sshd blocking SIGALARM turns out to be due to tcpd
Wietse Venema
wietse at porcupine.org
Thu Mar 2 08:41:49 EST 2006
Ian Jackson:
> I recently encountered a bug where some ssh login sessions would
> apparently inherit a blocked SIGALRM. A web search showed up two
> relevant threads:
> http://lists.suse.com/archive/suse-linux-e/2005-Dec/2628.html
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=113533337923128&w=2
> et seq - but sadly no answers.
>
> Experimentation with strace et al revealed the problem: the
> tcp-wrappers build I was using would use alarm(2) to time out of the
> ident (RFC931/1413) lookup, but failed to properly use sigsetjmp. I
> was using (basically) the Debian package (describing itself as version
> `7.6.dbs-8'), which had been patched to use sigsetjmp instead of plain
> setjmp but passed 0 for the 2nd argument. Changing it to pass 1 made
> it work.
>
> I have reported this bug to the Debian BTS and they will no doubt be
> passing it upstream more formally eventually, but I thought that since
> this problem is so mysterious I would document at least one possible
> cause in places where the symptoms had been seen already. See:
> http://bugs.debian.org/354855
> which contains a patch.
This could be introduced by third parties. The tcp wrapper does this:
if (setjmp(timebuf) == 0) {
signal(SIGALRM, timeout);
alarm(rfc931_timeout);
... stuff ...
alarm(0);
}
Thus, no dangling signal handlers.
Wietse
More information about the openssh-unix-dev
mailing list