[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] fix for ssh zombies introduced with r35533

From: Kyle McKay <mackyle_at_gmail.com>
Date: Tue, 21 Apr 2009 04:39:15 -0700

On Apr 21, 2009, at 04:15, Greg Hudson wrote:
> On Tue, 2009-04-21 at 00:34 -0400, James Y Knight wrote:
>> Perhaps the svnserve
>> process to notice that its *input* pipe had been closed, and abort
>> the
>> connection.
>
> It already does this; try running svnserve -t and hitting ctrl-D to
> terminate the input stream, and you'll see that it exits.
>
> (I don't know why that's not enough to solve the problem.)

It's not enough because Apple's sshd codebase is broken. I have filed
bug report rdar://6810722 with Apple about this. Here are some
details from an email exchange I've been having:

On Apr 20, 2009, at 23:53, Damien Miller wrote:
> On Mon, 20 Apr 2009, Kyle McKay wrote:
>
>> Thanks for your response.
>>
>> On Apr 20, 2009, at 23:10, Damien Miller wrote:
>>>
>>> This doesn't look like bug#85 based on what you sent below. It looks
>>> more like a whatever that you were running failing to notice its
>>> stdout
>>> closing.
>>
>> Actually after looking at this some more, I think Apple's sshd is
>> just
>> missing the Bug 85 patch and I think the debug messages back this up.
>
> No, Apple's sshd clearly does have the bug #85 patch:
>
>> debug2: channel 0: rcvd eow
>
> Would not be printed otherwise. Perhaps they have forcibly disabled
> USE_PIPES in session.c? It is required for the patch to correctly
> function.
>
>> And in this case sshd included the Bug 85 fix and so was using
>> pipes to
>> communicate with the child and the child therefore got a SIGPIPE on
>> the input
>> open -> closed transition and exited.
>
> No, in both cases the signalling between sshd and the child process is
> identical from the logs. There may be differences depending on whether
> Apple has modified their sshd to avoid using pipes (thwarting the
> half-close fix in the process), but you will need to post a full debug
> log from the server to tell.
>
> -d

Yup, you're right. Apple has disabled the USE_PIPES define in their
source code.

Here's the original file:

http://www.opensource.apple.com/darwinsource/10.5.6/OpenSSH-95.1.5/openssh/session.c.orig

And the file they're using:

http://www.opensource.apple.com/darwinsource/10.5.6/OpenSSH-95.1.5/openssh/session.c

Here's the diff:

--- session.c.orig
+++ session.c
@@ -424,7 +424,9 @@
        }
}

+#ifndef __APPLE__
#define USE_PIPES
+#endif
/*
  * This is called to fork and execute a command when we have no tty.
This
  * will call do_child from the child, and server_loop from the parent
after
@@ -2082,8 +2084,10 @@
                n_bytes = packet_remaining();
        tty_parse_modes(s->ttyfd, &n_bytes);

+#ifndef __APPLE_PRIVPTY__
        if (!use_privsep)
                pty_setowner(s->pw, s->tty);
+#endif

        /* Set window size from the packet. */
        pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
@@ -2321,9 +2325,11 @@
        if (s->pid != 0)
                record_logout(s->pid, s->tty, s->pw->pw_name);

+#ifndef __APPLE_PRIVPTY__
        /* Release the pseudo-tty. */
        if (getuid() == 0)
                pty_release(s->tty);
+#endif

        /*
         * Close the server side of the socket pairs. We must do this after

Thanks for your help.

Kyle

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1842264

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-04-21 13:40:37 CEST

This is an archived mail posted to the Subversion Users mailing list.