* sshd problem.
From: Kurt Roeckx @ 2003-04-05 16:46 UTC (permalink / raw)
To: selinux
If I run run_init /etc/init.d/ssh start it fails to start, even in
permissive mode. I have no idea why it fails, I see nothing in
the logs.
If I run strace -f run_init /etc/init.d/ssh start, it starts
without problems, which currently seems to be the only way I can
make it start properly.
Note that it starts up properly when it boots.
I'm using Bryan May's version on debian woody.
run_init strace -f /etc/init.d/ssh start shows this at the end:
[pid 6267] fstat64(0, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
[pid 6267] read(0, "/etc/init.d/ssh: /usr/sbin/sshd:"..., 32768) = 51
[pid 6267] read(0, "", 32768) = 0
[pid 6267] close(1) = 0
[pid 6267] _exit(1) = ?
[pid 6265] <... wait4 resumed> [WIFEXITED(s) && WEXITSTATUS(s) == 1], 0, NULL) = 6267
[pid 6265] wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 1], 0, NULL) = 6266
[pid 6265] rt_sigprocmask(SIG_BLOCK, [CHLD TTOU], [CHLD], 8) = 0
[pid 6265] rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
[pid 6265] rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0
[pid 6265] rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
[pid 6265] rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
[pid 6265] rt_sigaction(SIGINT, {0x807a900, [], SA_RESTORER, 0x400826b8}, {0x806e2f8, [], SA_RESTORER, 0x400826b8}, 8) = 0
[pid 6265] close(3) = -1 EBADF (Bad file descriptor)
[pid 6265] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid 6265] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid 6265] wait4(-1, 0xbffff620, WNOHANG, NULL) = -1 ECHILD (No child processes)
[pid 6265] sigreturn() = ? (mask now [])
[pid 6265] _exit(1) = ?
<... wait4 resumed> [WIFEXITED(s) && WEXITSTATUS(s) == 1], 0, NULL) = 6265
rt_sigprocmask(SIG_BLOCK, [CHLD TTOU], [CHLD], 8) = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [CHLD], 8) = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
wait4(-1, 0xbffff738, WNOHANG, NULL) = -1 ECHILD (No child processes)
sigreturn() = ? (mask now [])
rt_sigaction(SIGINT, {SIG_DFL}, {0x806e2f8, [], SA_RESTORER, 0x400826b8}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
_exit(0) = ?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: sshd problem.
From: Russell Coker @ 2003-04-05 21:40 UTC (permalink / raw)
To: Kurt Roeckx, selinux
On Sun, 6 Apr 2003 02:46, Kurt Roeckx wrote:
> If I run run_init /etc/init.d/ssh start it fails to start, even in
> permissive mode. I have no idea why it fails, I see nothing in
> the logs.
>
> If I run strace -f run_init /etc/init.d/ssh start, it starts
> without problems, which currently seems to be the only way I can
> make it start properly.
Try putting a "sleep 1" after the line in the /etc/init.d/ssh file that starts
the sshd and it should work.
I'm not sure whether this is a bug in expect or in the daemon.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: sshd problem.
From: Kurt Roeckx @ 2003-04-05 22:14 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
On Sun, Apr 06, 2003 at 07:40:27AM +1000, Russell Coker wrote:
> On Sun, 6 Apr 2003 02:46, Kurt Roeckx wrote:
> > If I run run_init /etc/init.d/ssh start it fails to start, even in
> > permissive mode. I have no idea why it fails, I see nothing in
> > the logs.
> >
> Try putting a "sleep 1" after the line in the /etc/init.d/ssh file that starts
> the sshd and it should work.
>
> I'm not sure whether this is a bug in expect or in the daemon.
That worked, thanks.
Kurt
* sshd problem
From: Russell Coker @ 2011-09-12 6:23 UTC (permalink / raw)
To: SE-Linux
On a system running Debian/Squeeze (the latest stable release) I am seeing the
following audit messages. This happens when I run "ssh user@localhost" and
enter something random in the password prompt. When it happens one of the ssh
privsep processes aborts and the tcp connection to port 22 is closed. This
doesn't seem to be a security problem.
type=AVC msg=audit(1315807424.338:39): avc: denied { unix_read unix_write } for pid=1363 comm="sshd" key=58236 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=SYSCALL msg=audit(1315807424.338:39): arch=c000003e syscall=29 success=no exit=-131939286884392 a0=e37c a1=200048 a2=1b6 a3=0 items=0 ppid=627 pid=1363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1315807424.338:40): avc: denied { unix_read unix_write } for pid=1363 comm="sshd" key=58771 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1315807424.338:40): arch=c000003e syscall=64 success=no exit=-131939286884392 a0=e593 a1=8 a2=1b6 a3=0 items=0 ppid=627 pid=1363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=ANOM_ABEND msg=audit(1315807424.341:41): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 pid=1363 comm="sshd" sig=11
Below is the output of "ipcs|grep -v www-data". The only shm and sem objects
listed are the ones that interest us.
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x0000e37c 0          root       666        2097224    0

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x0000e593 294921     root       666        8
I did a quick gdb run on the system in question. I first ran "ssh
user@localhost" and then I ran gdb on the first of the two "sshd: unknown
[priv]" processes (which is the one that crashes). After gdb was attached I
entered a random password (the test account in question didn't exist so no
password would get a login).
At the point of the crash gdb said:
Program received signal SIGTRAP, Trace/breakpoint trap.
0x000000000044e1b5 in ?? ()
After that I could use the "c" command in gdb to keep running and my ssh
client would ask me for another password (the expected action). When I did
the same thing without gdb the sshd process would SEGV.
It seems that there is some debugging code enabled in ssh or its libraries.
I just put some auditallow statements in local.te and rebooted to discover who
is creating the shm/sem resources in question. It seems that the ssh client
is doing so! Does anyone have any idea why the ssh client is creating shm/sem
resources that the server uses?
type=AVC msg=audit(1315808317.426:28): avc: granted { create } for pid=965 comm="ssh" key=58771 scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1315808317.426:28): arch=c000003e syscall=64 success=no exit=-131941352292392 a0=e593 a1=8 a2=7b6 a3=0 items=0 ppid=960 pid=965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1315808317.426:29): avc: granted { create } for pid=965 comm="ssh" key=58236 scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=SYSCALL msg=audit(1315808317.426:29): arch=c000003e syscall=29 success=yes exit=0 a0=e37c a1=200048 a2=7b6 a3=1 items=0 ppid=960 pid=965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1315808317.426:30): avc: denied { unix_read unix_write } for pid=968 comm="sshd" key=58236 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=AVC msg=audit(1315808317.430:31): avc: denied { unix_read unix_write } for pid=968 comm="sshd" key=58771 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
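
The key= values in the AVC records above are decimal forms of the System V IPC keys that ipcs and the SYSCALL a0 field print in hex (58236 = 0xe37c, 58771 = 0xe593). The following Python is an added example, not part of the original message: it groups the records by key to show which domain created each object and which was denied access. The function name ipc_key_report is hypothetical, and the SYSCALL records are trimmed copies of the ones in the message.

```python
import re
from collections import defaultdict

# Records from the message above, re-joined onto one line each; SYSCALL records trimmed.
AUDIT_LOG = """\
type=AVC msg=audit(1315808317.426:28): avc: granted { create } for pid=965 comm="ssh" key=58771 scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1315808317.426:28): arch=c000003e syscall=64 success=no a0=e593 a1=8 a2=7b6 pid=965 comm="ssh" exe="/usr/bin/ssh"
type=AVC msg=audit(1315808317.426:29): avc: granted { create } for pid=965 comm="ssh" key=58236 scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=SYSCALL msg=audit(1315808317.426:29): arch=c000003e syscall=29 success=yes a0=e37c a1=200048 a2=7b6 pid=965 comm="ssh" exe="/usr/bin/ssh"
type=AVC msg=audit(1315808317.426:30): avc: denied { unix_read unix_write } for pid=968 comm="sshd" key=58236 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=AVC msg=audit(1315808317.430:31): avc: denied { unix_read unix_write } for pid=968 comm="sshd" key=58771 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
"""

AVC_RE = re.compile(
    r'msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+(?P<result>granted|denied)\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)" key=(?P<key>\d+) '
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)')
# On x86_64, syscall 29 is shmget and 64 is semget; a0 is the IPC key, printed in hex.
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\ba0=(?P<a0>[0-9a-f]+)')

def ipc_key_report(log):
    """Group AVC records by IPC key; returns {(tclass, hex_key): details}."""
    a0_by_serial = {m["serial"]: int(m["a0"], 16) for m in SYSCALL_RE.finditer(log)}
    report = defaultdict(lambda: {"created_by": set(), "denied": set(), "a0_matches": True})
    for m in AVC_RE.finditer(log):
        key = int(m["key"])                            # AVC prints the key in decimal
        entry = report[(m["tclass"], f"0x{key:08x}")]  # ipcs prints it as 8-digit hex
        domain = m["scon"].split(":")[2]               # type field of the source context
        if m["result"] == "granted" and "create" in m["perms"].split():
            entry["created_by"].add((m["comm"], domain))
        elif m["result"] == "denied":
            entry["denied"].add((m["comm"], domain, m["tcon"].split(":")[2]))
        a0 = a0_by_serial.get(m["serial"])             # paired SYSCALL record, if logged
        if a0 is not None and a0 != key:
            entry["a0_matches"] = False
    return dict(report)

if __name__ == "__main__":
    for (tclass, hexkey), info in sorted(ipc_key_report(AUDIT_LOG).items()):
        print(tclass, hexkey, info)
```

The hex keys it reports can be compared directly with the key column of the ipcs output.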