can inherit file descriptors if invoked from the command
line; it's not only from upgrading using rpm.

Changing component.

Comment 3 Damien Miller 2001-02-15 23:25:36 UTC
I disagree. 

While it doesn't really have any adverse effects on OpenSSH (it closes fds after
forking), it is not hygienic and may affect other programs.

It can also have unpleasant effects such as not being able to unmount
filesystems because fds to rpm files are left open.


Comment 4 Pekka Savola 2001-02-17 15:55:09 UTC
This has been reported (with sshd) in the past, see: #18988

Smells like something that should be fixed in rpm in a generic fashion (rather than all init.d/* programs).


Comment 5 Nalin Dahyabhai 2001-03-23 16:52:40 UTC
Fixed in initscripts-5.69 and later.
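
The /proc/<pid>/fd check from the steps to reproduce, written as a reusable audit. This is an added example, not part of the original report or of rpm, initscripts or OpenSSH; the function names, the SAMPLE table (transcribed from the listing in Comment 1) and the rule that a freshly restarted daemon should hold only stdio plus sockets or pipes are assumptions of the example.

```python
import os
import sys

# Constructed sample: fd -> link target, transcribed from the rpm-3.0.5
# listing in Comment 1 of this report.
SAMPLE = {
    0: "/dev/null", 1: "/dev/null", 2: "/dev/null",
    3: "/home/djm/rpm/RPMS/i386/openssh-server-2.3.2p1-0.4.i386.rpm",
    4: "/var/lib/rpm/packages.rpm",
    5: "socket:[128297]",
    12: "/dev/pts/0 (deleted)",
}

# Assumption of this example: beyond stdio, a freshly restarted daemon should
# hold only kernel objects (sockets, pipes), not paths opened by its parent.
KERNEL_OBJECTS = ("socket:", "pipe:", "anon_inode:")


def read_fd_links(pid):
    """Return {fd: target} for a live process from /proc/<pid>/fd (Linux)."""
    fd_dir = f"/proc/{pid}/fd"
    links = {}
    for name in os.listdir(fd_dir):
        try:
            links[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed while we were listing
    return links


def leaked_fds(links, allowed_prefixes=()):
    """Return [(fd, target)] for path-backed descriptors above stdio."""
    findings = []
    for fd, target in sorted(links.items()):
        if fd <= 2 or target.startswith(KERNEL_OBJECTS):
            continue
        if target.startswith(tuple(allowed_prefixes)):
            continue  # e.g. the daemon's own log directory
        findings.append((fd, target))
    return findings


if __name__ == "__main__":
    # Usage: script.py PID (with no PID, audit the constructed sample)
    fds = read_fd_links(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for fd, target in leaked_fds(fds):
        print(f"fd {fd} -> {target}")
```

Run it as root against the daemon's pid right after a package upgrade; a daemon that keeps its own files open needs those paths passed in allowed_prefixes.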