Bug 55785

Summary: kppp: killing pppd after Alt-Ctrl-Bcksp shuts down FreeBSD
Product: [Applications] kppp
Reporter: J E Drews <j.e.drews>
Component: general
Assignee: Harri Porten <porten>
Status: RESOLVED WORKSFORME
Severity: crash
CC: hausmann
Priority: NOR    
Version: 2.1.2   
Target Milestone: ---   
Platform: Compiled Sources   
OS: FreeBSD   

Description J E Drews 2003-03-10 03:10:29 UTC
Version:           2.1.2 (using KDE 3.1.0)
Installed from:    compiled sources
Compiler:          gcc version 2.95.4 20020320 [FreeBSD]
OS:          FreeBSD (i386) release 4.8-RC

This bug report is related to:
http://bugs.kde.org/show_bug.cgi?id=23715

In FreeBSD, if a user account does ALT-CTRL-BACKSPACE to kill the KDE desktop, then kppp and pppd are still running. If the user account now kills the pppd pid, then the FreeBSD computer shuts down.

To Reproduce:
A) Configure Kppp as a user.
i) in /etc (as root) do touch resolv.conf
ii) in /etc/ppp (as root) do touch options
iii) Configure the rest of Kppp in your Kde user account session.
B) Demonstration of Bug:
1) Dial out with Kppp
2) After the connection is established do: Alt-Ctrl-Backspace
3) Still in the user account, do ps -aux | grep ppp
4) do (as user) kill pid-of-pppd
5) FreeBSD will now shut down
This is a partial output of the shutdown sequence:
$ kill 373  //pid of pppd
$ It was pppd that died
$ pppd exited with return value 1
$ sending 1 SIGUSR1
$ Mar 9 01:20:07 Hostname syslogd: exiting on signal 15
The computer then shuts down.
Comment 1 Michael Nottebrock 2003-03-10 03:24:23 UTC
It seems that sighandler_child in opener.cpp sends a SIGUSR1 to init (which results 
in a system shutdown, since it's part of kppp's setuid helper) while trying to kill its 
parent process. I don't know if getppid()'s behaviour of returning init as the parent 
process is bogus, however, if the rest of kppp is gone after a (forced) 
XFree86-crash, that might just be true. 
 
I think sighandler_child could use a bit of sanity checking before signalling anything 
to its alleged parent. This bug could be used as a first step to a local DOS attack, 
the second step needed would be to somehow force pppd to die (for example by 
pulling the cable, turning off the modem, etc). 
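
Added example (not part of the comment above and not kppp's code): one shape the sanity check suggested in Comment 1 could take, where the helper remembers the pid that started it and refuses to signal once getppid() no longer matches, for instance after being reparented to init. All function and variable names are hypothetical, and the demo orphans a helper on purpose to show the refusal.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names; this is not code from kppp's opener.cpp. */
static pid_t expected_parent = -1;  /* parent's getpid(), captured before fork() */

/* 1 only if `current` is still the process that started the helper. */
int parent_is_sane(pid_t expected, pid_t current)
{
    if (expected <= 1 || current <= 1)   /* unset, or init (pid 1) */
        return 0;
    return current == expected;          /* also rejects any other reaper */
}

/* getppid() and kill() are async-signal-safe, so this may run inside a
 * SIGCHLD handler. Returns -1 and signals nothing if the parent changed. */
int notify_parent(int signo)
{
    pid_t now = getppid();
    return parent_is_sane(expected_parent, now) ? kill(now, signo) : -1;
}

/* Demo: returns an orphaned helper's notify_parent() result, -2 on setup failure. */
int orphan_notify_result(void)
{
    int fd[2], r = -2;
    pid_t mid;
    if (pipe(fd) != 0 || (mid = fork()) < 0) return -2;
    if (mid == 0) {                      /* intermediate process (the GUI side) */
        pid_t me = getpid();
        if (fork() == 0) {               /* the helper */
            expected_parent = me;
            while (getppid() == me)      /* wait until the parent is gone */
                poll(NULL, 0, 1);
            r = notify_parent(SIGUSR1);
            if (write(fd[1], &r, sizeof r) < 0) _exit(1);
        }
        _exit(0);                        /* parent dies first, as in the report */
    }
    close(fd[1]);
    waitpid(mid, NULL, 0);
    if (read(fd[0], &r, sizeof r) != (ssize_t)sizeof r) r = -2;
    return r;
}

int main(void) { return orphan_notify_result() == -1 ? 0 : 1; }
```

The parent's pid is taken with getpid() before fork() rather than with getppid() in the child, because the parent may already be gone by the time the child first runs.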
Comment 2 Michael Nottebrock 2003-03-10 03:34:28 UTC
Related bug btw.: 23715 
Comment 3 Simon Hausmann 2003-07-07 10:28:32 UTC
One can argue whether this is a pppd bug or not, but it actually kills its entire 
process group when the connection is terminated (see also kill_my_pg in 
pppd/main.c). See also http://cr.yp.to/daemontools/faq/create.html#pgrphack 
Comment 4 J E Drews 2004-05-11 06:30:07 UTC
I don't know if this has been fixed. I stopped using Kde about 5 months ago.
Comment 5 J E Drews 2004-05-11 06:43:07 UTC
Just go ahead and close this -- it will never be fixed. FreeBSD has userland PPP.