kern/72922: linux emulation: suid/sgid threaded applications
hang
Maxim Sobolev
sobomax at portaone.com
Thu Mar 10 05:00:16 PST 2005
The following reply was made to PR kern/72922; it has been noted by GNATS.
From: Maxim Sobolev <sobomax at portaone.com>
To: Andriy Gapon <avg at icyb.net.ua>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: kern/72922: linux emulation: suid/sgid threaded applications
hang
Date: Thu, 10 Mar 2005 14:56:41 +0200
I see. Try to replace the following line in kern_prot.c:
if (signum == SIGTHR && td->td_proc->p_leader != NULL &&
with the following:
if (signum >= SIGTHR && td->td_proc->p_leader != NULL &&
And let me know if it helps.
BTW, would be be interested in getting FreeBSD commit bit, so that you
can do the work by yourself? ;-)
-Maxim
Andriy Gapon wrote:
> on 09.03.2005 11:59 Maxim Sobolev said the following:
>
>>Hmm, that's pretty strange. Can you please fetch the following Linux
>>binary, make it suid root and try to run as ordinary user on your
>>system? I've used it to verify that my patch is in fact works - after
>>the change has been made it stopped hanging at my system.
>>
>>http://www.pbxpress.com/~sobomax/aqueue_linux
>>
>>It will make sense to execute that strmqm program under ktrace(8) with
>>-i flag (use ports/devel/linux_kdump to decode resulting trace) and send
>>me the output of linux_kdump. Maybe your version of linuxthreads uses
>>some different set of flags in linux_clone(), so that my heuristics fails.
>
>
> Maxim,
>
> 1. I've tried to follow your advice, but a new strange thing happened
> (or maybe it is not strange, but I never payed attention before): "-i"
> in "ktrace -i" doesn't work on suid/sgid applications, when run as
> normal user:
>
> # chmod 6550 ~/tmp/aqueue_linux
> # ls -l ~/tmp/aqueue_linux
> -r-sr-s--- 1 avg topspin 16804 9 ÂÅÒ 13:47 /home/avg/tmp/aqueue_linux
>
>
> $ ktrace -i ~avg/tmp/aqueue_linux -n 100
> pusher started
> poper started
> $ linux_kdump > kdump.out
> $ cat kdump.out
> 16103 ktrace RET linux_brk 0
> 16103 ktrace CALL linux_olduname(0xbfbfea4e,0xbfbfe95c,0xbfbfe96c)
> 16103 ktrace NAMI "/home/avg/tmp/aqueue_linux"
> 16103 ktrace NAMI "/compat/linux/lib/ld-linux.so.2"
>
> If I set permission back to normal executable, "-i" works again.
>
>
> 2. "ktrace -i" works if executed as super-user and strmqm still hangs.
> Here's some relevant info, whcih makes things quite obvious:
>
> # egrep 'fork|exec|clone|kill|signal' kdump.out
> 79953 strmqm CALL linux_clone(0xf00,0x8099370)
> 79953 strmqm RET linux_clone 79954/0x13852
> 79954 strmqm RET linux_fork 0
> 79954 strmqm CALL linux_clone(0xf21,0xbf3ffbd0)
> 79954 strmqm RET linux_clone 79955/0x13853
> 79955 strmqm RET linux_fork 0
> 79954 strmqm CALL linux_kill(0x13851,0x20)
> 79954 strmqm RET linux_kill 0
> 79955 strmqm CALL linux_kill(0x13851,0x20)
> 79955 strmqm RET linux_kill 0
> 79955 strmqm CALL linux_kill(0x13851,0x20)
> 79955 strmqm RET linux_kill 0
> 79955 strmqm CALL linux_kill(0x13851,0x20)
> 79955 strmqm RET linux_kill 0
> uucp:*:66:66:UUCP
> pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
> 79954 strmqm CALL linux_clone(0xf21,0xbf1ffbd0)
> 79954 strmqm RET linux_clone 79956/0x13854
> 79956 strmqm RET linux_fork 0
> 79954 strmqm CALL linux_kill(0x13851,0x20)
> 79954 strmqm RET linux_kill 0
> 79956 strmqm CALL linux_kill(0x13851,0x20)
> 79956 strmqm RET linux_kill 0
> 79953 strmqm CALL linux_kill(0x13854,0x20)
> 79953 strmqm RET linux_kill 0
> 79956 strmqm CALL linux_kill(0x13851,0x20)
> 79956 strmqm RET linux_kill 0
> 79956 strmqm CALL linux_kill(0x13851,0x20)
> 79956 strmqm RET linux_kill 0
> 79953 strmqm CALL linux_kill(0x13853,0x1c)
> 79953 strmqm RET linux_kill RESTART
> permitted' from pthread_kill.)
> | ('1 - Operation not permitted' from pthread_kill.)
> | "
> "| Comment1 :- '1 - Operation not permitted' from
> pthread_kill. |
> 79954 strmqm CALL linux_kill(0x13854,0x21)
> 79954 strmqm RET linux_kill RESTART
> 79954 strmqm CALL linux_kill(0x13853,0x21)
> 79954 strmqm RET linux_kill RESTART
>
> Looks like signal 32 is OK, but there are 28 and 33 in addition to it.
> 33 seems to be another Linux real-time signal and is probably used with
> linux threads for some purpose. Here's what I read in signal(7) Linux
> man page:
> <<<
> Linux supports real-time signals as originally defined in the POSIX.4
> real-time extensions (and now included in POSIX 1003.1-2001). Linux
> supports 32 real-time signals, numbered from 32 (SIGRTMIN) to 63
> (SIGRTMAX). (Programs should always refer to real-time signals using
> notation SIGRTMIN+n, since the range of real-time signal numbers varies
> across Unices.)
>
> Unlike standard signals, real-time signals have no predefined meanings:
> the entire set of real-time signals can be used for application-defined
> purposes.
>
> (Note, however, that the LinuxThreads implementation uses the first
> three real-time signals.)
>
> So probably 32,33,34 should be subject to your patch.
>
> I am not sure what signal 28 (SIGWINCH?) is used for (in this case), but
> most probably it is not thread-related and not application critical,
> because execution continues after that signal, but an error message is
> logged.
>
More information about the freebsd-emulation
mailing list