diff -up openssh-6.6p1/monitor_wrap.c.audit-race openssh-6.6p1/monitor_wrap.c --- openssh-6.6p1/monitor_wrap.c.audit-race 2016-02-23 13:43:59.958203930 +0100 +++ openssh-6.6p1/monitor_wrap.c 2016-02-23 13:43:59.959203930 +0100 @@ -1456,4 +1456,31 @@ mm_audit_destroy_sensitive_data(const ch mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m); buffer_free(&m); } + +int mm_forward_audit_messages(int fdin) +{ + static char fb[256]; + size_t fblen; + do { + fblen = atomicio(read, fdin, fb, sizeof(fb)); + if (fblen == 0) { + // atomicio read returns EPIPE also with EOF + if (errno != EPIPE) { + error("%s: Failed to read the messages from child", __func__); + return -1; + } + return 0; + } + fblen = atomicio(vwrite, pmonitor->m_recvfd, fb, fblen); + if (fblen == 0 && errno != EPIPE) { + error("%s: Failed to pass the messages to the monitor", __func__); + return -1; + } + } while(fblen > 0); + return 0; +} +void mm_set_monitor_pipe(int fd) +{ + pmonitor->m_recvfd = fd; +} #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-6.6p1/monitor_wrap.h.audit-race openssh-6.6p1/monitor_wrap.h --- openssh-6.6p1/monitor_wrap.h.audit-race 2016-02-23 13:43:59.958203930 +0100 +++ openssh-6.6p1/monitor_wrap.h 2016-02-23 13:43:59.959203930 +0100 @@ -86,6 +86,8 @@ void mm_audit_unsupported_body(int); void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t); void mm_audit_session_key_free_body(int, pid_t, uid_t); void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t); +int mm_forward_audit_messages(int); +void mm_set_monitor_pipe(int); #endif struct Session; diff -up openssh-6.6p1/session.c.audit-race openssh-6.6p1/session.c --- openssh-6.6p1/session.c.audit-race 2016-02-23 13:43:59.954203931 +0100 +++ openssh-6.6p1/session.c 2016-02-23 13:45:14.758194058 +0100 @@ -158,6 +159,10 @@ static Session *sessions = NULL; login_cap_t *lc; #endif +#ifdef SSH_AUDIT_EVENTS +int paudit[2]; +#endif + static int is_child = 0; static int have_dev_log = 1; @@ -891,6 +896,8 @@ do_exec(Session *s, const char *command) } if (s->command != NULL && s->ptyfd == -1) s->command_handle = PRIVSEP(audit_run_command(s->command)); + if (pipe(paudit) < 0) + fatal("pipe: %s", strerror(errno)); #endif if (s->ttyfd != -1) ret = do_exec_pty(s, command); @@ -906,6 +913,20 @@ do_exec(Session *s, const char *command) */ buffer_clear(&loginmsg); +#ifdef SSH_AUDIT_EVENTS + close(paudit[1]); + if (use_privsep && ret == 0) { + /* + * Read the audit messages from forked child and send them + * back to monitor. We don't want to communicate directly, + * because the messages might get mixed up. + * Continue after the pipe gets closed (all messages sent). + */ + ret = mm_forward_audit_messages(paudit[0]); + } + close(paudit[0]); +#endif /* SSH_AUDIT_EVENTS */ + return ret; } @@ -1718,12 +1739,27 @@ do_child(Session *s, const char *command struct passwd *pw = s->pw; int r = 0; +#ifdef SSH_AUDIT_EVENTS + close(paudit[0]); + /* Hack the monitor pipe to avoid race condition with parent */ + if (use_privsep) + mm_set_monitor_pipe(paudit[1]); +#endif + /* remove hostkey from the child's memory */ - destroy_sensitive_data(1); - /* Don't audit this - both us and the parent would be talking to the - monitor over a single socket, with no synchronization. */ + destroy_sensitive_data(use_privsep); + /* + * We can audit this, because we hacked the pipe to direct the + * messages over postauth child. But this message requires answer + * which we can't do using one-way pipe. + */ packet_destroy_all(0, 1); +#ifdef SSH_AUDIT_EVENTS + /* Notify parent that we are done */ + close(paudit[1]); +#endif + /* Force a password change */ if (s->authctxt->force_pwchange) { do_setusercontext(pw);