On 10/14/2021 10:32 PM, Darren Tucker wrote:
On Fri, 15 Oct 2021 at 13:15, mike tancsa <mike@xxxxxxxxxx> wrote:
[...]
OK, I think its related to these settings. On my RELENG_13 box, if I set
these vals, the sftp fails
sftp-server[22121]: fatal: unable to make the process untraceable: No
such process
sysctl -w security.bsd.see_other_uids=0
sysctl -w security.bsd.see_other_gids=0
The call is:
procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace)
The second argument is PID, presumably pid 0 is an alias for its own
pid although the man page does not mention this. Does it work if you
replace the 0 with getpid() ?
Thanks Darren! That seems to fix it both in my jailed instance on
RELENG_12 as well as on a couple of RELENG_13 boxes I tested on. I
tested with the attached diff against what was in the portable tarball.
I am not sure including the pid in the fatal error message is safe or
not, but I put it in there but it never got to that stage in my testing.
---Mike
--- platform-tracing.c 2021-09-26 10:03:19.000000000 -0400
+++ /tmp/platform-tracing.c 2021-10-15 06:00:05.606329000 -0400
@@ -15,7 +15,10 @@
*/
#include "includes.h"
-
+#if defined(HAVE_PROCCTL)
+#include <string.h>
+#include <unistd.h>
+#endif
#include <sys/types.h>
#ifdef HAVE_SYS_PROCCTL_H
#include <sys/procctl.h>
@@ -40,22 +43,25 @@
/* On FreeBSD, we should make this process untraceable */
int disable_trace = PROC_TRACE_CTL_DISABLE;
- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
- fatal("unable to make the process untraceable");
+ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
+ fatal("unable to make the process untraceable: %s for pid %d",
+ strerror(errno), (int)getpid());
#endif
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
if (prctl(PR_SET_DUMPABLE, 0) != 0 && strict)
- fatal("unable to make the process undumpable");
+ fatal("unable to make the process undumpable: %s",
+ strerror(errno));
#endif
#if defined(HAVE_SETPFLAGS) && defined(__PROC_PROTECT)
/* On Solaris, we should make this process untraceable */
if (setpflags(__PROC_PROTECT, 1) != 0 && strict)
- fatal("unable to make the process untraceable");
+ fatal("unable to make the process untraceable: %s",
+ strerror(errno));
#endif
#ifdef PT_DENY_ATTACH
/* Mac OS X */
if (ptrace(PT_DENY_ATTACH, 0, 0, 0) == -1 && strict)
- fatal("unable to set PT_DENY_ATTACH");
+ fatal("unable to set PT_DENY_ATTACH: %s", strerror(errno));
#endif
}
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev