Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-19499: Terminal Sessions May Hang if dzdo is Audited and Has Output Piped Under /bin/sh

Authentication Service ,  

10 September,19 at 02:04 PM

Problem:

It may be noticed that after enabling the Centrify DirectAudit agent to audit the dzdo command, and the user has a /bin/sh shell, some commands involving dzdo may cause the terminal shell to hang and not respond to inputs. This mostly affects Solaris and RedHat machines.

For example, if the following command is run to enable auditing of dzdo:  

[root@solaris]# dacontrol -e -c /usr/share/centrifydc/bin/dzdo 


Then run dainfo to verify:

[root@solaris]# dainfo
Pinging adclient: adclient is available
Daemon status: Online
......
DirectAudit NSS module: Inactive
User (root) audited status: No
DirectAudit is configured to audit the following command(s):
/usr/share/centrifydc/bin/dzdo


Then login with a user whose shell is set to /bin/sh, and try running a command like the following:

[user]@solaris:~$ dzdo cat /etc/passwd | grep normal

It has been found that the terminal session will hang. Even after trying "ctrl-c."



Cause:

For some commands (e.g. dzdo, sudo) that open /dev/tty directly, cdash will save the terminal attributes, set the terminal to raw mode, then restore the saved terminal attributes. In addition, as far as it is known, some other commands (e.g. more, less) will also do the same thing (save, set, restore) as cdash. When cdash runs with those commands together (e.g. dzdo cat /etc/passwd | more), the ultimate status of terminal might be quite random. For example, if cdash or more/less is the first one to save the terminal attributes and is also the last one to restore the terminal attributes, then terminal won't hang; otherwise, the terminal will hang (without echo).




Resolution:

Its difficult to fix this issue completely since the piped commands (more/less) are out of Centrify's control. However, Centrify has made the following improvements in the CentrifyDC 5.6.0 (Centrify Infrastructure Services suite 19.6) release: 

            - cdash will save the terminal attributes as soon as it starts to lower the possibility of saving an unexpected terminal
              attributes.
            - Providing a no-ship parameter (cdash.exit.make.tty.sane) so that cdash will set the terminal to 'sane' mode instead of
              restoring the previous saved attributes. The default value is false.
            - If the terminal is frozen, the  'stty sane' command can be run to bring it back to normal.
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

No related Articles