OpenSSH server fails to terminate executed program under certain conditions
Lucas Mulling
lucas.mulling at suse.com
Wed Jun 4 04:58:25 AEST 2025
Hello,
We started experiencing failures in all architectures in a libssh test after
updating to OpenSSH 10.0p2. The test in question is
torture_channel_exit_signal, relevant code below:
rc = snprintf(request, sizeof(request), "cat");
[...]
/* Make the request, read parts with close */
rc = ssh_channel_request_exec(channel, request);
assert_ssh_return_code(session, rc);
rc = ssh_channel_request_send_signal(channel, "TERM");
assert_ssh_return_code(session, rc);
exit_status = ssh_channel_get_exit_state(channel,
&exit_status,
&exit_signal,
&core_dumped);
In debugging I've found that the test requests SIGTERM so fast that the server
-- OpenSSH -- has not had yet time to properly setup the child, resulting in
killpg from session_signal_req failing (see log bellow).
OpenSSH was build with:
./configure \
--with-pam \
--with-privsep-path=/var/lib/empty \
--with-systemd --libexecdir=$(pwd)
With an added log to:
@@ -1508,6 +1513,8 @@ do_child(struct ssh *ssh, Session *s, const char *command)
struct passwd *pw = s->pw;
int r = 0;
+ debug2("do child");
+
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
/* remove keys from memory */
Relevant log snippet:
debug3: send packet: type 99
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request signal reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req signal
debug1: session_signal_req: signal TERM, killpg(458610, 15)
debug1: temporarily_use_uid: 5001/9000 (e=5001/9000)
debug1: restore_uid: (unprivileged)
session_signal_req: status(0)
session_signal_req: killpg(458610, 15): No such process
debug2: do child
Note that do_child is called after killpg is called, this means (in my
understating) that the correct gid has not been setup for killpg to
work. This would, probably, not happen in a real world use case due to
network delays.
Could you clarify if this behaviour is intended?
More information about the openssh-unix-dev
mailing list