Hi all,
I have recently come up against this problem myself, and have fixed /
submitted a patch to the openssh development team. Here is the original
report:
So I modified the code to try and repair this oom_adj problem...
port-linux.c:
line 235: //static int oom_adj_save = INT_MIN;
line 236:
** Tags added: lucid regression-release
** Tags removed: regression-potential
** Changed in: openssh (Ubuntu Hardy)
Status: New => Confirmed
** Changed in: openssh (Ubuntu Hardy)
Importance: Undecided => Medium
--
hardy: openssh-server oom_adj can lead to denial of service
** Tags added: hardy
--
hardy: openssh-server oom_adj can lead to denial of service
https://bugs.launchpad.net/bugs/293000
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
--
Ubuntu-server-bugs mailing list
Is there going to be a back port to Hardy 8.04 LTS?
I have had a serious issue with a Virtual Server where the only access
is via SSHD. This resulted in an errant CPAN update downing the entire
box due to all services started via SSH being oom_adj == -17 and
therefore not being killed when out of
Colin, thanks for the reply. Maybe I got a wrong impression ;-)
After seeing the issue show up again and again over the last two years,
my suggestion would be to change the oom_adj patch itself to set the
child oom_adj value always to zero, independent of the value that it was
called with.
I
Yes, I think you're probably right. I was considering a few possible
alternatives and this seems the least bad.
This bug was fixed in the package openssh - 1:5.3p1-3ubuntu2
---
openssh (1:5.3p1-3ubuntu2) lucid; urgency=low
* Always set child processes' OOM adjustment to 0, since Upstart will have
set sshd's OOM adjustment on startup and so simply restoring the startup
value won't
** Branch linked: lp:ubuntu/openssh
I understood the oom_adj patch perfectly, having written it. Apparently
I misunderstood how Upstart's 'oom' stanza worked though ...
Thanks for the analysis; I'll look into this.
** Tags added: regression-potential
This bug either wasn't fixed or there has been a recent regression.
Ubuntu lucid
openssh-server 1:5.3p1-3ubuntu1
/etc/default/ssh: SSHD_OOM_ADJUST=-17
As well as causing kernel panics, a malicious user can use this
technique to kill off trusted root daemons and (if they use a port =
1024)
To confirm, sshd's child processes do indeed inherit the oom_adjust
setting.
I think the Debian patch had been applied in releases after Hardy. But
the daemon only resets the oom_adj value that it was originally called
with. So in Jaunty a DHCP restart script which had the oom_adj value of
-17 itself caused the same effect. See bug report #390556.
I have not checked lucid
OK, I've debugged a bit into the lucid upstart scripts:
First, I can confirm the regression.
The oom_adj patch is still in place, which is the good news. The bad
news is that the problem is now caused by the upstart script
/etc/init/ssh.conf
Apparently the author didn't understand how the
Thank you for taking the time to report this bug and helping to make
Ubuntu better. However, I am closing it because the bug has been fixed
in the latest development version of Ubuntu - Lucid Lynx.
This is a significant bug in Ubuntu. If you need a fix for the bug in
previous versions of Ubuntu,
** Changed in: openssh (Ubuntu)
Status: Incomplete => Triaged
Thanks for taking the time to report this bug. Please check if this has
been solved on an up to date Ubuntu. If this is an issue on Hardy for
you,
Please note: I assume it will not be solved by an update of ssh as
packages on a released version are only patched (not updated) and this
only when a
** Changed in: debian
Status: Unknown => Fix Released
** This bug has been flagged as a security issue
** Bug watch added: Debian Bug tracker #480020
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480020
** Also affects: debian via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480020
Importance: Unknown
Status: Unknown
As a workaround I would suggest setting SSHD_OOM_ADJUST to 0 in
/etc/default/ssh. This allows the killing of ssh and child processes by
the OOM killer again.