Debian Bug report logs - #480020
openssh-server: adjusted OOM killer is inherited by all child processes
Reported by: Vaclav Ovsik <vaclav.ovsik@i.cz>
Date: Wed, 7 May 2008 15:45:02 UTC
Severity: normal
Tags: patch
Found in version openssh/1:4.7p1-8
Fixed in version openssh/1:4.7p1-11
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#480020; Package openssh-server.
Acknowledgement sent to Vaclav Ovsik <vaclav.ovsik@i.cz>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: openssh-server
Version: 1:4.7p1-8
Severity: normal
Tags: patch
Hi,
there is IMO a problem with adjusting the OOM killer by the startup script,
because it is inherited by all child processes:
zito@bobek:/tmp$ ./ps_oom_adj
OMA   PID TTY      STAT   TIME COMMAND
...
-17 24733 ?        Ss     0:00 /usr/sbin/sshd
-17 25007 ?        Ss     0:00  \_ sshd: zito [priv]
-17 25010 ?        S      0:00      \_ sshd: zito@pts/11
-17 25012 pts/11   Ss+    0:00          \_ -bash
^^^ everything is immortal
I have prepared the attached patch, which implements the adjustment directly in
sshd; the adjustment is reverted to the original value after fork().
sid:~# ./ps_oom_adj
OMA   PID TTY      STAT   TIME COMMAND
...
-17  1494 ?        Ss     0:00 /usr/sbin/sshd
  0  1645 ?        Ss     0:00  \_ sshd: zito [priv]
  0  1649 ?        S      0:00      \_ sshd: zito@pts/0
  0  1652 pts/0    Ss     0:00          \_ -bash
  0  1669 pts/0    S      0:00              \_ newrole -r sysadm_r
This also solves the problem with SELinux enabled - no need to change
the policy for this. I hope this change will be usable, please review the
code.
Thanks
--
zito
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssh-server depends on:
ii adduser 3.107 add and remove users and groups
ii debconf [debconf-2.0 1.5.21 Debian configuration management sy
ii dpkg 1.14.18 package maintenance system for Deb
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libcomerr2 1.40.8-2 common error description library
ii libkrb53 1.6.dfsg.3-1 MIT Kerberos runtime libraries
ii libpam-modules 0.99.10.0-1~icz50+1 Pluggable Authentication Modules f
ii libpam-runtime 0.99.10.0-1~icz50+1 Runtime support for the PAM librar
ii libpam0g 0.99.10.0-1~icz50+1 Pluggable Authentication Modules l
ii libselinux1 2.0.59-1 SELinux shared libraries
ii libssl0.9.8 0.9.8g-8 SSL shared libraries
ii libwrap0 7.6.q-15 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-12 Linux Standard Base 3.2 init scrip
ii openssh-client 1:4.7p1-8 secure shell client, an rlogin/rsh
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages openssh-server recommends:
ii xauth 1:1.0.3-1 X authentication utility
-- debconf information excluded
[sshd-oom-adj.patch (text/x-c, attachment)]
[ps_oom_adj (application/x-shellscript, attachment)]
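The approach the report describes (the listener exempts itself from the OOM killer, and each child puts the inherited value back right after fork()), shown here as an added example. It is not the attached sshd-oom-adj.patch or OpenSSH code; the function names are hypothetical, and the /proc/self/oom_adj path and the -17 value are assumed from the 2.6.24 kernel and the listings in the report.

```c
#include <limits.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define OOM_ADJ_PATH   "/proc/self/oom_adj" /* assumed: per-process knob on 2.6-era kernels */
#define OOM_ADJ_NOKILL (-17)                /* the value shown in the OMA column above */
static int oom_adj_saved = INT_MIN;         /* INT_MIN means nothing has been saved yet */

/* Read the integer stored in path; returns 0 on success, -1 on error. */
int oom_adj_read(const char *path, int *val) {
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    int ok = (fscanf(fp, "%d", val) == 1);
    fclose(fp);
    return ok ? 0 : -1;
}

/* Write val to path; procfs reports a refused write at flush, so check fclose(). */
int oom_adj_write(const char *path, int val) {
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    int ok = (fprintf(fp, "%d\n", val) > 0);
    return (fclose(fp) == 0 && ok) ? 0 : -1;
}

/* Listener: remember the inherited value, then exempt this process only. */
int oom_adjust_setup(const char *path) {
    int cur;
    if (oom_adj_read(path, &cur) != 0 || oom_adj_write(path, OOM_ADJ_NOKILL) != 0)
        return -1;
    oom_adj_saved = cur;
    return 0;
}

/* Child, immediately after fork(): put the remembered value back. */
int oom_adjust_restore(const char *path) {
    if (oom_adj_saved == INT_MIN) return -1; /* setup never succeeded */
    return oom_adj_write(path, oom_adj_saved);
}

int main(void) {
    if (oom_adjust_setup(OOM_ADJ_PATH) != 0) perror("oom_adjust_setup"); /* lowering needs privilege */
    pid_t pid = fork();
    if (pid == 0) {                           /* stands in for the per-session child */
        oom_adjust_restore(OOM_ADJ_PATH);     /* without this the child keeps -17 */
        execlp("cat", "cat", OOM_ADJ_PATH, (char *)NULL); /* prints the child's value */
        _exit(127);
    }
    if (pid > 0) waitpid(pid, NULL, 0);
    return 0;
}
```

The helpers take the path as a parameter so the save and restore logic can be exercised against an ordinary file without privilege.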
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#480020; Package openssh-server.
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Message #10 received at 480020@bugs.debian.org:
tags 480020 pending
thanks
On Wed, May 07, 2008 at 05:42:58PM +0200, Vaclav Ovsik wrote:
> there is IMO a problem with adjusting the OOM killer by the startup script,
> because it is inherited by all child processes:
[...]
> I have prepared the attached patch, which implements the adjustment directly in
> sshd; the adjustment is reverted to the original value after fork().
Thanks for this. I tidied the code up a little bit and have committed it
to my CVS tree. I also forwarded it upstream as:
https://bugzilla.mindrot.org/show_bug.cgi?id=1470
Regards,
--
Colin Watson [cjwatson@debian.org]
Tags added: pending
Request was from Colin Watson <cjwatson@debian.org>
to control@bugs.debian.org.
(Sun, 25 May 2008 22:36:10 GMT).
Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.
Notification sent to Vaclav Ovsik <vaclav.ovsik@i.cz>:
Bug acknowledged by developer.
Message #17 received at 480020-close@bugs.debian.org:
Source: openssh
Source-Version: 1:4.7p1-11
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-client-udeb_4.7p1-11_i386.udeb
to pool/main/o/openssh/openssh-client-udeb_4.7p1-11_i386.udeb
openssh-client_4.7p1-11_i386.deb
to pool/main/o/openssh/openssh-client_4.7p1-11_i386.deb
openssh-server-udeb_4.7p1-11_i386.udeb
to pool/main/o/openssh/openssh-server-udeb_4.7p1-11_i386.udeb
openssh-server_4.7p1-11_i386.deb
to pool/main/o/openssh/openssh-server_4.7p1-11_i386.deb
openssh_4.7p1-11.diff.gz
to pool/main/o/openssh/openssh_4.7p1-11.diff.gz
openssh_4.7p1-11.dsc
to pool/main/o/openssh/openssh_4.7p1-11.dsc
ssh-askpass-gnome_4.7p1-11_i386.deb
to pool/main/o/openssh/ssh-askpass-gnome_4.7p1-11_i386.deb
ssh-krb5_4.7p1-11_all.deb
to pool/main/o/openssh/ssh-krb5_4.7p1-11_all.deb
ssh_4.7p1-11_all.deb
to pool/main/o/openssh/ssh_4.7p1-11_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 480020@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 26 May 2008 12:21:39 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source all i386
Version: 1:4.7p1-11
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client - secure shell client, an rlogin/rsh/rcp replacement
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell server, an rshd replacement
openssh-server-udeb - secure shell server for the Debian installer (udeb)
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
ssh-krb5 - secure shell client and server (transitional package)
Closes: 480020 481018 481151 481187 481398 481530 481576 481591 481596 481621 481624 481676 481721 481781 481836 481870 481876 482341 482464 482548 482808 482887
Changes:
openssh (1:4.7p1-11) unstable; urgency=low
.
* Make init script depend on $syslog, and fix some other dependency
glitches (thanks, Petter Reinholdtsen; closes: #481018).
* Remove 0 and 6 from Default-Stop in init script (thanks, Kel Modderman;
closes: #481151).
* Restore OOM killer adjustment for child processes (thanks, Vaclav Ovsik;
closes: #480020).
* Allow building with heimdal-dev (LP: #125805).
.
* Check RSA1 keys without the need for a separate blacklist. Thanks to
Simon Tatham for the idea.
* Generate two keys with the PID forced to the same value and test that
they differ, to defend against recurrences of the recent Debian OpenSSL
vulnerability.
* Recommend openssh-blacklist from openssh-client (closes: #481187).
* Recommend openssh-blacklist-extra from openssh-client and
openssh-server.
* Make ssh-vulnkey report the file name and line number for each key
(thanks, Heiko Schlittermann and Christopher Perry; closes: #481398).
* Check for blacklists in /usr/share/ssh/ as well as /etc/ssh/ (see
#481283).
* Log IP addresses of hosts attempting to use blacklisted keys (closes:
#481721).
* Incorporate various ssh-vulnkey suggestions from Hugh Daniel:
- Add -v (verbose) option, and don't print output for keys that have a
blacklist file but that are not listed unless in verbose mode.
- Move exit status documentation to a separate section.
- Document key status descriptions.
- Add key type to output.
- Fix error output if ssh-vulnkey fails to read key files, with the
exception of host keys unless -a was given.
- In verbose mode, output the name of each file examined.
* Handle leading IP addresses in ssh-vulnkey input (LP: #230497).
* Fix various ssh-vulnkey problems pointed out by Solar Designer:
- Fix some buffer handling inconsistencies.
- Use xasprintf to build user key file names, avoiding truncation
problems.
- Drop to the user's UID when reading user keys with -a.
- Use EUID rather than UID when run with no file names and without -a.
- Reword "Unknown (no blacklist information)" to "Unknown (blacklist
file not installed)".
.
* Fix typo in ssh/vulnerable_host_keys message (thanks, Esko Arajärvi).
* debconf template translations:
- Update Finnish (thanks, Esko Arajärvi; closes: #481530).
- Update French (thanks, Christian Perrier; closes: #481576).
- Update Norwegian Bokmål (thanks, Bjørn Steensrud; closes: #481591).
- Update Galician (thanks, Jacobo Tarrio; closes: #481596).
- Update Japanese (thanks, Kenshi Muto; closes: #481621).
- Update Czech (thanks, Miroslav Kure; closes: #481624).
- Update German (thanks, Helge Kreutzmann; closes: #481676).
- Update Portuguese (thanks, Ricardo Silva; closes: #481781).
- Update Basque (thanks, Piarres Beobide; closes: #481836).
- Update Bulgarian (thanks, Damyan Ivanov; closes: #481870).
- Update Vietnamese (thanks, Clytie Siddall; closes: #481876).
- Update Spanish (thanks, Javier Fernandez-Sanguino Peña; closes:
#482341).
- Update Turkish (thanks, Mert Dirik; closes: #482548).
- Update Russian (thanks, Yuri Kozlov; closes: #482887).
- Update Swedish (thanks, Martin Bagge; closes: #482464).
- Update Italian (thanks, Luca Monducci; closes: #482808).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 26 Jun 2008 07:29:51 GMT).