[Bug 1092329] New: plasma5-workspace: plasmashell inherits file descriptors to child processes
http://bugzilla.suse.com/show_bug.cgi?id=1092329

Bug ID: 1092329
Summary: plasma5-workspace: plasmashell inherits file descriptors to child processes
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: KDE Workspace (Plasma)
Assignee: fabian@ritter-vogt.de
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: astieger@suse.com, kbabioch@suse.com, lnussel@suse.com, matthias.gerstner@suse.com, security-team@suse.de
Found By: ---
Blocker: ---

Finding from Leap 15 general audit in bug 1090647.

When logging into a KDE plasma session in Leap 15, a couple of file descriptors are inherited to child processes. Example:

- log into a plasma session
- open a `konsole`
- `ls -lh /proc/$$/fd` will show things like these:

    lrwx------ 1 mgerstner users 64 May 8 11:55 0 -> /dev/pts/0
    l-wx------ 1 mgerstner users 64 May 8 11:55 1 -> //dev/pts/0
    lrwx------ 1 mgerstner users 64 May 8 11:55 10 -> /dev/pts/0
    lrwx------ 1 mgerstner users 64 May 8 11:55 18 -> socket:[28235]
    lrwx------ 1 mgerstner users 64 May 8 11:55 2 -> /dev/pts/0
    lrwx------ 1 mgerstner users 64 May 8 11:55 255 -> /dev/pts/0
    lrwx------ 1 mgerstner users 64 May 8 11:55 27 -> socket:[28284]
    lrwx------ 1 mgerstner users 64 May 8 11:55 30 -> socket:[28301]
    lrwx------ 1 mgerstner users 64 May 8 11:55 31 -> socket:[28283]
    lrwx------ 1 mgerstner users 64 May 8 11:55 33 -> socket:[28311]
    lrwx------ 1 mgerstner users 64 May 8 11:55 34 -> socket:[28302]
    lrwx------ 1 mgerstner users 64 May 8 11:55 36 -> socket:[28321]
    lrwx------ 1 mgerstner users 64 May 8 11:55 46 -> /memfd:pulseaudio (deleted)
    lrwx------ 1 mgerstner users 64 May 8 11:55 48 -> socket:[33459]
    lrwx------ 1 mgerstner users 64 May 8 11:55 49 -> socket:[33460]
    lr-x------ 1 mgerstner users 64 May 8 11:55 50 -> /usr/share/sounds/Oxygen-Sys-Special.ogg
    lrwx------ 1 mgerstner users 64 May 8 11:55 55 -> socket:[33466]
    lrwx------ 1 mgerstner users 64 May 8 11:55 56 -> socket:[33467]

It looks like these are opened by `plasmashell` process which is luckily already running as the logged in user and not as root. The amount and kind of open files is differing. Most times only unix domain sockets are left around.

Child processes can happily read from and write to these sockets. It is unclear to me what their purpose is. Some of them seem to echo the data sent to them.

While this should not pose a direct security issue it is very unclean. For example even after a `su -` to become root the file descriptors are inherited. So they can cross security boundaries. It might also confuse applications and reduces the amount of available file descriptors for each process.

Whichever process is responsible for opening these files in the first place should set the `O_CLOEXEC` flag to avoid inheriting these file descriptors to arbitrary child processes.

The same (or similar) situation is also found on Leap 42.3 by the way so this is probably an issue that exists for a longer while now. A test with the Gnome desktop on the other hand showed no extra open files.
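Added example, not part of the bug report and not code from plasmashell: a small Linux C program that shows the behaviour described above, using a Unix domain socket opened with and without close-on-exec and checked from an exec'd `/bin/sh` through `/proc/$$/fd`. The helper names (`open_unix_socket`, `fd_is_inheritable`, `set_cloexec`, `survives_exec`) are hypothetical, and a mounted `/proc` is assumed.

```c
/* Constructed demo; helper names are hypothetical, not plasmashell code. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unix domain socket, opened with or without close-on-exec. */
int open_unix_socket(int cloexec) {
    return socket(AF_UNIX, SOCK_STREAM | (cloexec ? SOCK_CLOEXEC : 0), 0);
}

/* 1: open without FD_CLOEXEC (children get it), 0: close-on-exec, -1: not open. */
int fd_is_inheritable(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : !(flags & FD_CLOEXEC);
}

/* Retrofit close-on-exec on a descriptor that was opened without it. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* fork + exec /bin/sh, which checks its own /proc/$$/fd as in the report.
 * Returns 1 if fd is still open after exec, 0 if not, -1 on error. */
int survives_exec(int fd) {
    char cmd[64];
    int status;
    snprintf(cmd, sizeof cmd, "[ -L /proc/$$/fd/%d ]", fd);
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127); /* exec itself failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) > 1 ? -1 : WEXITSTATUS(status) == 0;
}

int main(void) {
    int leaky = open_unix_socket(0), tidy = open_unix_socket(1);
    printf("plain socket:      survives exec = %d\n", survives_exec(leaky));
    printf("SOCK_CLOEXEC:      survives exec = %d\n", survives_exec(tidy));
    set_cloexec(leaky);
    printf("after set_cloexec: survives exec = %d\n", survives_exec(leaky));
    return 0;
}
```

`fd_is_inheritable` can be run over every entry of `/proc/self/fd` in a process about to spawn children to find descriptors that would leak the same way.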
http://bugzilla.suse.com/show_bug.cgi?id=1092329#c5
--- Comment #5 from Fabian Vogt
I simply started konsole from the start menu.
Indeed, that doesn't use kinit, but QProcess directly. I still can't reproduce the issue.
Process tree looks like this:
    mgerstn+ 3829 1 3828 3828 0 1081851 140840 1 12:20 ? 00:00:04 /usr/bin/plasmashell
    mgerstn+ 4129 3829 3828 3828 0 219461 41088 0 12:20 ? 00:00:01 /usr/bin/konsole
    mgerstn+ 4134 4129 4134 4134 0 4440 6884 0 12:20 pts/0 00:00:00 /bin/bash
    mgerstn+ 9613 4134 9613 4134 0 9265 3812 1 13:10 pts/0 00:00:00 ps -ejHF

It doesn't happen the same every time. But after doing a fresh login it happens nearly always for me.
Is plasmashell the first process in the hierarchy with those fds leaked? Can you provide the plasmashell log (either kquitapp5 plasmashell; plasmashell) or the system journal? I'll give it a try on a live media.
http://bugzilla.suse.com/show_bug.cgi?id=1092329#c9
Fabian Vogt
Did you find something by now (given your submission referencing this bug)?
Yes, but in an unrelated library: if libqalculate (unrelated to Plasma, but used in krunner and plasmoids) was loaded, it leaks two fds as part of a pipe. That's fixed now, but shouldn't impact the leaked sockets, memfd or .ogg file. I managed to leak three sockets from plasmashell (which I'll investigate), but never the other sockets, pulseaudio memfd or .ogg file.
In the attachment you can find the log of plasmashell running in the foreground. I started it from a sane shell without leaked FDs. A konsole started from this plasmashell had leaked FDs again.
It's easily reproducible in my virtual machine setup for the current Leap 15 RC. Initially I did a clean install with KDE desktop environment, logged into plasma, started konsole and there it was.
I tested with disabled sound notifications (as far as I found this possible) and with enabled qemu sound emulation but the situation did not change with regard to the leaked sockets.
On my Tumbleweed install with the libqalculate patch, neither krunner nor plasmashell leak even a single fd. Maybe it's related to the update notification, which is disabled on TW (PackageKit can't do zypper dup). I'll give it another try tomorrow.