[sudo-workers] [BUG] iolog terminate process sent to background

Todd C. Miller Todd.Miller at courtesan.com
Tue Nov 21 21:09:30 MST 2017 

Here is what I see on Ubuntu 16.04.3 LTS:

linux-build [/tmp] % ./replicator.sh 
    log_output
/usr/bin/iperf3
running KO test
no sleep
iperf3 KO
iperf3: no process found
running OK test
sleeping 3s
iperf3 KO
iperf3: no process found

I don't see a difference between the sleep and no-sleep version.
That's the same output present in the bug you filed, BTW.

I had use_pty in an earlier test instead of log_output which makes
a difference when all of standard input, output and error are
redirected in recent sudo versions.  Using log_output, however, I
get the same as above.  Sorry about that.

Now, using iperf3 -D, I see:

nux-build [/tmp] % ./replicator.sh
    log_output
/usr/bin/iperf3
running KO test
no sleep
100424
iperf3 OK
running OK test
sleeping 3s
100433
iperf3 OK

The difference with -D is that it creates a new terminal session
(using the setsid system call) and so is not affected when the sudo
session ends.

Redirecting the standard input, output and error appears insufficient
because the command is still a member of the foreground process
group.  Here's what the Linux setpgid(2) says:

    If the session leader exits, then a SIGHUP signal will also
    be sent to each process in the foreground process group of
    the controlling terminal.

I would not have expected this to apply since the command is run
in the background, yet it seems to anyway.  If you run iperf3 via
strace you can see that it receives SIGHUP and terminates.

Instead of just redirecting to /dev/null, we can use the the setsid
utility to run the command in a new session.  E.g.

    setsid iperf3 -s >/dev/null 2>&1 &

However, there is a race condition between when the new session is
created and when the script finishes.  If the script completes
before the new session is created the command will still be killed
by SIGHUP.  Without a sleep the command is likely to be killed
before setsid can do its thing.

Here's your test running iperf3 via setsid:

linux-build [/tmp] % ./replicator.sh 
    log_output
/usr/bin/iperf3
running KO test
no sleep
iperf3 KO
iperf3: no process found
running OK test
sleeping 3s
100816
iperf3 OK

In summary, if you are going to run a background process from a
shell script run via sudo with I/O logging you'll need to arrange
to have the command run in a new session, either via a "daemon"
flag or by using the setsid utility.  Even using the setsid utility
it is still possible for a script to exit before the background
command's session is set up.

 - todd

More information about the sudo-workers mailing list