close stderr of persistent proxy command if not in debug mode

The patch should likely be first applied to upstream. If the parent becomes a new persistent connection master daemon, stderr of the proxy command should be detached, too, similar to the master daemon's stderr, as changed in openssh-portable@d2d6bf864e52af8491a60dd507f85b74361f5da3, upstream@4fb726f0fdcb155ad419913cea10dc4afd409d24 and discussed in bz#1988. Signed-off-by: Steffen Prohaska <prohaska@zib.de>
sprohaska · Oct 27, 2018 · 4839382 · 4839382
1 parent 262d81a
commit 4839382
Showing 1 changed file with 32 additions and 6 deletions.
diff --git a/sshconnect.c b/sshconnect.c
@@ -78,6 +78,7 @@ static int matching_host_key_dns = 0;
 static pid_t proxy_command_pid = 0;
 
 /* import */
+extern int debug_flag;
 extern Options options;
 extern char *__progname;
 
@@ -99,6 +100,33 @@ expand_proxy_command(const char *proxy_command, const char *user,
 	return ret;
 }
 
+/*
+ * If the parent may become a new master daemon in `control_persist_detach()`,
+ * keep stderr of the proxy command in debug mode, so that error messages get
+ * printed on the user's terminal.  But detach stderr in non-debug mode,
+ * because the proxy command will run as a daemon.
+ */
+static void
+prepare_proxy_stderr()
+{
+	int devnull;
+
+	if (!options.control_persist || debug_flag) {
+		return;
+	}
+
+	if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
+		error("%s: open(\"/dev/null\"): %s", __func__,
+		    strerror(errno));
+		return;
+	}
+
+	if (dup2(devnull, STDERR_FILENO) == -1)
+		error("%s: dup2: %s", __func__, strerror(errno));
+	if (devnull > STDERR_FILENO)
+		close(devnull);
+}
+
 /*
  * Connect to the given ssh server using a proxy command that passes a
  * a connected fd back to us.
@@ -140,10 +168,8 @@ ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host, u_short port,
 		if (sp[0] >= 2)
 			close(sp[0]);
 
-		/*
-		 * Stderr is left as it is so that error messages get
-		 * printed on the user's terminal.
-		 */
+		prepare_proxy_stderr();
+
 		argv[0] = shell;
 		argv[1] = "-c";
 		argv[2] = command_string;
@@ -219,8 +245,8 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port,
 		/* Cannot be 1 because pin allocated two descriptors. */
 		close(pout[1]);
 
-		/* Stderr is left as it is so that error messages get
-		   printed on the user's terminal. */
+		prepare_proxy_stderr();
+
 		argv[0] = shell;
 		argv[1] = "-c";
 		argv[2] = command_string;