How sshd spawns and reuses pids
David Leadbeater
dgl at dgl.cx
Tue Jul 29 17:07:48 AEST 2025
On Tue, 29 Jul 2025 at 16:13, Gert Doering <gert at greenie.muc.de> wrote:
[...]
> sudo has recently grown the annoying behaviour of opening a pseudo-tty
> (pty) to run the command you specified in. Which might be reported as
> "a new session" (new pty, new process group, etc).
The option is called "use_pty", the default has changed in sudo
(https://github.com/sudo-project/sudo/issues/258) but some default
sudoers files (e.g. Ubuntu's) also enabled it, so how "recently" this
happened varies. You can turn it off with:
Defaults !use_pty
It is a hardening against some attacks, although Linux since 6.2 also
hardened TIOCSTI
(https://man7.org/linux/man-pages/man2/TIOCSTI.2const.html) and 6.7
TIOCLINUX, so depending on kernel versions it may be safe to change.
But this is getting off-topic for this list.
For Zak, simply try something like:
tty
sudo tty
With use_pty you'll see two different paths. I doubt any of this is
related to SSH; it seems like your code is assuming a tty is the same
as an SSH session, but just like PIDs, ttys can be reused.
On Tue, 29 Jul 2025 at 10:25, Damien Miller <djm at mindrot.org> wrote:
> Brute-forcing fork(2) until you get the PID you want is basically the
> only way for a user-space process to "select" a PID. I'd expect this to
> be pretty noisy as, to be effective, a process doing this would need to
> create a lot of processes and ideally hold them open until they hit the
> PID they wanted.
...while on the topic of Linux there are various APIs to change how
PIDs are assigned, some background in
https://lisas.de/~adrian/criu-and-the-pid-dance-article.pdf (but those
need some kind of admin level capability, so they aren't usually a
security concern).
The ns_last_pid mentioned there means it's pretty easy to predict PIDs
on Linux (assuming no grsecurity/other hardening patches):
bash -c 'read X </proc/sys/kernel/ns_last_pid; next=$((X+1)); echo $next'; bash -c 'echo $$'
[Assuming a quiet system, outputs same PID twice, once before the
process even runs.]
It also is possible to use inotify in order to watch PIDs, which can
make some PID choosing attacks more effective to pull off, see e.g.
Qualys's procps-ng audit report[1]. I don't think any of this is
relevant to the problem here, but thought I'd mention it, in case the
poster is assuming anything about PIDs.
David
[1]: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
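The point of the thread is that a PID (or a tty) is not a stable handle on a process, so logging or access-control code that records "the process with PID N" needs something that changes when N is recycled. As an added example (not part of the mailing-list post, and not OpenSSH or sudo code), the Python below keys a process on (pid, starttime) read from /proc/<pid>/stat, where field 22 is the start time in clock ticks since boot, and also shows the race-free alternative, a pidfd (os.pidfd_open, Linux 5.3+, Python 3.9+). It assumes a Linux /proc is mounted; the stat parser itself is platform-independent and handles a comm containing spaces or parentheses.

```python
"""Identify a Linux process by more than its PID.

Added illustration, not code from the thread. A recycled PID has a
different starttime in /proc/<pid>/stat, so a stale (pid, starttime)
record is rejected instead of being mistaken for the original process.
Assumes a Linux /proc; os.pidfd_open may be absent on older systems.
"""
import os
from typing import Optional, Tuple

ProcessIdentity = Tuple[int, int]  # (pid, starttime in clock ticks since boot)


def parse_stat(stat_text: str) -> Tuple[int, str, int, int]:
    """Parse one /proc/<pid>/stat line into (pid, comm, tty_nr, starttime).

    comm may contain spaces and parentheses, so split on the *last* ')'
    rather than on whitespace alone.
    """
    lparen = stat_text.index("(")
    rparen = stat_text.rindex(")")
    pid = int(stat_text[:lparen].strip())
    comm = stat_text[lparen + 1:rparen]
    rest = stat_text[rparen + 1:].split()
    # 'rest' begins at field 3 (state); tty_nr is field 7, starttime field 22.
    tty_nr = int(rest[7 - 3])
    starttime = int(rest[22 - 3])
    return pid, comm, tty_nr, starttime


def process_identity(pid: int) -> Optional[ProcessIdentity]:
    """Return (pid, starttime) for a live process, or None if it is gone."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            text = f.read()
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return None
    parsed_pid, _comm, _tty_nr, starttime = parse_stat(text)
    return parsed_pid, starttime


def current_process_identity() -> Optional[ProcessIdentity]:
    """Identity of the calling process (None where /proc is unavailable)."""
    return process_identity(os.getpid())


def same_process(identity: ProcessIdentity) -> bool:
    """True only if the PID still belongs to the process recorded earlier."""
    current = process_identity(identity[0])
    return current is not None and current == identity


def open_pidfd(pid: int) -> Optional[int]:
    """Return a file descriptor pinned to this exact process (Linux 5.3+).

    Unlike a bare PID the descriptor cannot be recycled under you;
    returns None where the kernel or Python build lacks pidfd support.
    """
    if not hasattr(os, "pidfd_open"):
        return None
    try:
        return os.pidfd_open(pid)
    except OSError:
        return None


if __name__ == "__main__":
    me = current_process_identity()
    if me is None:
        print("no /proc available on this system")
    else:
        print("this process:", me)
        print("record still valid:", same_process(me))
        # A record with a different starttime is a recycled PID, not us.
        print("stale record accepted:", same_process((me[0], me[1] + 1)))
        fd = open_pidfd(me[0])
        print("pidfd supported:", fd is not None)
        if fd is not None:
            os.close(fd)
```

Anything that needs to act on a process later (kill it, attribute its activity, tie it to a session) should store the pair, or hold a pidfd, rather than the PID alone; the ns_last_pid one-liner above shows how little a bare PID proves.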