[Bug 1860822] Re: ptrace fails with yama/ptrace_scope=0

2020-01-26 Thread jklowden 
Seth, thank you kindly for your prompt and clear answer.  I modified
server.c and confirm that gdb can now attach to the child process.
Although prctl(PR_SET_DUMPABLE, 1) has no effect (and returns 0!) when
called before resetting privileges, it works after the gid has been
reset to the debugging process's gid.

I see where it's documented now.  PR_SET_DUMPABLE is not mentioned in
/etc/sysctl.d/10-ptrace.conf, but ptrace_scope in procfs(5) refers us to
ptrace(2), which says, under PTRACE_ATTACH, "Processes that are not
dumpable ... can not be attached via ptrace(2) PTRACE_ATTACH."  The
elided text refers to prctl(2), wherein the description of
PR_SET_DUMPABLE describes how processes come to have their dumpable flag
reset to 0.  It's all there if you know where to look.

Yet that's a bit thin, isn't it?  I missed it, and my question on SO
failed to elicit any pointer to PR_SET_DUMPABLE.  IMO the gdb message in
response to failing to attach is too wordy and basic.  The focus on
ptrace is almost misdirection, insofar as PTRACE_ATTACH is controlled by
the union of ptrace_scope and the dumpable flag.

I'm not sure what to suggest.  A note in the gdb man page would be good.
Maybe best would a file in /usr/share/doc/linux-doc describing
debugging, dumpability, and ptrace from a programmer's point of view.
ISTM one shouldn't have to understand the ptrace(2) syscall to use gdb
on running processes.

Thanks again for your help.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1860822

Title:
  ptrace fails with yama/ptrace_scope=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-signed/+bug/1860822/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1860822] [NEW] ptrace fails with yama/ptrace_scope=0

2020-01-24 Thread jklowden 
Public bug reported:

I cannot attach to a process with gdb despite setting ptrace_scope to 0.
The process has no capabilities, and is running under my uid & gid.

The process is a child, forked from a privileged program that has
divested itself of its parent's privileges.  The parent is setgid and
has some capabilities.  None of that is true of the child.

First, the OS:

$ lsb_release -rd
Description:Ubuntu 16.04 LTS
Release:16.04

The ptrace setting:

$ nl /proc/sys/kernel/yama/ptrace_scope 
 1  0

Me:

$ echo uid: $(id -u) gid: $(id -g)
uid: 1000 gid: 1000


The test program (source included with this PR): 

$ ls -ln server
-rwxrwsr-x 1 1000 1002 17760 Jan 24 17:30 server

$ getcap server
server = cap_dac_read_search,cap_sys_ptrace+ep

Please note it is setgid to the group 1002, not my gid.

The "server" program forks a child.  That child

1. reports its uid and gid: effective, real, and saved, and its capabilities
2. removes its capabilities with cap_set_proc and disclaims its gid with 
setregid(getgid(), getgid())
3. reports its uid and gid, and capabilities again
4. pauses with pause(2). 

Although the child reports everything is in order, gdb still cannot
attach to it.

To facilitate testing, the child writes its pid to a fifo named on the
command line.  That lets the following script read the pid from the fifo
and conveniently demonstrate the whole problem:

[snip]
$ echo q | sh -x ./run 
+ set -e
+ rm -f fifo
+ mkfifo fifo
+ ./server fifo
child 18876 paused awaiting SIGCONT
 inherited: user  1000, euser  1000
 inherited: group 1000, egroup 1002
 inherited: ruid  1000, euid  1000, suid 1000
 inherited: rgid  1000, egid  1002, sgid 1002
 inherited capabilities: '= cap_dac_read_search,cap_sys_ptrace+ep'
   new: user  1000, euser  1000
   new: group 1000, egroup 1000
   new: ruid  1000, euid  1000, suid 1000
   new: rgid  1000, egid  1000, sgid 1000
   new capabilities: '='
+ read pid
+ echo child is 18876
child is 18876
+ gdb -q -p 18876
Attaching to process 18876
Could not attach to process.  If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user.  For more details, see /etc/sysctl.d/10-ptrace.conf
ptrace: Operation not permitted.
(gdb) + kill -s CONT 18876
child exited
[pins]

This appears to be a bug that affects everyone using gdb on Ubuntu.  If
so, many dealing with privileged processes are working around it by
running gdb as root.  It's not clear to me that's an improvement on the
status quo ante, before the ptrace_scope control was introduced.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-169-generic 4.4.0-169.198
ProcVersionSignature: Ubuntu 4.4.0-169.198-generic 4.4.197
Uname: Linux 4.4.0-169-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.21
Architecture: amd64
Date: Fri Jan 24 17:03:29 2020
InstallationDate: Installed on 2016-07-15 (1288 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 
(20160420.3)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: linux-signed
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: linux-signed (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug xenial

** Attachment added: "Makefile, test program, and script to demonstrate"
   https://bugs.launchpad.net/bugs/1860822/+attachment/5322687/+files/cap.tar

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1860822

Title:
  ptrace fails with yama/ptrace_scope=0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-signed/+bug/1860822/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1836219] [NEW] pidfile_close prevents pidfile_remove from working

2019-07-11 Thread jklowden 
Public bug reported:

The whole pidfile_xxx suite, besides being unnecessarily complicated
compared to 1 function in NetBSD, does not do what it says on the tin.

Complications.  4 functions instead of one.  pidfile_open requires
pidptr, but doesn't use it.  The other functions require an argument
that the documentation says isn't needed, but is.

Error. Most important, pidfile_close modifies its argument such that
pidfile_remove can't use it: both the file descriptor and the name are
destroyed.

The following program and associated output illustrates the problem.

#include 
#include 
#include 

#include 

void
show_pfh( const char func[], struct pidfh * pfh ) {
  printf( "%s: fh = %d, name = %s\n", func, pfh->pf_fd, pfh->pf_path );
}

int
main(int argc, char *argv[])
{
  pid_t pid;
  
  struct pidfh * pfh = pidfile_open("/tmp/foo.pid", 0644, );

  if( !pfh ) {
err(EXIT_FAILURE, "pidfile_open");
  }
  show_pfh("open", pfh);
  
  if( -1 == pidfile_write(pfh) ) {
err(EXIT_FAILURE, "pidfile_write");
  }
  show_pfh("write", pfh);

  if( -1 == pidfile_close(pfh) ) {
err(EXIT_FAILURE, "pidfile_close");
  }
  show_pfh("close", pfh);

  if( -1 == pidfile_remove(pfh) ) {
err(EXIT_FAILURE, "pidfile_remove");
  }
  show_pfh("remove", pfh);

  return 0;
}
  
$ ./pid
open: fh = 3, name = /tmp/foo.pid
write: fh = 3, name = /tmp/foo.pid
close: fh = 0, name = 
pid: pidfile_remove: Invalid argument

$ grep -iE 'name|version' /etc/os-release 
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
UBUNTU_CODENAME=xenial

$ gcc --version | grep ^gcc
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609

$ ldd pid
linux-vdso.so.1 =>  (0x7fffc79b6000)
libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x7f72ee343000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7f72edf79000)
/lib64/ld-linux-x86-64.so.2 (0x7f72ee558000)

** Affects: libbsd (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1836219

Title:
  pidfile_close prevents pidfile_remove from working

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libbsd/+bug/1836219/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1736295] Re: awk script to render mdoc from man pages

2017-12-07 Thread jklowden 
On Thu, 07 Dec 2017 23:30:06 -
Joshua Powers  wrote:

> Matt was kind enough to respond, here is what he said:
> 
> ---
> Unfortunately development of Eucalyptus from an official corporate
> capacity has been halted. Since its an open source project, anyone
> can contribute PRs using github. The euca2ools github repository is
> at: https://github.com/eucalyptus/euca2ools
> ---
> 
> @jkl is proposing a merge on github something you would be willing to
> do?

Yes, can do.  This way, the script will be available to anyone who
wants it.  It doesn't sound like the euca2ools project any longer has
interest in producing mdoc man pages, but since it came up early in
my search for such a conversion tool, someone else looking for one may
find it there.  

Many thanks for your diligence.

--jkl

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1736295

Title:
  awk script to render mdoc from man pages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/euca2ools/+bug/1736295/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1736295] Re: awk script to render mdoc from man pages

2017-12-07 Thread jklowden 
On Thu, 07 Dec 2017 07:41:19 -
ChristianEhrhardt <1736...@bugs.launchpad.net> wrote:

> But I tried to contribute or even ping there fore you

Thank you for your efforts, Christian.  Much obliged.

--jkl

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1736295

Title:
  awk script to render mdoc from man pages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/euca2ools/+bug/1736295/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1736295] Re: awk script to render mdoc from man pages

2017-12-06 Thread jklowden 
On Wed, 06 Dec 2017 16:51:11 -
Joshua Powers  wrote:

> My suggestion is to open an account on the upstream atlassian site you
> linked to and submit a comment there with your fix. We only track
> ubuntu bugs here it would be better if your work were included
> directly in the upstream source

Hi Joshua,

Thanks, but I hereby give up.

I tried to open an account there.  I think I *did* create an account,
but that doesn't give me access to that project.  

I wrote the script.  I posted it.  The project doesn't offer any
contact information, let alone an email address.  If they want any
help, they have an odd way of showing it.  

If some human being contacts me with a willingness to work, instead of
bureaucratic blah-di-blah, I'll be happy to get involved.  But filling
out forms and opening useless accounts is why I left corporate
America.

Kind regards,

--jkl

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1736295

Title:
  awk script to render mdoc from man pages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/euca2ools/+bug/1736295/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1736295] [NEW] awk script to render mdoc from man pages

2017-12-04 Thread jklowden 
Public bug reported:

The attached awk script converts Help2Man output (troff -man macros) to
mdoc.  The results aren't perfect, but the script alleviates a lot of
the tedium in the conversion.

I would be willing to improve the script for the project's benefit if
the development team finds it useful.

It's my understanding this is an important outstanding TODO for the
project, per
https://eucalyptus.atlassian.net/projects/TOOLS/issues/TOOLS-677?filter=allopenissues.

** Affects: euca2ools (Ubuntu)
 Importance: Undecided
 Status: New

** Attachment added: "man2mdoc"
   https://bugs.launchpad.net/bugs/1736295/+attachment/5018569/+files/man2mdoc

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1736295

Title:
  awk script to render mdoc from man pages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/euca2ools/+bug/1736295/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1672058] [NEW] vis/unvis utilities missing from libbsd-dev

2017-03-11 Thread jklowden 
Public bug reported:

$ man vis | sed -ne '/SEE/,/^$/p'
SEE ALSO
 unvis(1), vis(1), snprintf(3), strlcpy(3), unvis(3)

The libbsd-dev package includes the man pages for the library functions,
and those pages refer to command-line utilities that are not included in
the package.  AFAICT, these utilities are not available in any Ubuntu
package.

It would be preferable to include the utilities, because it makes
working with the library easier.

If the utilities are not to be included for some reason, the man pages
should exclude them from SEE ALSO, which is a blind alley.  It would be
a kindness to the user to mention them (perhaps in a NOTES section) with
a pointer to a known source such as the NetBSD archive.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: libbsd-dev 0.8.2-1
ProcVersionSignature: Ubuntu 3.13.0-63.103-generic 3.13.11-ckt25
Uname: Linux 3.13.0-63-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.4
Architecture: amd64
Date: Sat Mar 11 12:17:47 2017
Dependencies:
 gcc-6-base 6.0.1-0ubuntu1
 libbsd0 0.8.2-1
 libc6 2.23-0ubuntu5
 libgcc1 1:6.0.1-0ubuntu1
InstallationDate: Installed on 2012-10-22 (1600 days ago)
InstallationMedia: Ubuntu-Server 12.04.1 LTS "Precise Pangolin" - Release amd64 
(20120817.3)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: libbsd
UpgradeStatus: Upgraded to xenial on 2016-12-15 (86 days ago)

** Affects: libbsd (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1672058

Title:
  vis/unvis utilities missing from libbsd-dev

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libbsd/+bug/1672058/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1053562] [NEW] no man page for syslogd

2012-09-20 Thread jklowden 
Public bug reported:

$ man syslogd
No manual entry for syslogd

It would be nice if /usr/share/man/man8/rsyslogd.8.gz were hard-linked
to /usr/share/man/man8/syslogd.8.gz.  The user seeking documentation
shouldn't have to remember, oh, right, on Ubuntu it's *r*syslogd.  I
briefly thought were was no logger daemon.

$ uname -rv
3.2.0-29-generic #46-Ubuntu SMP Fri Jul 27 17:03:23 UTC 2012

I'm using LTS 12.04.

** Affects: ubuntu
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1053562

Title:
  no man page for syslogd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1053562/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs