[Bug 2646] zombie processes when using privilege separation

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Jan 6 14:24:49 AEDT 2017 

https://bugzilla.mindrot.org/show_bug.cgi?id=2646

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
(In reply to Akshay from comment #7)

I think this is a bug in your init program. We could probably tell more
clearly if you include PPID in your process lists (e.g. "ps ajf").

Here are is the process list from when the session is active:

> root at 4871a0e3589e:/# ps auxf
> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME
> COMMAND
> root         8  0.0  0.0  26468  3772 ?        S+   01:14   0:00
> /usr/sbin/sshd -D -r

^^ this sshd process (pid=8) is listening to the network.

> root        19  0.0  0.0  29028  4084 ?        Ss   01:14   0:00  \_
> sshd: nsadmin [priv]

^^ this one (pid=19) is the privilege separation monitor process.

> nsadmin     21  0.0  0.0  29028  2668 ?        S    01:14   0:00    
> \_ sshd: nsadmin at pts/0

^^ this one is the low-privilege child process.

> Later, (after login then logout)...
> 
> root at 4871a0e3589e:/# ps auxf
> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME
> COMMAND
> root         8  0.0  0.0  26468  3772 ?        S+   01:14   0:00
> /usr/sbin/sshd -D -r

^^ the listener process is still here.

> nsadmin     21  0.0  0.0      0     0 ?        Z    01:14   0:00
> [sshd] <defunct>

This process was previously a child of the monitor process on pid=19,
but its parent has already exited, so it's not around to call waitpid()
to reap it.

In this situation, init is supposed to do the reaping since pid=21 is
clearly orphaned. See https://en.wikipedia.org/wiki/Zombie_process for
a bit more detail on how this is supposed to flow.

This might be your problem:
https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list