Package: openssh-server
Version: 1:6.7p1-5+deb8u3
Severity: normal

Dear Maintainer,

two jessie systems behave differently after remote login via ssh with regard to the handling of SIGPIPE:

1) a freshly installed system ignores SIGPIPE:

> me@fresh-installed:~$ yes | head -1
> y
> yes: standard output: Broken pipe
> yes: write error

2) an upgraded system does not ignore SIGPIPE ('yes' correctly terminates without clobbering stderr and with correct return code)

> me@upgraded:~$ yes|head -1
> y

It depends on where/how the sshd was started; from c) below, it looks as if 'sshd: <user> [priv]' toggles the blocked flag for SIGPIPE invariably.

I'd expect at least the same outcome for both systems; in addition, I'd expect tools like 'yes', 'cat', 'grep' to behave as always, i.e. to get a SIGPIPE delivered to them and to not clobber stderr with 'Broken pipe' messages.

Hope the lengthy report helps in resolving this issue.

Following some analysis:

a) from systemd service, SIGPIPE finally blocked

root 29059 0.0 0.0 51016 4176 ? Ss Jul29 0:00 /usr/sbin/sshd -D
root 17214 0.0 0.0 126756 8348 ? Ss 10:20 0:00 \_ sshd: me [priv]
me 17217 0.0 0.0 126756 4856 ? S 10:20 0:00 | \_ sshd: me@pts/0
me 17218 0.0 0.0 24084 6204 pts/0 Ss+ 10:20 0:00 | \_ -bash

ps -sf:
 UID   PID PENDING          BLOCKED          IGNORED          CAUGHT           STAT TTY TIME COMMAND
   0 29059 0000000000000000 0000000000000000 0000000000001000 0000000180014005 Ss ? 0:00 /usr/sbin/sshd -D
   0 17214 0000000000000000 0000000000001000 0000000001001000 0000000180004003 Ss ? 0:00 \_ sshd: me [priv]
1002 17217 0000000000000000 0000000000001000 0000000000001000 0000000180010000 S ? 0:00 \_ sshd: me@pts/0
1002 17218 0000000000000000 0000000000001000 0000000000380004 000000004b817efb Ss+ pts/0 0:00 \_ -bash

b) from atd, SIGPIPE finally blocked

daemon 21831 0.0 0.0 90992 4968 ? S 11:34 0:00 \_ /usr/sbin/atd -f
root 21832 0.0 0.0 17532 2620 ? SN 11:34 0:00 \_ sh
root 21833 0.0 0.0 51016 5284 ? SN 11:34 0:00 \_ /usr/sbin/sshd -D -p 7000
root 25343 0.0 0.0 126756 8408 ? SNs 11:41 0:00 \_ sshd: me [priv]
me 25346 0.0 0.0 126756 4872 ? SN 11:41 0:00 \_ sshd: me@pts/17
me 25347 0.0 0.0 24100 6156 pts/17 SNs 11:41 0:00 \_ -bash
root 27977 0.0 0.0 91448 6836 pts/17 SNL 11:46 0:00 \_ sudo -i
root 28000 0.0 0.0 20752 5916 pts/17 SN+ 11:46 0:00 \_ -bash

ps -sf:
 UID   PID PENDING          BLOCKED          IGNORED          CAUGHT           STAT TTY TIME COMMAND
   1 21831 0000000000000000 0000000000000000 0000000000000000 0000000180014003 S ? 0:00 /usr/sbin/atd -f
   0 21832 0000000000000000 0000000000010000 0000000000000004 0000000000010002 SN ? 0:00 \_ sh
   0 21833 0000000000000000 0000000000000000 0000000000001000 0000000180014005 SN ? 0:00 \_ /usr/sbin/sshd -D -p 7000
   0 25343 0000000000000000 0000000000001000 0000000001001000 0000000180004003 SNs ? 0:00 \_ sshd: me [priv]
1002 25346 0000000000000000 0000000000001000 0000000000001000 0000000180010000 SN ? 0:00 \_ sshd: me@pts/17
1002 25347 0000000000000000 0000000000011000 0000000000380004 000000004b817efb SNs pts/17 0:00 \_ -bash
   0 27977 0000000000000000 0000000000001000 0000000000000000 00000001800b7a07 SNL pts/17 0:00 \_ sudo -i
   0 28000 0000000000000000 0000000000001000 0000000000380004 000000004b817efb SN+ pts/17 0:00 \_ -bash

c) from a sudo shell, SIGPIPE finally delivered, although on the initial login (27719) blocked

root 29059 0.0 0.0 51016 4176 ? Ss Jul29 0:00 /usr/sbin/sshd -D
root 27708 0.0 0.0 126756 8408 ? Ss 11:46 0:00 \_ sshd: me [priv]
me 27718 0.0 0.0 126756 4916 ? S 11:46 0:00 | \_ sshd: me@pts/31
me 27719 0.0 0.0 24084 6032 pts/31 Ss 11:46 0:00 | \_ -bash
root 27787 0.0 0.0 91448 6816 pts/31 SL 11:46 0:00 | \_ sudo -i
root 27802 0.0 0.0 16408 5636 pts/31 S 11:46 0:00 | \_ -bash
root 27934 0.0 0.0 51016 5256 pts/31 S+ 11:46 0:00 | \_ /usr/sbin/sshd -D -p 8000
root 10677 0.0 0.0 126756 8592 ? Ss 14:30 0:00 | \_ sshd: me [priv]
me 10694 0.0 0.0 126756 4012 ? S 14:30 0:00 | \_ sshd: me@pts/54
me 10695 0.1 0.0 24104 6220 pts/54 Ss+ 14:30 0:00 | \_ -bash

ps -sf:
 UID   PID PENDING          BLOCKED          IGNORED          CAUGHT           STAT TTY TIME COMMAND
   0 29059 0000000000000000 0000000000000000 0000000000001000 0000000180014005 Ss ? 0:00 /usr/sbin/sshd -D
   0 27708 0000000000000000 0000000000001000 0000000001001000 0000000180004003 Ss ? 0:00 \_ sshd: me [priv]
1002 27718 0000000000000000 0000000000001000 0000000000001000 0000000180010000 S ? 0:00 \_ sshd: me@pts/31
1002 27719 0000000000000000 0000000000011000 0000000000380004 000000004b817efb Ss pts/31 0:00 \_ -bash
   0 27787 0000000000000000 0000000000001000 0000000000000000 00000001800b7a07 SL pts/31 0:00 \_ sudo -i
   0 27802 0000000000000000 0000000000011000 0000000000380004 000000004b817efb S pts/31 0:00 \_ -bash
   0 27934 0000000000000000 0000000000001000 0000000000001000 0000000180014005 S+ pts/31 0:00 \_ /usr/sbin/sshd -D -p 8000
   0 10677 0000000000000000 0000000000000000 0000000001001000 0000000180004003 Ss ? 0:00 \_ sshd: me [priv]
1002 10694 0000000000000000 0000000000000000 0000000000001000 0000000180010000 S ? 0:00 \_ sshd: me@pts/54
1002 10695 0000000000000000 0000000000000000 0000000000380004 000000004b817efb Ss+ pts/54 0:00 \_ -bash

d) on upgraded system

root 22486 0.0 0.0 51012 3184 ? Ss Jul24 0:00 /usr/sbin/sshd -D
root 1143 0.0 0.0 97672 6420 ? Ss 15:55 0:00 \_ sshd: me [priv]
me 1148 0.0 0.0 97672 4048 ? S 15:55 0:00 \_ sshd: me@pts/85
me 1151 0.1 0.1 23080 9044 pts/85 Ss 15:55 0:00 \_ -bash

ps sf:
 UID   PID PENDING          BLOCKED          IGNORED          CAUGHT           STAT TTY TIME COMMAND
   0 22486 0000000000000000 0000000000000000 0000000000001000 0000000180014005 Ss ? 0:00 /usr/sbin/sshd -D
   0  1143 0000000000000000 0000000000000000 0000000001001000 0000000180004003 Ss ? 0:00 \_ sshd: me [priv]
1002  1148 0000000000000000 0000000000000000 0000000000001000 0000000180010000 S ? 0:00 \_ sshd: me@pts/85
1002  1151 0000000000000000 0000000000010000 0000000000380004 000000004b817efb Ss pts/85 0:00 \_ -bash

*) Last words of strace of 'yes' for 1)

[...]
write(1, "y\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\n"..., 4096) = 4096
y
write(1, "y\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\n"..., 4096) = -1 EPIPE (Broken pipe)
write(2, "yes: ", 5yes: ) = 5
write(2, "standard output", 15standard output) = 15
write(2, ": Broken pipe", 13: Broken pipe) = 13
write(2, "\n", 1
) = 1
close(1) = 0
munmap(0x7f08b48b7000, 4096) = 0
write(2, "yes: ", 5yes: ) = 5
write(2, "write error", 11write error) = 11
write(2, "\n", 1
) = 1
exit_group(1) = ?
+++ exited with 1 +++

Last words of strace of 'yes' for 2)

[...]
write(1, "y\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\n"..., 4096y
) = 4096
write(1, "y\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\ny\n"..., 4096) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=1366, si_uid=1002} ---
+++ killed by SIGPIPE +++

BR,
Michael

-- System Information:
Debian Release: 8.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.56
ii dpkg 1.17.27
ii init-system-helpers 1.22
ii libc6 2.19-18+deb8u4
ii libcomerr2 1.42.12-1.1
ii libgssapi-krb5-2 1.12.1+dfsg-19+deb8u2
ii libkrb5-3 1.12.1+dfsg-19+deb8u2
ii libpam-modules 1.1.8-3.1+deb8u1+b1
ii libpam-runtime 1.1.8-3.1+deb8u1
ii libpam0g 1.1.8-3.1+deb8u1+b1
ii libselinux1 2.3-2
ii libssl1.0.0 1.0.1t-1+deb8u2
ii libwrap0 7.6.q-25
ii lsb-base 4.1+Debian13+nmu1
ii openssh-client 1:6.7p1-5+deb8u3
ii openssh-sftp-server 1:6.7p1-5+deb8u3
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii ncurses-term 5.9+20140913-1
ii xauth 1:1.0.9-1

Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>

-- debconf information:
openssh-server/permit-root-login: false
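
Added example (not part of the original report, and not OpenSSH or procps code): decoding the BLOCKED and IGNORED columns of the ps listings above, where bit n-1 stands for signal n, to show per process whether SIGPIPE is blocked or ignored. The function names are made up for this example, the signal table assumes Linux on amd64, and the sample rows are copied from cases a) and d) of the report.

```python
import re

# Linux amd64 signal names; index 0 is signal 1. Assumption: the masks were
# taken on Linux/amd64 (the report's architecture); numbering differs elsewhere.
NAMES = ("HUP INT QUIT ILL TRAP ABRT BUS FPE KILL USR1 SEGV USR2 PIPE ALRM "
         "TERM STKFLT CHLD CONT STOP TSTP TTIN TTOU URG XCPU XFSZ VTALRM PROF "
         "WINCH IO PWR SYS").split()

def decode_mask(hexmask):
    """Names of the signals set in a ps/procfs mask (bit n-1 = signal n)."""
    mask = int(hexmask, 16)
    return ["SIG" + NAMES[b] if b < len(NAMES) else "SIG#%d" % (b + 1)
            for b in range(64) if mask >> b & 1]

# Columns: UID PID PENDING BLOCKED IGNORED CAUGHT STAT TTY TIME COMMAND
ROW = re.compile(r"^\s*\d+\s+(\d+)\s+[0-9a-f]{16}\s+([0-9a-f]{16})\s+"
                 r"([0-9a-f]{16})\s+[0-9a-f]{16}\s+\S+\s+\S+\s+\S+\s+(.*)$")

def sigpipe_state(ps_output):
    """Map PID -> (command, SIGPIPE blocked?, SIGPIPE ignored?)."""
    state = {}
    for line in ps_output.splitlines():
        m = ROW.match(line)
        if m is None:
            continue  # header or blank line
        pid, blocked, ignored, cmd = m.groups()
        # The blocked mask and ignored dispositions both survive fork() and
        # execve(), so whatever the login shell has is what 'yes' starts with.
        state[int(pid)] = (cmd.lstrip("\\_| "),
                           "SIGPIPE" in decode_mask(blocked),
                           "SIGPIPE" in decode_mask(ignored))
    return state

# Rows copied from cases a) and d) of the report.
SAMPLE = r"""
UID PID PENDING BLOCKED IGNORED CAUGHT STAT TTY TIME COMMAND
0 29059 0000000000000000 0000000000000000 0000000000001000 0000000180014005 Ss ? 0:00 /usr/sbin/sshd -D
0 17214 0000000000000000 0000000000001000 0000000001001000 0000000180004003 Ss ? 0:00 \_ sshd: me [priv]
1002 17218 0000000000000000 0000000000001000 0000000000380004 000000004b817efb Ss+ pts/0 0:00 \_ -bash
1002 1151 0000000000000000 0000000000010000 0000000000380004 000000004b817efb Ss pts/85 0:00 \_ -bash
"""

if __name__ == "__main__":
    for pid, (cmd, blocked, ignored) in sigpipe_state(SAMPLE).items():
        print(pid, cmd, "blocked" if blocked else "-", "ignored" if ignored else "-")
```

The same decoding applies to the SigBlk and SigIgn lines of /proc/<pid>/status, which use the same bit layout.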