Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
Hi,

    With the commit below, OpenSSH portable 8.8 doesn't seem to work
with sftp on FreeBSD with RELENG_12 and RELENG_13.  sftp errors out with

sftp-server[89445]: fatal: unable to make the process untraceable

commit 2d678c5e3bdc2f5c99f7af5122e9d054925d560d
Author: David Carlier <devnexen@gmail.com>
Date:   Wed Sep 8 19:49:54 2021 +0100

    Disable tracing on FreeBSD using procctl.

    Placed at the start of platform_disable_tracing() to prevent declaration
    after code errors from strict C89 compilers (in the unlikely event that
    more than one method is enabled).

I opened a PR with the port maintainer

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259174

    ---Mike

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On Fri, 15 Oct 2021 at 10:48, mike tancsa <mike@sentex.net> wrote:
> With the commit below, OpenSSH portable 8.8 doesn't seem to work
> with sftp on FreeBSD with RELENG_12 and RELENG_13. sftp errors out with
>
> sftp-server[89445]: fatal: unable to make the process untraceable

As a data point, our github CI tests on FreeBSD 12 & 13 VMs and our
test suite passes on them. I have confirmed that both set
HAVE_PROCCTL and that the code is being compiled in and just run a
manual test on 13 which worked.

FreeBSD fbsd12 12.2-RELEASE-p3 FreeBSD 12.2-RELEASE-p3 GENERIC amd64

FreeBSD fbsd13 13.0-RELEASE FreeBSD 13.0-RELEASE #0
releng/13.0-n244733-ea31abc261f: Fri Apr 9 04:24:09 UTC 2021
root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
amd64

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On Fri, 15 Oct 2021 at 11:44, Darren Tucker <dtucker@dtucker.net> wrote:
[...]
> As a data point, our github CI tests on FreeBSD 12 & 13 VMs and our
> test suite passes on them. I have confirmed that both set
> HAVE_PROCCTL and that the code is being compiled in and just run a
> manual test on 13 which worked.

I just patched the VM images (usually the VMs are ephemeral) and it
also passed on those:

FreeBSD fbsd12 12.2-RELEASE-p7 FreeBSD 12.2-RELEASE-p7 GENERIC amd64

FreeBSD fbsd13 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24
07:33:27 UTC 2021
root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
amd64

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On 10/14/2021 8:44 PM, Darren Tucker wrote:
> On Fri, 15 Oct 2021 at 10:48, mike tancsa <mike@sentex.net> wrote:
>> With the commit below, OpenSSH portable 8.8 doesn't seem to work
>> with sftp on FreeBSD with RELENG_12 and RELENG_13. sftp errors out with
>>
>> sftp-server[89445]: fatal: unable to make the process untraceable
> As a data point, our github CI tests on FreeBSD 12 & 13 VMs and our
> test suite passes on them. I have confirmed that both set
> HAVE_PROCCTL and that the code is being compiled in and just run a
> manual test on 13 which worked.
>
Thanks, I am not sure why it's failing on these particular instances. I
tried just now on a separate box that has not had a previous version
installed and it doesn't show the same behaviour. I will keep looking to
see what's going on.

    ---Mike

Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On Fri, 15 Oct 2021 at 12:37, mike tancsa <mike@sentex.net> wrote:
> Thanks, I am not sure why it's failing on these particular instances. I
> tried just now on a separate box that has not had a previous version
> installed and it doesn't show the same behaviour. I will keep looking to
> see what's going on.

Did you start from a point where tracing is already disabled? I could
imagine the second attempt to disable it failing because it was
already disabled.

If nothing else we should at least include the errno in the message
when it fails:
https://github.com/openssh/openssh-portable/commit/fff13aaa262b7b3ec83ed21e29674cbf331780a7

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On 10/14/2021 9:45 PM, Darren Tucker wrote:
> Did you start from a point where tracing is already disabled? I could
> imagine the second attempt to disable it failing because it was
> already disabled.
>
> If nothing else we should at least include the errno in the message
> when it fails:
> https://github.com/openssh/openssh-portable/commit/fff13aaa262b7b3ec83ed21e29674cbf331780a7

Building now, but I need to include string.h, no?

On my RELENG_12 box (which is a jail)

Oct 14 22:03:04 internal-sftp[20149]: fatal: unable to make the process
untraceable: No such process


    ---Mike


Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On Fri, 15 Oct 2021 at 13:04, mike tancsa <mike@sentex.net> wrote:
[...]
> Building now, but I need to include string.h, no?

that or stdio.h, depends on platform. I noticed the warning and just
added both.

> On my RELENG_12 box (which is a jail)
>
> Oct 14 22:03:04 internal-sftp[20149]: fatal: unable to make the process
> untraceable: No such process

I'm not sure how jails change the rules, the FreeBSD folks would need
to weigh in.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On 10/14/2021 10:04 PM, mike tancsa wrote:
> On 10/14/2021 9:45 PM, Darren Tucker wrote:
>> Did you start from a point where tracing is already disabled? I could
>> imagine the second attempt to disable it failing because it was
>> already disabled.
>>
>> If nothing else we should at least include the errno in the message
>> when it fails:
>> https://github.com/openssh/openssh-portable/commit/fff13aaa262b7b3ec83ed21e29674cbf331780a7
>>
>
> Building now, but I need to include string.h, no?
>
> On my RELENG_12 box (which is a jail)
>
> Oct 14 22:03:04 internal-sftp[20149]: fatal: unable to make the
> process untraceable: No such process
>
OK, I think it's related to these settings. On my RELENG_13 box, if I set
these vals, the sftp fails

sftp-server[22121]: fatal: unable to make the process untraceable: No
such process

sysctl -w security.bsd.see_other_uids=0
sysctl -w security.bsd.see_other_gids=0

    ---Mike

Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On Fri, 15 Oct 2021 at 13:15, mike tancsa <mike@sentex.net> wrote:
[...]
> OK, I think it's related to these settings. On my RELENG_13 box, if I set
> these vals, the sftp fails
>
> sftp-server[22121]: fatal: unable to make the process untraceable: No
> such process
>
> sysctl -w security.bsd.see_other_uids=0
> sysctl -w security.bsd.see_other_gids=0

The call is:
procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace)

The second argument is PID, presumably pid 0 is an alias for its own
pid although the man page does not mention this. Does it work if you
replace the 0 with getpid() ?

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On 10/14/2021 10:32 PM, Darren Tucker wrote:
> On Fri, 15 Oct 2021 at 13:15, mike tancsa <mike@sentex.net> wrote:
> [...]
>> OK, I think it's related to these settings. On my RELENG_13 box, if I set
>> these vals, the sftp fails
>>
>> sftp-server[22121]: fatal: unable to make the process untraceable: No
>> such process
>>
>> sysctl -w security.bsd.see_other_uids=0
>> sysctl -w security.bsd.see_other_gids=0
> The call is:
> procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace)
>
> The second argument is PID, presumably pid 0 is an alias for its own
> pid although the man page does not mention this. Does it work if you
> replace the 0 with getpid() ?

Thanks Darren! That seems to fix it both in my jailed instance on
RELENG_12 as well as on a couple of RELENG_13 boxes I tested on. I
tested with the attached diff against what was in the portable tarball.
I am not sure including the pid in the fatal error message is safe or
not, but I put it in there but it never got to that stage in my testing.

    ---Mike
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On 10/14/2021 5:44 PM, Darren Tucker wrote:
> On Fri, 15 Oct 2021 at 10:48, mike tancsa <mike@sentex.net> wrote:
>> With the commit below, OpenSSH portable 8.8 doesn't seem to work
>> with sftp on FreeBSD with RELENG_12 and RELENG_13. sftp errors out with
>>
>> sftp-server[89445]: fatal: unable to make the process untraceable
>
> As a data point, our github CI tests on FreeBSD 12 & 13 VMs and our
> test suite passes on them. I have confirmed that both set
> HAVE_PROCCTL and that the code is being compiled in and just run a
> manual test on 13 which worked.
>
> FreeBSD fbsd12 12.2-RELEASE-p3 FreeBSD 12.2-RELEASE-p3 GENERIC amd64
>
> FreeBSD fbsd13 13.0-RELEASE FreeBSD 13.0-RELEASE #0
> releng/13.0-n244733-ea31abc261f: Fri Apr 9 04:24:09 UTC 2021
> root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
> amd64
>

I think the tests may need to be improved as pid==0 represents a pseudo
kernel process.

> #include <sys/procctl.h>
> #include <err.h>
> #include <unistd.h>
>
> int
> main(void)
> {
>     int disable_trace = PROC_TRACE_CTL_DISABLE;
>
>     if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace))
>         err(1, "procctl");
>
>     return 0;
> }

With 0 it runs through truss fine. (Which I don't think it should but
I'll take that up with FreeBSD)

> procctl(P_PID,0,PROC_TRACE_CTL,0x7fffffffe478) = 0 (0x0)


With getpid() truss gives an error since the process is already traced.

> getpid() = 77976 (0x13098)
> procctl(P_PID,77976,PROC_TRACE_CTL,0x7fffffffe478) ERR#16 'Device busy'



--
Bryan Drewery
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On Fri, 15 Oct 2021 at 13:07, Bryan Drewery <bdrewery@freebsd.org> wrote:
>
> I think the tests may need to be improved as pid==0 represents a pseudo
> kernel process.

This is being fixed, but for compatibility with existing versions
getpid() should indeed be used.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
On Tue, 19 Oct 2021 at 13:40, Ed Maste <emaste@freebsd.org> wrote:
>
> On Fri, 15 Oct 2021 at 13:07, Bryan Drewery <bdrewery@freebsd.org> wrote:
> >
> > I think the tests may need to be improved as pid==0 represents a pseudo
> > kernel process.
>
> This is being fixed, but for compatibility with existing versions
> getpid() should indeed be used.

This was fixed in FreeBSD by f833ab9dd187 but the procctl call should
be changed in openssh.
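
The fix the thread converges on (pass getpid() rather than 0 to procctl, and report errno on failure), followed by a status read-back, as an added example that is not part of any message above and is not OpenSSH's code. The names disable_tracing() and tracing_is_disabled() are hypothetical, and the Linux prctl branch is an assumption added so the example also builds off FreeBSD.

```c
/* Added example, not OpenSSH source; function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__FreeBSD__)
#include <sys/procctl.h>
#elif defined(__linux__)
#include <sys/prctl.h>  /* assumption: Linux stand-in so this builds off FreeBSD */
#endif

/* Returns 0 on success, otherwise the errno of the failed call. */
int disable_tracing(void)
{
#if defined(__FreeBSD__)
    int disable_trace = PROC_TRACE_CTL_DISABLE;
    /* Explicit pid: in the thread, id 0 failed with "No such process". */
    if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) != 0)
        return errno;
    return 0;
#elif defined(__linux__)
    return prctl(PR_SET_DUMPABLE, 0) != 0 ? errno : 0;
#else
    return ENOSYS;
#endif
}

/* Returns 1 if the kernel reports tracing as disabled, 0 otherwise. */
int tracing_is_disabled(void)
{
#if defined(__FreeBSD__)
    int status = 0;
    /* PROC_TRACE_STATUS stores -1 when tracing is disabled. */
    return procctl(P_PID, getpid(), PROC_TRACE_STATUS, &status) == 0 && status == -1;
#elif defined(__linux__)
    return prctl(PR_GET_DUMPABLE) == 0;
#else
    return 0;
#endif
}

int main(void)
{
    int e = disable_tracing();
    if (e != 0)
        fprintf(stderr, "unable to make the process untraceable: %s\n", strerror(e));
    return e != 0 || tracing_is_disabled() != 1;
}
```
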