From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.io/gmane.comp.sysutils.supervision.general/2045 Path: news.gmane.org!not-for-mail From: "Ciprian Dorin, Craciun" Newsgroups: gmane.comp.sysutils.supervision.general,gmane.comp.tools.sudo.user Subject: Improper setting / resetting of the signals mask Date: Tue, 14 Sep 2010 14:14:45 +0300 Message-ID: NNTP-Posting-Host: lo.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-Trace: dough.gmane.org 1284462921 15603 80.91.229.12 (14 Sep 2010 11:15:21 GMT) X-Complaints-To: usenet@dough.gmane.org NNTP-Posting-Date: Tue, 14 Sep 2010 11:15:21 +0000 (UTC) To: supervision@list.skarnet.org, sudo-users@sudo.ws Original-X-From: supervision-return-2280-gcsg-supervision=m.gmane.org@list.skarnet.org Tue Sep 14 13:15:19 2010 Return-path: Envelope-to: gcsg-supervision@lo.gmane.org Original-Received: from antah.skarnet.org ([212.85.147.14]) by lo.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1OvTTr-0005bj-3s for gcsg-supervision@lo.gmane.org; Tue, 14 Sep 2010 13:15:19 +0200 Original-Received: (qmail 27334 invoked by uid 76); 14 Sep 2010 11:17:22 -0000 Mailing-List: contact supervision-help@list.skarnet.org; run by ezmlm List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Archive: Original-Received: (qmail 27326 invoked from network); 14 Sep 2010 11:17:21 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:from:date :message-id:subject:to:content-type; bh=ic5Y0my/Fm/nMYpPCYQolE8PM7gF448PzUStFPCcvFU=; b=AiuaM1K9TpYMjB4VDSsHR0Ohc3gn+JBJUJ6b2HuUv2wtzEkcENtZSxJp/yBSITyc6p agtbhkSOGe+3vGJhU+yd+ps+XFuwUlyUrZF9c9vjDPXZEM3I1UcN9/2EvIQ1F/sd13SJ 09AiOrwQvPII2SzWzXXVZIYUWH1oe0umju0No= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:from:date:message-id:subject:to:content-type; b=U19JJxu64ECKCKPR+BgrTvwuFCwDMGI8FfQgCxr7GUDRoND5wozm2au58Qrhk+L5/m ZcyUwLw8XFcqCEZd2vfnzb+Xl6NjBrJW8LXv4vUmZ/eWWlq/92AYept9lam3o06oT0N0 FERLlWX6dD4dsO0qDUj7AoOvC67dwKrHDJVP8= Xref: news.gmane.org gmane.comp.sysutils.supervision.general:2045 gmane.comp.tools.sudo.user:3358 Archived-At: Hello all! Sorry for cross-posting, but this "bug" is relevant to both projects (`runit` and `sudo`), so please forgive me in advance. :) In short `sudo` doesn't seem to reset (zero out) its inherited signal mask, and `runit` seems to leave some signals blocked when exec-ing children. (And the side-effect is breaking some service management scripts.) Now the long story: * (`runit` specific) it seems that when `runit` starts the `./contro/t` script it leaves some signals blocked (at least the mask 0x14000) (see below in the transcript from `ps s $PID`); (it seems that this happens only for `./contro/X` and not for the `./run` scripts;) * (`sudo` specific) it seems that when `sudo` starts it doesn't reset the inherited blocked signals, on which it seems to rely for detecting when the child process finished; (and this only happens with the latest versions of `sudo` (`1.7.4p3`), because until now sudo didn't forked and waited for the child but instead it `execve`-d it; now because it uses the `pam-session` feature it waits for the child to terminate...) The following snippet is part of the `./control/t` script which only sends `TERM` followed by `KILL` signals to the service. It uses `sudo` to elevate the rights from my normal user to that of root. ~~~~ #!/bin/bash set -e +m -u -o pipefail || exit 1 exec 2>&1 echo "before sudo" >>/tmp/transcript.txt ps s "${$}" >>/tmp/transcript.txt test "${#}" -eq 0 test "${UID}" -eq 0 || exec sudo -u "#0" -g "#${UID}" -E -P -n -- "${0}" "${@}" echo "after sudo" >>/tmp/transcript.txt ps s "${$}" >>/tmp/transcript.txt pid="$( cat ./supervise/pid )" test -e "/proc/${pid}" || exit 1 kill -s TERM "${pid}" || true sleep 0.1s test -e "/proc/${pid}" || exit 0 sleep 1s test -e "/proc/${pid}" || exit 0 kill -s KILL "${pid}" || true exit 0 ~~~~ And the following is the result of running the script. See the BLOCKED (0x14000) signal mask: * the first "before sudo" text and the `ps` output line is before executing `sudo` (thus showing that `runit` doesn't clear the blocked signals mask); * the second "before sudo" text and the `ps` line is after executing `sudo` (and before the UID test) and the masks are just like the previous output (thus showing that sudo doesn't reset the masks); ~~~~ before sudo UID PID PENDING BLOCKED IGNORED CAUGHT STAT TTY TIME COMMAND 10101 5935 0000000000000000 0000000000014000 0000000000000004 0000000000010002 S ? 0:00 /bin/bash control/t before sudo UID PID PENDING BLOCKED IGNORED CAUGHT STAT TTY TIME COMMAND 0 5937 0000000000000000 0000000000014000 0000000000000004 0000000000010002 S ? 0:00 /bin/bash control/t ~~~~ And the following is the result of running the same script but with a minor modification (see the `nosig` wrapper in front of `sudo` which is just a simple C application that manually clears all signal masks before `execve`-ing): * see that the BLOCKED mask before using `nosig` is the same as in the previous case, but: * by using `nosig` followed by `sudo` the signal masks are cleared (I think that the "0x10000" signal is blocked by BASH in any case); ~~~~ test "${UID}" -eq 0 || exec nosig sudo -u "#0" -g "#${UID}" -E -P -n -- "${0}" "${@}" ~~~~ before sudo UID PID PENDING BLOCKED IGNORED CAUGHT STAT TTY TIME COMMAND 10101 6067 0000000000000000 0000000000014000 0000000000000004 0000000000010002 S ? 0:00 /bin/bash control/t before sudo UID PID PENDING BLOCKED IGNORED CAUGHT STAT TTY TIME COMMAND 0 6069 0000000000000000 0000000000010000 0000000000000004 0000000000010002 S ? 0:00 /bin/bash control/t ~~~~ So thank you for paying attention to my report, and I hope it'll be helpful for the developers. Ciprian.