I'm also seeing a similar issue with the test agent-getpeereid.
Under Ubuntu 20.04 the test to add user nobody has a return value of 2
which indicates that it wasn't able to attach. In Ubuntu 22.04 I'm
getting a return value of 1. This is with the V_9_0_P1 branch.
Specifically here:
if test -z "$sudo" ; then
# doas
${SUDO} -n -u ${UNPRIV} ${SSHADD} -l 2>/dev/null
else
# sudo
< /dev/null ${SUDO} -S -u ${UNPRIV} ${SSHADD} -l
2>/dev/null
fi
r=$?
if [ $r -lt 2 ]; then
fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
fi
Under Ubuntu 22.04 it does fail but the return value seems to be different.
If I get rid of the redirects to /dev/null and print the value of r I
get the following on 22.04:
run test agent-getpeereid.sh ...
The agent has no identities.
r is 1
Sorry, user parallels is not allowed to execute
'/home/parallels/openssh-portable/ssh-add -l' as nobody on
parallels-Parallels-Virtual-Platform.
r is 1
ssh-add did not fail for nobody: 1 < 2
failed disallow agent attach from other uid
Under 20.04 I get the following:
run test agent-getpeerid.sh ...
The agent has no identities.
r is 1
Could not open a connection to your authentication agent.
r is 2
ok disallow agent attach from other uid
Again, it looks there was a change in the wording and exit codes.
Possibly related to sudo? On 20.04 sudo is version 1.8.31. Under 22.04
it's version 1.9.9. Seems like it might also be causing problems in
agent-restrict.
Chris
On 10/26/22 11:26 AM, Chris Rapier wrote:
I'm having the agent-ptrace consistently fail under Ubuntu 22.04. This
is under a pristine Ubuntu 22.04 VM. If I set the envar SUDO=sudo I get:
make[1]: Entering directory '/home/parallels/openssh-portable/regress'
run test agent-ptrace.sh ...
ptrace succeeded?: exit code 1
failed disallow agent ptrace attach
The contents of gdb.out are:
GNU gdb (Ubuntu 12.0.90-0ubuntu1) 12.0.90
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/parallels/openssh-portable/ssh-agent...
Attaching to program: /home/parallels/openssh-portable/ssh-agent,
process 54674
Could not attach to process. If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf
ptrace: Inappropriate ioctl for device.
/home/parallels/openssh-portable/regress/54674: No such file or directory.
(gdb)
I don't know if GDB changed their wording but it certainly seems like
the test should pass. If I update the egrep then it does pass but I'm
not sure if that's legit. Anyway, I used the following:
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
index feef5241..e5e5d32f 100644
--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@@ -54,7 +54,7 @@ EOF
if [ $r -ne 0 ]; then
fail "gdb failed: exit code $r"
fi
- egrep 'ptrace: Operation not permitted.|procfs:.*Permission
denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable
to access task ' >/dev/null ${OBJ}/gdb.out
+ egrep 'ptrace: Operation not permitted.|procfs:.*Permission
denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable
to access task |Could not attach to process.' >/dev/null ${OBJ}/gdb.out
r=$?
rm -f ${OBJ}/gdb.out
if [ $r -ne 0 ]; then
Chris
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev