vsftpd hangs with SIGCHLD when pam_exec.so is used
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vsftpd (Debian) | New | Unknown | |
vsftpd (Fedora) | Fix Released | High | |
vsftpd (Ubuntu) | Status tracked in Oracular | | |
Focal | Fix Released | Undecided | Christian Ehrhardt |
Jammy | Fix Released | Undecided | Christian Ehrhardt |
Noble | Invalid | Undecided | Unassigned |
Oracular | Invalid | Undecided | Unassigned |
Bug Description
[ Impact ]
* User impact: under certain conditions using pam_exec the vsftp server
just hangs
* Reason: when running sub-processes on login through pam_exec a process
is spawned. That can confuse vsftp if that child ends, triggering SIGCHLD, but
has already been picked up by e.g. pam_exec.so itself.
* Fix: The fix uses waitpid over wait to be able to pass options. With that
it sets WNOHANG in vsf_sysutil_wait except if it is explicitly called
to wait as done in common_do_login for the pre-login child.
Therefore these other calls now allow it to "return immediately if
no child has exited" as defined for WNOHANG in [1]
[1]: https:/
[ Test Plan ]
# install
$ apt install lftp vsftpd
# change config
$ sed -i.old '1 i\account optional pam_exec.so debug quiet /root/foo.sh\' /etc/pam.d/vsftpd
# script to run
$ cat > /root/foo.sh << EOF
#!/bin/bash
/bin/true
touch /tmp/brooks-
/bin/true
EOF
$ chmod +x /root/foo.sh
# enable ssl
$ sed -i -s -e 's/ssl_
$ systemctl restart vsftpd.service
# Place a file there
$ echo foobar > /home/ubuntu/egal
# set test PW to ubuntu user
$ echo 'ubuntu:ubuntu' | chpasswd
# Using it with ftps (and ignore cert verification as it is the snakeoil cert)
To verify the test config, if you run this in a second console you should see it calling the script as you act on the server.
$ tail -f /var/log/auth.log
...
2024-07-
Good case (Noble / Oracular):
root@n:~# lftp 127.0.0.1
lftp 127.0.0.1:~> set ftp:ssl-
lftp 127.0.0.1:~> set ssl:verify-
lftp 127.0.0.1:~> login ubuntu ubuntu
lftp ubuntu@127.0.0.1:~> dir
-rw-r--r-- 1 0 0 7 Jul 16 07:30 egal
lftp ubuntu@127.0.0.1:~> get egal
7 bytes transferred
lftp ubuntu@127.0.0.1:~>
exit
root@n:~# cat egal
foobar
Bad case (Focal and Jammy)
root@j:~# lftp 127.0.0.1
lftp 127.0.0.1:~> set ftp:ssl-
lftp 127.0.0.1:~> set ssl:verify-
lftp 127.0.0.1:~> login ubuntu ubuntu
lftp ubuntu@127.0.0.1:~> dir
`ls' at 0 [Sending commands...]
[ Where problems could occur ]
* This changes signal handling for SIGCHLD.
The code now returns cleanly if there was nobody to wait for, which formerly
would have caused the main process to die "Child died, so we'll do the same"
That is intentionally changed for the condition of the child already being
consumed.
If there is a use case of the child leaving which was meant to terminate
(unlikely, this is an unclean die call) it might no longer happen now.
[ Other Info ]
* The code is the same (only no-change rebuilds); still, this does not occur in
Noble and Oracular. At least not with the current test setup. That is slightly
disturbing.
Also in the reproduction we've seen that it only occurred with FTPS, but that
is not conceptually tied to the problem, it might only be yet another detail
that changes the timing and size of the signal race window.
Of course we can assume that it is just a race and the window is
different there, but then should we not fix it? Or we can assume something
else e.g. pam_exec has changed behavior to mask the issue and hence no vsftpd
change is needed there. I think it is wasted to research this for ages, but
it leaves some uncertainty.
---
When you try to run a script with pam_exec.so on login vsftpd freezes with SIGCHLD.
This was fixed in 2015 by Red Hat and never adopted to Debian/Ubuntu.
See also:
- https:/
- https:/
Related branches
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 118 lines (+96/-0), 3 files modified
debian/changelog (+7/-0)
debian/patches/0078-0026-Prevent-hanging-in-SIGCHLD-handler.patch (+88/-0)
debian/patches/series (+1/-0)
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 118 lines (+96/-0), 3 files modified
debian/changelog (+7/-0)
debian/patches/0076-0026-Prevent-hanging-in-SIGCHLD-handler.patch (+88/-0)
debian/patches/series (+1/-0)
Changed in vsftpd (Fedora): | |
importance: | Unknown → High |
status: | Unknown → Fix Released |
Changed in vsftpd (Debian): | |
status: | Unknown → New |
description: | updated |
description: | updated |
description: | updated |
The issue seems to appear also on RHEL7.
+++ This bug was initially created as a clone of Bug #1092877 +++
Description of problem:
The vsftpd hangs when the pam_exec.so is added to the /etc/pam.d/vsftpd.
-------
...
...
session include password-auth
session optional pam_exec.so /bin/echo
-------
Version-Release number of selected component (if applicable):
vsftpd-3.0.2-9.el7
How reproducible:
always
Steps to Reproduce:
1. add pam_exec.so calling echo to /etc/pam.d/vsftpd
2. add session_support=YES to /etc/vsftpd/vsftpd.conf
3. restart vsftpd
4. connect with a client to the vsftpd
5. login and send e.g. ls command
Actual results:
The vsftpd hangs in SIGCHLD handler
Expected results:
The vsftpd will work as intended.