Bug 27749 - programs run in %post have open filedescriptors
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssh
Version: 7.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: David Lawrence
Keywords: Security
Reported: 2001-02-15 06:50 UTC by Damien Miller
Modified: 2007-04-18 16:31 UTC (History)
Last Closed: 2001-02-17 15:55:14 UTC



Description Damien Miller 2001-02-15 06:50:59 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17-4 i686)


Programs run in the %post section of a spec during an upgrade have multiple
open file descriptors, including ones to the rpm database and the original
rpm file. I haven't tested whether the fds are writeable, but this may be a
serious security problem if they are e.g. network daemons which don't close
all open fds before forking and passing control to a user may inherit these
fds.

Reproducible: Always
Steps to Reproduce:
1. Upgrade the openssh-server package (which does a /etc/rc.d/init.d/sshd restart in %post)
2. ls -l /proc/`cat /var/run/sshd.pid`/fd

	

Actual Results:
[root@xenon /root]# ls -l /proc/`cat /var/run/sshd.pid`/fd
total 0
lrwx------    1 root     root           64 Feb 15 16:57 0 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:57 1 -> /dev/null
lr-x------    1 root     root           64 Feb 15 16:57 11 -> /home/djm/rpm/RPMS/i386/openssh-server-2.3.2p1-0.4.i386.rpm
lrwx------    1 root     root           64 Feb 15 16:57 12 -> /dev/pts/9 (deleted)
lrwx------    1 root     root           64 Feb 15 16:57 2 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:57 3 -> socket:[261706]


Expected Results:
[root@xenon /root]# ls -l /proc/`cat /var/run/sshd.pid`/fd
total 0
lrwx------    1 root     root           64 Feb 15 16:58 0 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:58 1 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:58 2 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:58 3 -> socket:[449209]


[root@xenon /root]# rpm -q rpm
rpm-4.0-4

Comment 1 Damien Miller 2001-02-15 06:55:24 UTC
I stand corrected - rpm-4 _doesn't_ leave a fd open to the rpm database, but
rpm-3.0.5-9.6x does:

[root@mothra /root]# ls -l /proc/15356/fd
total 0
lrwx------    1 root     root           64 Feb 15 17:02 0 -> /dev/null
lrwx------    1 root     root           64 Feb 15 17:02 1 -> /dev/null
lrwx------    1 root     root           64 Feb 15 17:02 12 -> /dev/pts/0 (deleted)
lrwx------    1 root     root           64 Feb 15 17:02 2 -> /dev/null
lr-x------    1 root     root           64 Feb 15 17:02 3 -> /home/djm/rpm/RPMS/i386/openssh-server-2.3.2p1-0.4.i386.rpm
lrwx------    1 root     root           64 Feb 15 17:02 4 -> /var/lib/rpm/packages.rpm
lrwx------    1 root     root           64 Feb 15 17:02 5 -> socket:[128297]


Comment 2 Jeff Johnson 2001-02-15 21:14:01 UTC
This problem needs to be fixed in the openssh-server package, as there are other
ways that the daemon can inherit file descriptors if invoked from the command
line; it's not only from upgrading using rpm.

Changing component.

Comment 3 Damien Miller 2001-02-15 23:25:36 UTC
I disagree. 

While it doesn't really have any adverse effects on OpenSSH (it closes fds after
forking), it is not hygienic and may affect other programs.

It can also have unpleasant effects such as not being able to unmount
filesystems because fds to rpm files are left open.


Comment 4 Pekka Savola 2001-02-17 15:55:09 UTC
This has been reported (with sshd) in the past, see: #18988

Smells like something that should be fixed in rpm in a generic fashion (rather than all init.d/* programs..).


Comment 5 Nalin Dahyabhai 2001-03-23 16:52:40 UTC
Fixed in initscripts-5.69 and later.

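The manual check from the report's steps to reproduce (listing /proc/PID/fd for the restarted daemon) can be scripted. This is an added example, not part of the original bug thread and not code from rpm, openssh or initscripts: the function names and the policy (fds 0-2, sockets, pipes and anon inodes are expected; anything else is reported) are assumptions, and the sample input is the report's own "Actual Results" listing with its wrapped lines joined.

```shell
#!/bin/sh
# Added example (not from the bug thread): flag descriptors a daemon inherited.
# leaked_fds reads `ls -l /proc/PID/fd` output on stdin and prints "fd target"
# for every descriptor outside this example's assumed policy:
#   - fds 0-2 are expected (stdin/stdout/stderr)
#   - sockets, pipes and anon inodes are treated as the daemon's own
#   - anything else (regular files, ttys, deleted paths) is reported
leaked_fds() {
    awk '
        / -> / {
            arrow  = index($0, " -> ")
            target = substr($0, arrow + 4)   # may contain spaces, e.g. "(deleted)"
            n      = split(substr($0, 1, arrow - 1), f, " ")
            fd     = f[n]                    # last field before the arrow
            if (fd !~ /^[0-9]+$/) next
            if (fd + 0 <= 2)      next
            if (target ~ /^(socket|pipe|anon_inode):/) next
            print fd, target
        }'
}

# Audit a live process, e.g.: audit_pid "$(cat /var/run/sshd.pid)"
audit_pid() {
    ls -l "/proc/$1/fd" | leaked_fds
}

# The report's "Actual Results" listing, wrapped lines joined.
sample_listing() {
    cat <<'EOF'
total 0
lrwx------    1 root     root           64 Feb 15 16:57 0 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:57 1 -> /dev/null
lr-x------    1 root     root           64 Feb 15 16:57 11 -> /home/djm/rpm/RPMS/i386/openssh-server-2.3.2p1-0.4.i386.rpm
lrwx------    1 root     root           64 Feb 15 16:57 12 -> /dev/pts/9 (deleted)
lrwx------    1 root     root           64 Feb 15 16:57 2 -> /dev/null
lrwx------    1 root     root           64 Feb 15 16:57 3 -> socket:[261706]
EOF
}

# Prints the two inherited descriptors (the .rpm file and the deleted pty).
sample_listing | leaked_fds
```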
