Bug#548099: broken on kfreebsd

2012-02-21 Thread martin f krafft
also sprach Ludovico Gardenghi <gar...@debian.org> [2012.02.19.1754 +0100]:
> It seems reasonable to me to try to climb up the process tree until we
> meet a process with sshd in the command line (or, maybe better (?),
> with sshd in the proc/pid/exe symlink). Still not the cleanest of the
> solutions, but should be quite portable.

Last I checked, /proc is *not* portable.

-- 
 .''`.   martin f. krafft madduck@d.o  Related projects:
: :'  :  proud Debian developer   http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems




Bug#548099: broken on kfreebsd

2012-02-21 Thread Ludovico Gardenghi
On Tue, Feb 21, 2012 at 15:53:34 +0100, martin f krafft wrote:

> > It seems reasonable to me to try to climb up the process tree until we
> > meet a process with sshd in the command line (or, maybe better (?),
> > with sshd in the proc/pid/exe symlink). Still not the cleanest of the
> > solutions, but should be quite portable.
>
> Last I checked, /proc is *not* portable.

Right, sorry: quite as in at least for the architectures we'd like to
fix, and AFAIK, which I agree is a sensibly different meaning. The
check I proposed seems to work fine at least on a recent Linux (2.6.3x),
on kFreeBSD 8.2 (asdfasdf) and hurd (exodar). I haven't tested it with
esoteric configurations.

Looking for the tty in the sshd commandline did not prove very portable
as well, so until a really portable way is found we could add another
not-so-portable check. molly-guard is not a very complex tool, so I'd
not be afraid to pollute it with stuff that will be too complex to
remove in the future.

molly-guard does not guarantee to be triggered each time you're
connected via ssh (e.g. a screen or tmux started on a local console and
reattached remotely will not contain SSH_* in the environment nor will
the inside shell have a sshd-owned tty), IMHO if some more false
negatives can be avoided, it could be worth adding a test.

Bye,
Ludovico
-- 
l...@dovi.co    IRC: garden@freenode
OpenPGP: 1024D/63D2D5D907F89BB8 Jabber/gtalk: garde...@gmail.com



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#548099: broken on kfreebsd

2012-02-19 Thread Ludovico Gardenghi
Hello,

I was checking this bug during the Paris BSP which is taking place right
now. What about throwing in another check like the following one in
addition to the tty and SSH_CONNECTION ones?

is_child_of_sshd() {
  pid=$$
  ppid=$PPID
  # Walk up to init.
  while [ "$pid" -ne 1 ]; do
    # Stop as soon as an ancestor has sshd in its command line.
    grep -q sshd "/proc/$ppid/cmdline" && return 0
    pid=$ppid
    ppid=$(grep ^PPid: "/proc/$pid/status" | tr -dc 0-9)
  done
  return 1
}
[...]
if ! pgrep -f "^sshd.+${PTS#/dev/}\>" >/dev/null \
   && [ -z "${SSH_CONNECTION:-}" ] \
   && ! is_child_of_sshd; then
[...]

It seems reasonable to me to try to climb up the process tree until we
meet a process with sshd in the command line (or, maybe better (?),
with sshd in the proc/pid/exe symlink). Still not the cleanest of the
solutions, but should be quite portable.

Ludovico
-- 
l...@dovi.co    IRC: garden@freenode
OpenPGP: 1024D/63D2D5D907F89BB8 Jabber/gtalk: garde...@gmail.com
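
A /proc-free variant of the ancestor walk proposed in the message above, as an added example that is not part of the thread or of molly-guard: it relies only on the POSIX ps options -o and -p. The function names proc_info and is_descendant_of_sshd are hypothetical, and the approach is untested on the kFreeBSD and Hurd hosts mentioned in the thread.

```shell
#!/bin/sh
# Added example (not molly-guard code): find an sshd ancestor without /proc.

# Print "PPID COMMAND" for PID $1 using only POSIX ps options.
# Assumption: the platform's ps implements -o and -p as POSIX specifies.
proc_info() {
  ps -o ppid= -o comm= -p "$1" 2>/dev/null
}

# Return 0 if PID $1 (default: this shell) or one of its ancestors is sshd.
is_descendant_of_sshd() {
  pid=${1:-$$}
  hops=0
  # Stop at init (PID 1) and cap the walk so bad data cannot loop forever.
  while [ "$pid" -gt 1 ] && [ "$hops" -lt 64 ]; do
    info=$(proc_info "$pid") || return 1
    read -r ppid comm <<EOF
$info
EOF
    # A vanished process or unexpected ps output ends the walk.
    case $ppid in
      '' | *[!0-9]*) return 1 ;;
    esac
    comm=${comm%% *}   # first word only
    comm=${comm##*/}   # strip a leading path such as /usr/sbin/
    # Exact name match, stricter than grepping the full command line for
    # "sshd", which also matches e.g. an editor opened on sshd_config.
    [ "$comm" = sshd ] && return 0
    pid=$ppid
    hops=$((hops + 1))
  done
  return 1
}

if is_descendant_of_sshd; then
  echo "sshd ancestor found"
else
  echo "no sshd ancestor found"
fi
```

Like the /proc version, this cannot see a screen or tmux session that was started on a local console and reattached over ssh, so it complements the tty and SSH_CONNECTION checks rather than replacing them.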






Bug#548099: broken on kfreebsd

2010-09-11 Thread Peter Palfrader
On Sat, 11 Sep 2010, martin f krafft wrote:

> also sprach Peter Palfrader <wea...@debian.org> [2010.09.10.2046 +0200]:
> > I applied this patch, but now mollyguard doesn't recognize my tty is
> > from ssh.
>
> Please elaborate, I have no kfreebsd systems to test molly-guard on.
> I mean, I can get an SSH shell and run it in test-mode, but I cannot
> test whether my changes break the commands for other types of tty.

Why is access to io and asdfasdf not sufficient?  Even on these you can
probably check the return code of your scripts.

wea...@asdfasdf:~$ ALWAYS_QUERY_HOSTNAME=0 SSH_CONNECTION='' 
MOLLYGUARD_SETTINGS='' MOLLYGUARD_CMD='' sh -x ./30-query-hostname 
+ set -eu
+ ME=molly-guard
+ '[' -f '' ']'
+ PRETEND_SSH=0
+ test -t 0
+ case ${ALWAYS_QUERY_HOSTNAME:-0} in
++ tty
+ PTS=/dev/ttyp6
+ pgrep -f '^sshd.+ttyp6\>'
+ '[' -z '' ']'
+ '[' 0 -eq 1 ']'
+ exit 0
wea...@asdfasdf:~$ 

[SSH_CONNECTION would usually be eaten by sudo]

-- 
   |  .''`.  ** Debian GNU/Linux **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/






Bug#548099: broken on kfreebsd

2010-09-11 Thread Luca Bruno
It is instead working fine on my kfreebsd-amd64, up-to-date sid:

r...@europa:~# uname -sr
GNU/kFreeBSD 8.1-1-amd64

r...@europa:~# dpkg -l | grep molly-guard
ii  molly-guard 0.4.4-2

r...@europa:~# halt
W: molly-guard: SSH session detected!
Please type in hostname of the machine to halt: ^C
Good thing I asked; I won't halt europa ...

I think this works just because SSH_CONNECTION is properly set:
r...@europa:~# env | grep -i ssh
SSH_CLIENT=10.23.1.1 46891 22
SSH_TTY=/dev/ttyp0
SSH_CONNECTION=10.23.1.1 46891 10.23.1.2 22

Otherwise, I'm not sure how to identify a terminal spawned by 
sshd, as process grepping seems to behave differently and not 
to report the pseudo-terminal:
root   703   /usr/sbin/sshd
root  1012\_ /usr/sbin/sshd -R
lucab 1016\_ /usr/sbin/sshd -R
lucab 1017\_ -bash
root  1043\_ su
root  1050\_ bash

Ciao, Luca

-- 
 .''`.  ** Debian GNU/Linux **  | Luca Bruno (kaeso)
: :'  :   The Universal O.S.| lucab (AT) debian.org
`. `'`  | GPG Key ID: 3BFB9FB3
  `- http://www.debian.org  | Debian GNU/Linux Developer




Bug#548099: broken on kfreebsd

2010-09-10 Thread Peter Palfrader
martin f krafft wrote:

> This is fixed with
> http://git.debian.org/?p=collab-maint/molly-guard.git;a=commitdiff;h=c2b07f7d79d67d953d8a66880c6c0dee71aaee04

I applied this patch, but now mollyguard doesn't recognize my tty is
from ssh.

-- 
   |  .''`.  ** Debian GNU/Linux **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/






Bug#548099: broken on kfreebsd

2010-09-10 Thread martin f krafft
also sprach Peter Palfrader <wea...@debian.org> [2010.09.10.2046 +0200]:
> I applied this patch, but now mollyguard doesn't recognize my tty is
> from ssh.

Please elaborate, I have no kfreebsd systems to test molly-guard on.
I mean, I can get an SSH shell and run it in test-mode, but I cannot
test whether my changes break the commands for other types of tty.

-- 
 .''`.   martin f. krafft madd...@d.o  Related projects:
: :'  :  proud Debian developer   http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
 
everyone has a little secret he keeps,
 i like the fires when the city sleeps.
  -- mc 900 ft jesus




Bug#548099: broken on kfreebsd

2010-01-31 Thread martin f krafft
tags 548099 tags moreinfo help
thanks

> on debian kfreebsd-*:
>
> | fano:~# shutdown -h 1 more ram
> | W: aborting shutdown due to 30-query-hostname exiting with code 1.
> | fano:~#
>
> At first glance I notice at least one linuxism in 30-query-hostname,
> asking for /proc/pid/fd/0.

This is fixed with
http://git.debian.org/?p=collab-maint/molly-guard.git;a=commitdiff;h=c2b07f7d79d67d953d8a66880c6c0dee71aaee04

> Also, it doesn't appear that ssh has the name of the controlling
> terminal in its processname on kfreebsd.

I don't have any experience with kfreebsd nor any real environment
to test, so I'd appreciate if you could provide suggestions on how
to fix this.

-- 
 .''`.   martin f. krafft madd...@d.o  Related projects:
: :'  :  proud Debian developer   http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems




Bug#548099: broken on kfreebsd

2009-09-23 Thread Peter Palfrader
Package: molly-guard
Version: 0.4.4-2
Severity: important

Hi,

on debian kfreebsd-*:

| fano:~# shutdown -h 1 more ram
| W: aborting shutdown due to 30-query-hostname exiting with code 1.
| fano:~# 

At first glance I notice at least one linuxism in 30-query-hostname,
asking for /proc/pid/fd/0.

Also, it doesn't appear that ssh has the name of the controlling
terminal in its processname on kfreebsd.

Cheers,
weasel


