init: don't hold /dev/console open

Bug #486005 reported by Casey Dahlin on 2009-11-20
This bug affects 1 person
Affects           Status        Importance  Assigned to                       Milestone
upstart                         Medium      Scott James Remnant (Canonical)
upstart (Fedora)  Fix Released  Medium
upstart (Ubuntu)                Medium      Scott James Remnant (Canonical)

Bug Description

The SAK key (mappable with loadkeys or Alt+Sysrq+K with magic sysrq enabled) can kill Upstart because Upstart maintains an open fd to /dev/console. As far as I know Upstart no longer needs to do this.

Basically this means people using the SAK key to verify GDM before logging in get a kernel panic instead.

Description of problem:

SAK (Alt-SysRq-K) is no longer working in X. When this combination is pressed to restart the X server, the system just hangs without even syncing to disk, the display is corrupted, and the magic key is not working.

Workaround:

If you need to log in to a server or workstation from the graphical console, you can switch to a text console (tty2..tty6), use SAK to clean the console of any malicious software left by the previous user, then log in to the system, verify the owner of the GDM and X processes or just kill them, then switch back to tty1 and log in to the system using the graphical console.

How reproducible:

Always.

Steps to Reproduce:
1. Boot Fedora in graphic mode.
2. Press Alt-SysRq-K

Actual results:

System hangs without syncing to disk due to a kernel panic: "Kernel panic - not syncing: Attempted to kill init!"

Expected results:

X server and GDM are restarted.

This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 10 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

This still happens with F12, please see https://bugzilla.redhat.com/show_bug.cgi?id=528260

Nice example of racism in Open Source.

Yes, this bug still exists in Fedora 11/12.

Strange. I didn't get any mails about being assigned this bug, never seen it before.

First question: Are you really running initng? The bug is classified as initng, but I see nothing in the description that indicates that initng is really used. If you ARE using initng, I can recommend switching to upstart as initng isn't maintained all that much anymore.

Currently, I use upstart-0.3.11-1.fc11.i586 on my notebook.

The problem is not in the initialization subsystem itself (init, initng or upstart). The problem is in the configuration of the init subsystem and/or kernel behaviour.

When the SysRq-K combination (SAK) is pressed on tty1, the *kernel* kills *all* processes on this tty, including all daemons and including the init process, and then hangs because the init process is killed. It is a *bad idea* to use SAK on tty1.

In a public environment (e.g. a computer class in a school) SAK is highly recommended; otherwise a smart child will leave a slightly modified version of GDM running and will fool the next user.

Unfortunately, the X server has been moved from tty7 to tty1, so there is no other protection from smart children except a reboot.

To fix that problem, upstart must be configured to use any tty other than tty1 for the X server. Moreover, tty1 should not be used to log in to the system at all, and the SAK key should be disabled for tty1 in the kernel.

Ok. I'll change the assignee then to the one responsible for upstart.

If SAK is killing *init* something else weird is going on, it has nothing to do with where the X server is.

> If SAK is killing *init* something else weird is going on, it has nothing to do with where the X server is.

SAK kills *all* processes on tty1, including all daemons, including init.

Quote from kernel/Documentation/SAK.txt:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
On the PC keyboard, SAK kills all applications which have /dev/console opened. Unfortunately this includes a number of things which you don't actually want killed.

This is because these applications are incorrectly holding /dev/console open. Be sure to complain to your Linux distributor about this!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[vlisivka@apollo 1]$ sudo fuser -v /dev/console
                     USER        PID ACCESS COMMAND
/dev/console:        root          1 F.... init
                     root       1258 F.... rsyslogd
[vlisivka@apollo 1]$ sudo fuser -v /dev/tty1
                     USER        PID ACCESS COMMAND
/dev/tty1:           root       1878 F.... Xorg

SAK on tty1 will kill Xorg and /sbin/init with rsyslogd.
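
The fuser check above can be scripted so that it answers one question directly: does PID 1 hold /dev/console open? The following is an added example, not code from this thread or from Upstart; it walks /proc/PID/fd and lists the processes holding a device open. The function names and the optional PROC_ROOT argument are assumptions made for illustration, and the sample tree is constructed to mirror the fuser output quoted above.

```shell
#!/bin/sh
# Added example: report which processes hold a device open by reading the
# /proc/PID/fd symlinks, the same information `fuser -v` prints.
# PROC_ROOT (second argument) is an assumption so the function can be run
# against a constructed tree; it defaults to the real /proc.

# holders DEVICE [PROC_ROOT] -> prints "PID COMM" for each process with DEVICE open
holders() {
    dev=$1
    root=${2:-/proc}
    for piddir in "$root"/[0-9]*; do
        [ -d "$piddir/fd" ] || continue
        for fd in "$piddir"/fd/*; do
            # readlink fails for fds we may not inspect or that have gone away
            target=$(readlink "$fd" 2>/dev/null) || continue
            if [ "$target" = "$dev" ]; then
                pid=${piddir##*/}
                comm=$(cat "$piddir/comm" 2>/dev/null || echo '?')
                echo "$pid $comm"
                break   # one line per process is enough
            fi
        done
    done | sort -n
}

# init_exposed [PROC_ROOT] -> succeeds if PID 1 holds /dev/console open
init_exposed() {
    holders /dev/console "${1:-/proc}" | grep -q '^1 '
}

# Constructed sample tree: init and rsyslogd on /dev/console, Xorg on /dev/tty1.
make_sample_proc() {
    root=$(mktemp -d)
    for spec in 1:init:/dev/console 1258:rsyslogd:/dev/console 1878:Xorg:/dev/tty1; do
        pid=${spec%%:*}; rest=${spec#*:}
        mkdir -p "$root/$pid/fd"
        echo "${rest%%:*}" > "$root/$pid/comm"
        ln -s "${rest#*:}" "$root/$pid/fd/0"
    done
    echo "$root"
}
```

On a live system run `holders /dev/console` as root, since an unprivileged user cannot read other users' fd directories. `init_exposed` succeeding means PID 1 still holds /dev/console open.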

Upstart definitely holds a /dev/console fd. Might be useful to just preclude pid 1 from SAKing.

If notting agrees I'll move this to kernel and write the patch.

Is there a real reason to hold a /dev/console fd?

Especially now that rhgb is dead and we don't need to do redirection in that way.

I'll move this into launchpad then and get Scott's input.

As far as I can tell, it's only held open simply because sysvinit used to - Upstart doesn't use it for anything and it could quite well be /dev/null instead

Changed in upstart:
status: New → Triaged
summary: - SAK/Alt+SysRq+k kills init
+ init: don't hold /dev/console open
Changed in upstart:
importance: Undecided → Medium

*** Bug 528260 has been marked as a duplicate of this bug. ***

Changed in upstart (Fedora):
status: Unknown → Confirmed
Changed in upstart:
status: Triaged → Fix Committed
milestone: none → 0.6.5
Changed in upstart:
assignee: nobody → Scott James Remnant (scott)
Changed in upstart (Ubuntu):
status: New → Fix Committed
importance: Undecided → Medium
assignee: nobody → Scott James Remnant (scott)

0.6.5 2010-02-04 "Our last, best hope for victory"

 * Since libnih has been separated out into its own project, Upstart
   no longer includes its source and now uses the installed version by
   default.

 * The external nih-dbus-tool means that cross-compilation is trivial,
   the path to it may be overridden with NIH_DBUS_TOOL=... as an
   argument to configure. (Bug: #426740)

 * Developers may still build against a local libnih source tree by
   passing --with-local-libnih=/path/to/libnih to configure.

 * There is a new initctl "reload" command, with matching
   /sbin/reload symlink. This sends the SIGHUP signal to the running
   main process of the named job instance.

 * Event operator matches in jobs now support "!=" in addition to the
   usual "=", e.g.:

  start on net-device-added INTERFACE!=eth*

   (Bug: #513035)

 * Moved D-Bus system bus reconnection trigger from SIGHUP to SIGUSR1,
   since SIGHUP is already used for a forced configuration reload and
   causes Upstart to "forget" state.

 * Fixed bug where the default runlevel would be lost when an
   /etc/inittab file exists without an initdefault line. (Bug: #405847)

 * Fixed "Unhandled error" message from shutdown. (Bug: #426332)

 * Fixed "Unhandled error" assertion crash from Upstart child
   processes when failing to spawn a job. (Bug: #451917)

 * No longer holds /dev/console open, so the SAK SysRq key will not
   kill Upstart. (Bug: #486005)

 * Restored sync() call before reboot().

 * Added missing OPTIONS section to init(8) manpage. (Bug: #449883)

Changed in upstart:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package upstart - 0.6.5-1

---------------
upstart (0.6.5-1) lucid; urgency=low

  * New upstream release:
    - libnih has been separated out into its own project.
    - "start on" and "stop on" now support != matches. LP: #513035.
    - Fixed crash in child when unable to spawn job. LP: #451917.
    - No longer holds /dev/console open so SAK won't kill init. LP: #486005.
    - Added missing OPTIONS section to init(8). LP: #449883.

  [ Scott James Remnant ]
  * Build-depend on libnih-dev, libnih-dbus-dev and nih-dbus-tool to use
    the separated out libnih.
    - This has the fix for LP: #436758.
    - Remove changelog.nih from the doc directory.
  * Bump udev build-dependency to 147 to match upstream.
  * udev/Makefile.am: Update to use external libnih

  [ Johan Kiviniemi ]
  * udev/upstart-udev-bridge.c: Change -device-remove to -device-removed to
    match -device-added and -device-changed. LP: #516698.
 -- Scott James Remnant <email address hidden> Thu, 04 Feb 2010 16:30:10 -0800

Changed in upstart (Ubuntu):
status: Fix Committed → Fix Released

This is fixed in 0.6.5. Can the reporter or anyone else verify its absence on F13?

works as expected on my F13 with upstart-0.6.5-3.fc13.i686

Changed in upstart (Fedora):
importance: Unknown → Medium
status: Confirmed → Fix Released