Red Hat Bugzilla – Bug 61198
OpenSSH's sshd doesn't daemonize itself properly
Last modified: 2007-11-30 17:10:30 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020311
When sshd starts, it closes file descriptors 0, 1, and 2, but doesn't bother to
close any addition file descriptors it may have inherited. This is a bug; any
security conscious program should close *all* inherited fds upon starting. (See
[Stevens] section 13.3.)
In the past, there have been several programs, including sendmail, that could be
exploited by opening all but a couple fds and then starting the program and
having it croak due to an unexpected shortage of descriptors. In some cases, it
was possible to turn this into a root level exploit.
I don't know if OpenSSH can be exploited in this manner, but the bug should be
fixed before someone decides to see if it can.
I already tried to get the OpenSSH developers to fix this bug, but they refused;
see http://bugzilla.mindrot.org/show_bug.cgi?id=3 for the whole sad exchange.
The attached patch fixes this bug, as well as correcting a few other issues with
the way in which sshd daemonizes itself. If you add it as Patch10 to the recent
openssh-3.1p1-2.src.rpm errata, it will apply cleanly.
[Stevens]: Advanced Programming in the UNIX Environment, W. Richard Stevens,
Created attachment 48564 [details]
patch to make sshd daemonize itself properly
Still true with current sshd
It still doesn't seem to pose a problem in the Red Hat cases for two reasons:
1. Our sshd is normally run from scripts at boot up
2. Our login does close fds so seems to avoid leaks
I still think this is a good idea and good practice
Actually, this *has* caused a problem before: rpm used to have a bug where
scripts (%post, %postun, etc.) inherited fds from rpm. As a result, running
"rpm -Uvh openssh-server*.rpm" could hang, because the openssh-server package
contains a %post script to perform "/sbin/service sshd condrestart", and the new
sshd process wound wind up inheriting a bogus fd.
I agree with the OpenSSH guys, in that in the above situation, the true bug lies
with the program (rpm) that never bothered to close its extra fds before forking
a child. But I disagree with the OpenSSH guys, in that I believe that *any*
program that is security-sensitive in any way absolutely needs to sanitize the
environment it inherits, regardless of whether that sanitizing winds up hiding a
bug in some other program. (And the fd table definitely counts as an inherited
Some additional info:
Is this issue still relevant?
Does OpenSSH still fail to properly daemonize itself? Yes.
Will upstream accept a patch to fix it? No. Why? Because they don't
view it as a potential security problem. I do. (There have been
cases in the past where programs could be exploited by filling or
mostly-filling the fd table before exec()ing them.)
Paul Vixie's point that _SC_OPEN_MAX can be a huge number (2**24-1) is
a valid one, but after some thought, I believe the best way to address
that is to first attempt to use /proc/self/fd to obtain the list of
open file descriptors. If /proc/self/fd is unavailable, then fall
back to doing brute-force close() calls up to the value of _SC_OPEN_MAX.
I can supply a patch to implement the behavior in the previous
paragraph. The issue for you is to choose what you feel is the lesser
of two evils: maintaining a patch that upstream will never accept, or
tolerating sloppy coding that could lead to a security vulnerability
in the future.
I don't see how could the sshd be exploited by filling it's open fds
table - it's not a setuid binary. The different situation would be if
the sshd would be started from an buggy application as in the comment
#3 and the opened fd was exploited somehow by a connecting client. But
even then it would be the responsibility of the buggy exec'er.
But I think I could accept a patch which would close the fds from
/proc/self/fd if available (without the brute force fallback).
*** Bug 59382 has been marked as a duplicate of this bug. ***
The problem is that there might be situations in which an attacker could
contrive to have sshd [re]started from a buggy application. In that case, the
risk isn't so much a buggy exec'er as it is a malicious exec'er.
I actually agree with the OpenSSH guys in that sshd shouldn't coddle buggy
exec'er. But sshd is an extremely security-sensitive application. It pays to
be paranoid, even if doing so has the undesired side-effect of coddling buggy
If you'll accept a patch to close open fds based on /proc information, then I'll
provide it. But there's no way the OpenSSH guys will ever accept such a patch.
I will consider this for FC5.
This should be fixed upstream.
It's not fixed in 4.7p1, as far as I can tell. Per comment 9, I doubt the
OpenSSH developers will ever fix this, because they don't think it's a bug.