From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020311 When sshd starts, it closes file descriptors 0, 1, and 2, but doesn't bother to close any addition file descriptors it may have inherited. This is a bug; any security conscious program should close *all* inherited fds upon starting. (See [Stevens] section 13.3.) In the past, there have been several programs, including sendmail, that could be exploited by opening all but a couple fds and then starting the program and having it croak due to an unexpected shortage of descriptors. In some cases, it was possible to turn this into a root level exploit. I don't know if OpenSSH can be exploited in this manner, but the bug should be fixed before someone decides to see if it can. I already tried to get the OpenSSH developers to fix this bug, but they refused; see http://bugzilla.mindrot.org/show_bug.cgi?id=3 for the whole sad exchange. The attached patch fixes this bug, as well as correcting a few other issues with the way in which sshd daemonizes itself. If you add it as Patch10 to the recent openssh-3.1p1-2.src.rpm errata, it will apply cleanly. References: [Stevens]: Advanced Programming in the UNIX Environment, W. Richard Stevens, Addison-Wesley, 1992.
Created attachment 48564 [details] patch to make sshd daemonize itself properly
Still true with current sshd It still doesn't seem to pose a problem in the Red Hat cases for two reasons: 1. Our sshd is normally run from scripts at boot up 2. Our login does close fds so seems to avoid leaks I still think this is a good idea and good practice
Actually, this *has* caused a problem before: rpm used to have a bug where scripts (%post, %postun, etc.) inherited fds from rpm. As a result, running "rpm -Uvh openssh-server*.rpm" could hang, because the openssh-server package contains a %post script to perform "/sbin/service sshd condrestart", and the new sshd process wound wind up inheriting a bogus fd. I agree with the OpenSSH guys, in that in the above situation, the true bug lies with the program (rpm) that never bothered to close its extra fds before forking a child. But I disagree with the OpenSSH guys, in that I believe that *any* program that is security-sensitive in any way absolutely needs to sanitize the environment it inherits, regardless of whether that sanitizing winds up hiding a bug in some other program. (And the fd table definitely counts as an inherited environment.)
Some additional info: http://marc.theaimsgroup.com/?l=bind9-workers&m=103112021703700&w=2
Is this issue still relevant?
Does OpenSSH still fail to properly daemonize itself? Yes. Will upstream accept a patch to fix it? No. Why? Because they don't view it as a potential security problem. I do. (There have been cases in the past where programs could be exploited by filling or mostly-filling the fd table before exec()ing them.) Paul Vixie's point that _SC_OPEN_MAX can be a huge number (2**24-1) is a valid one, but after some thought, I believe the best way to address that is to first attempt to use /proc/self/fd to obtain the list of open file descriptors. If /proc/self/fd is unavailable, then fall back to doing brute-force close() calls up to the value of _SC_OPEN_MAX. I can supply a patch to implement the behavior in the previous paragraph. The issue for you is to choose what you feel is the lesser of two evils: maintaining a patch that upstream will never accept, or tolerating sloppy coding that could lead to a security vulnerability in the future.
I don't see how could the sshd be exploited by filling it's open fds table - it's not a setuid binary. The different situation would be if the sshd would be started from an buggy application as in the comment #3 and the opened fd was exploited somehow by a connecting client. But even then it would be the responsibility of the buggy exec'er. But I think I could accept a patch which would close the fds from /proc/self/fd if available (without the brute force fallback).
*** Bug 59382 has been marked as a duplicate of this bug. ***
The problem is that there might be situations in which an attacker could contrive to have sshd [re]started from a buggy application. In that case, the risk isn't so much a buggy exec'er as it is a malicious exec'er. I actually agree with the OpenSSH guys in that sshd shouldn't coddle buggy exec'er. But sshd is an extremely security-sensitive application. It pays to be paranoid, even if doing so has the undesired side-effect of coddling buggy exec'ers. If you'll accept a patch to close open fds based on /proc information, then I'll provide it. But there's no way the OpenSSH guys will ever accept such a patch.
I will consider this for FC5.
This should be fixed upstream.
It's not fixed in 4.7p1, as far as I can tell. Per comment 9, I doubt the OpenSSH developers will ever fix this, because they don't think it's a bug.