Red Hat Bugzilla – Full Text Bug Listing
|Summary:||OpenSSH's sshd doesn't daemonize itself properly|
|Product:||[Fedora] Fedora||Reporter:||James Ralston <ralston>|
|Component:||openssh||Assignee:||Tomas Mraz <tmraz>|
|Status:||CLOSED UPSTREAM||QA Contact:||Brian Brock <bbrock>|
|Version:||rawhide||CC:||bressers, k.georgiou, peak|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2007-09-24 14:57:11 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description James Ralston 2002-03-15 02:13:21 EST
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020311 When sshd starts, it closes file descriptors 0, 1, and 2, but doesn't bother to close any addition file descriptors it may have inherited. This is a bug; any security conscious program should close *all* inherited fds upon starting. (See [Stevens] section 13.3.) In the past, there have been several programs, including sendmail, that could be exploited by opening all but a couple fds and then starting the program and having it croak due to an unexpected shortage of descriptors. In some cases, it was possible to turn this into a root level exploit. I don't know if OpenSSH can be exploited in this manner, but the bug should be fixed before someone decides to see if it can. I already tried to get the OpenSSH developers to fix this bug, but they refused; see http://bugzilla.mindrot.org/show_bug.cgi?id=3 for the whole sad exchange. The attached patch fixes this bug, as well as correcting a few other issues with the way in which sshd daemonizes itself. If you add it as Patch10 to the recent openssh-3.1p1-2.src.rpm errata, it will apply cleanly. References: [Stevens]: Advanced Programming in the UNIX Environment, W. Richard Stevens, Addison-Wesley, 1992.
Comment 1 James Ralston 2002-03-15 02:15:10 EST
Created attachment 48564 [details] patch to make sshd daemonize itself properly
Comment 2 Alan Cox 2002-12-18 15:48:11 EST
Still true with current sshd It still doesn't seem to pose a problem in the Red Hat cases for two reasons: 1. Our sshd is normally run from scripts at boot up 2. Our login does close fds so seems to avoid leaks I still think this is a good idea and good practice
Comment 3 James Ralston 2003-01-20 02:26:11 EST
Actually, this *has* caused a problem before: rpm used to have a bug where scripts (%post, %postun, etc.) inherited fds from rpm. As a result, running "rpm -Uvh openssh-server*.rpm" could hang, because the openssh-server package contains a %post script to perform "/sbin/service sshd condrestart", and the new sshd process wound wind up inheriting a bogus fd. I agree with the OpenSSH guys, in that in the above situation, the true bug lies with the program (rpm) that never bothered to close its extra fds before forking a child. But I disagree with the OpenSSH guys, in that I believe that *any* program that is security-sensitive in any way absolutely needs to sanitize the environment it inherits, regardless of whether that sanitizing winds up hiding a bug in some other program. (And the fd table definitely counts as an inherited environment.)
Comment 4 Mike A. Harris 2003-03-05 06:36:27 EST
Some additional info: http://marc.theaimsgroup.com/?l=bind9-workers&m=103112021703700&w=2
Comment 5 Josh Bressers 2004-06-18 16:55:15 EDT
Is this issue still relevant?
Comment 6 James Ralston 2004-06-25 20:15:59 EDT
Does OpenSSH still fail to properly daemonize itself? Yes. Will upstream accept a patch to fix it? No. Why? Because they don't view it as a potential security problem. I do. (There have been cases in the past where programs could be exploited by filling or mostly-filling the fd table before exec()ing them.) Paul Vixie's point that _SC_OPEN_MAX can be a huge number (2**24-1) is a valid one, but after some thought, I believe the best way to address that is to first attempt to use /proc/self/fd to obtain the list of open file descriptors. If /proc/self/fd is unavailable, then fall back to doing brute-force close() calls up to the value of _SC_OPEN_MAX. I can supply a patch to implement the behavior in the previous paragraph. The issue for you is to choose what you feel is the lesser of two evils: maintaining a patch that upstream will never accept, or tolerating sloppy coding that could lead to a security vulnerability in the future.
Comment 7 Tomas Mraz 2005-01-26 12:00:01 EST
I don't see how could the sshd be exploited by filling it's open fds table - it's not a setuid binary. The different situation would be if the sshd would be started from an buggy application as in the comment #3 and the opened fd was exploited somehow by a connecting client. But even then it would be the responsibility of the buggy exec'er. But I think I could accept a patch which would close the fds from /proc/self/fd if available (without the brute force fallback).
Comment 8 Tomas Mraz 2005-02-03 05:44:39 EST
*** Bug 59382 has been marked as a duplicate of this bug. ***
Comment 9 James Ralston 2005-02-03 15:59:07 EST
The problem is that there might be situations in which an attacker could contrive to have sshd [re]started from a buggy application. In that case, the risk isn't so much a buggy exec'er as it is a malicious exec'er. I actually agree with the OpenSSH guys in that sshd shouldn't coddle buggy exec'er. But sshd is an extremely security-sensitive application. It pays to be paranoid, even if doing so has the undesired side-effect of coddling buggy exec'ers. If you'll accept a patch to close open fds based on /proc information, then I'll provide it. But there's no way the OpenSSH guys will ever accept such a patch.
Comment 10 Tomas Mraz 2005-09-08 11:41:32 EDT
I will consider this for FC5.
Comment 11 Tomas Mraz 2007-09-24 14:57:11 EDT
This should be fixed upstream.