Mailing List Archive

agent-ptrace regression test failing in Ubuntu 22.04
I'm having the agent-ptrace consistently fail under Ubuntu 22.04. This
is under a pristine Ubuntu 22.04 VM. If I set the envar SUDO=sudo I get:

make[1]: Entering directory '/home/parallels/openssh-portable/regress'
run test agent-ptrace.sh ...
ptrace succeeded?: exit code 1
failed disallow agent ptrace attach

The contents of gdb.out are:

GNU gdb (Ubuntu 12.0.90-0ubuntu1) 12.0.90
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/parallels/openssh-portable/ssh-agent...
Attaching to program: /home/parallels/openssh-portable/ssh-agent,
process 54674
Could not attach to process. If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf
ptrace: Inappropriate ioctl for device.
/home/parallels/openssh-portable/regress/54674: No such file or directory.
(gdb)

I don't know if GDB changed their wording but it certainly seems like
the test should pass. If I update the egrep then it does pass but I'm
not sure if that's legit. Anyway, I used the following:

diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
index feef5241..e5e5d32f 100644
--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@@ -54,7 +54,7 @@ EOF
if [ $r -ne 0 ]; then
fail "gdb failed: exit code $r"
fi
- egrep 'ptrace: Operation not permitted.|procfs:.*Permission
denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable
to access task ' >/dev/null ${OBJ}/gdb.out
+ egrep 'ptrace: Operation not permitted.|procfs:.*Permission
denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable
to access task |Could not attach to process.' >/dev/null ${OBJ}/gdb.out
r=$?
rm -f ${OBJ}/gdb.out
if [ $r -ne 0 ]; then
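Review bot: the alternative added on the `+` egrep line, `Could not attach to process.`, is looser than the existing ones. It matches gdb's generic attach-failure sentence rather than a permission error, and in the gdb.out above that sentence is followed by "ptrace: Inappropriate ioctl for device.", not "Operation not permitted". As written, the test would also pass when the attach fails for an unrelated reason. Consider matching a more specific part of the message, such as the ptrace_scope hint gdb prints with it, and escaping the dots, which currently match any character.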


Chris
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: agent-ptrace regression test failing in Ubuntu 22.04
I'm also seeing a similar issue with the test agent-getpeereid.
Under Ubuntu 20.04 the test to add user nobody has a return value of 2
which indicates that it wasn't able to attach. In Ubuntu 22.04 I'm
getting a return value of 1. This is with the V_9_0_P1 branch.

Specifically here:
    if test -z "$sudo" ; then
        # doas
        ${SUDO} -n -u ${UNPRIV} ${SSHADD} -l 2>/dev/null
    else
        # sudo
        < /dev/null ${SUDO} -S -u ${UNPRIV} ${SSHADD} -l 2>/dev/null
    fi
    r=$?
    if [ $r -lt 2 ]; then
        fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
    fi

Under Ubuntu 22.04 it does fail but the return value seems to be different.

If I get rid of the redirects to /dev/null and print the value of r I
get the following on 22.04:
run test agent-getpeereid.sh ...
The agent has no identities.
r is 1
Sorry, user parallels is not allowed to execute
'/home/parallels/openssh-portable/ssh-add -l' as nobody on
parallels-Parallels-Virtual-Platform.
r is 1
ssh-add did not fail for nobody: 1 < 2
failed disallow agent attach from other uid

Under 20.04 I get the following:
run test agent-getpeerid.sh ...
The agent has no identities.
r is 1
Could not open a connection to your authentication agent.
r is 2
ok disallow agent attach from other uid

Again, it looks like there was a change in the wording and exit codes.
Possibly related to sudo? On 20.04 sudo is version 1.8.31. Under 22.04
it's version 1.9.9. Seems like it might also be causing problems in
agent-restrict.

Chris


On 10/26/22 11:26 AM, Chris Rapier wrote:
> I'm having the agent-ptrace consistently fail under Ubuntu 22.04. This
> is under a pristine Ubuntu 22.04 VM. If I set the envar SUDO=sudo I get:
>
> make[1]: Entering directory '/home/parallels/openssh-portable/regress'
> run test agent-ptrace.sh ...
> ptrace succeeded?: exit code 1
> failed disallow agent ptrace attach
>
> The contents of gdb.out are:
>
> GNU gdb (Ubuntu 12.0.90-0ubuntu1) 12.0.90
> Copyright (C) 2022 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> Type "show copying" and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <https://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
>     <http://www.gnu.org/software/gdb/documentation/>.
>
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from /home/parallels/openssh-portable/ssh-agent...
> Attaching to program: /home/parallels/openssh-portable/ssh-agent,
> process 54674
> Could not attach to process.  If your uid matches the uid of the target
> process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
> again as the root user.  For more details, see /etc/sysctl.d/10-ptrace.conf
> ptrace: Inappropriate ioctl for device.
> /home/parallels/openssh-portable/regress/54674: No such file or directory.
> (gdb)
>
> I don't know if GDB changed their wording but it certainly seems like
> the test should pass. If I update the egrep then it does pass but I'm
> not sure if that's legit. Anyway, I used the following:
>
> diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
> index feef5241..e5e5d32f 100644
> --- a/regress/agent-ptrace.sh
> +++ b/regress/agent-ptrace.sh
> @@ -54,7 +54,7 @@ EOF
>         if [ $r -ne 0 ]; then
>                 fail "gdb failed: exit code $r"
>         fi
> -       egrep 'ptrace: Operation not permitted.|procfs:.*Permission
> denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable
> to access task ' >/dev/null ${OBJ}/gdb.out
> +       egrep 'ptrace: Operation not permitted.|procfs:.*Permission
> denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable
> to access task |Could not attach to process.' >/dev/null ${OBJ}/gdb.out
>         r=$?
>         rm -f ${OBJ}/gdb.out
>         if [ $r -ne 0 ]; then
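Review bot: both egrep lines in this hunk are hard-wrapped (the pattern breaks after "Permission" and after "Unable"), so the patch will not apply as posted, and a pattern pasted from it would contain newlines. Resend it as an attachment or with line wrapping disabled. While the line is being touched, `grep -E` could replace `egrep`, which newer GNU grep releases warn is obsolescent.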
>
>
> Chris
Re: agent-ptrace regression test failing in Ubuntu 22.04
On Thu, 27 Oct 2022 at 04:52, Chris Rapier <rapier@psc.edu> wrote:
[...]
> Again, it looks like there was a change in the wording and exit codes.
> Possibly related to sudo? On 20.04 sudo is version 1.8.31. Under 22.04
> it's version 1.9.9. Seems like it might also be causing problems in
> agent-restrict.

I just ran into this on a new Ubuntu install. I'd previously worked
with Val Baranov off-list debugging a similar problem and wrote some
additional logging for the test, however I never got around to
committing it until now.

It does indeed seem to be a problem with sudo-1.9.9: it prompts for a
password for a command with a full path even though the (stock, in
this case) configuration says not to. It seems to be fixed in sudo
1.9.11. I'm not sure what can be done other than updating sudo or
skipping these tests with known affected versions.

%sudo ALL=(ALL:ALL) NOPASSWD: ALL

$ sudo --version | head -1 # Ubuntu 22.04
Sudo version 1.9.9
$ </dev/null sudo -S -u nobody id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
$ cp `which id` . && </dev/null sudo -S -u nobody `pwd`/id
[sudo] password for builder:
sudo: no password was provided
sudo: a password is required

$ sudo --version | head -1 # Debian sid
Sudo version 1.9.11p3
$ </dev/null sudo -u nobody id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
$ cp `which id` .; </dev/null sudo -u nobody `pwd`/id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: agent-ptrace regression test failing in Ubuntu 22.04
On Thu, 1 Dec 2022 at 13:57, Darren Tucker <dtucker@dtucker.net> wrote:
[...]
> It does indeed seem to be a problem with sudo-1.9.9: it prompts for a
> password for a command with a full path

In my case, the prompt is misleading because what it's complaining
about is that "nobody" did not have execute permission on one of the
directories in the path to ssh-add. "chmod o+x"-ing that directory
and the test passes. Newer sudo versions (eg 1.9.12) are more
descriptive:

$ cp `which id` . && </dev/null /usr/local/bin/sudo -S -u nobody `pwd`/id
sudo: unable to execute /home/builder/id: Permission denied

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
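
The failure described in the last message comes down to one directory on the way to ssh-add lacking search permission for "nobody". As an added example (not part of the thread or of the OpenSSH regress suite), this shell function finds that directory before the tests are run. The function name and its optional stop-directory argument are made up for illustration, and it assumes the unprivileged user reaches the path only through the "other" permission bits (no group membership, no ACLs).

```shell
#!/bin/sh
# Added example: pre-flight check for regress tests that run a binary from
# the build tree as an unprivileged user via sudo/doas.

# first_blocked_dir PATH [TOP]   (hypothetical helper)
# Walks the directories from PATH's parent up to TOP (default /) and looks
# for ones that lack the "other" execute (search) bit.
# Prints the blocked directory closest to TOP and returns 1, or prints
# nothing and returns 0 when every directory is searchable by "other".
first_blocked_dir() {
    target=$1
    top=${2:-/}
    case $target in
        /*) ;;
        *) target=$(pwd)/$target ;;
    esac
    dir=$(dirname "$target")
    blocked=
    while :; do
        # Character 10 of the ls mode string is the "other" execute bit:
        # x or t means searchable, - or T means not.
        mode=$(ls -ld -- "$dir" | cut -c10)
        case $mode in
            x|t) ;;
            *) blocked=$dir ;;
        esac
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    if [ -n "$blocked" ]; then
        printf '%s\n' "$blocked"
        return 1
    fi
    return 0
}

# Typical use from the build directory (path is a placeholder):
#   first_blocked_dir "$PWD/ssh-add" || echo "fix with: chmod o+x <dir>"
```

A non-zero return means sudo -u nobody will fail before ssh-add ever runs, so the test's exit code would reflect sudo's failure rather than the agent's refusal.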