This article describes an issue that has been found where if the dzdo command is being audited and the user has a /bin/sh shell it will case the terminal session to hang and the steps that can be taken to resolve the issue.
Problem:
It may be noticed that after enabling the Centrify DirectAudit agent to audit the dzdo command, and the user has a /bin/sh shell, some commands involving dzdo may cause the terminal shell to hang and not respond to inputs. This mostly affects Solaris and RedHat machines.
For example, if the following command is run to enable auditing of dzdo:
[root@solaris]# dainfo Pinging adclient: adclient is available Daemon status: Online ...... DirectAudit NSS module: Inactive User (root) audited status: No DirectAudit is configured to audit the following command(s): /usr/share/centrifydc/bin/dzdo
Then login with a user whose shell is set to /bin/sh, and try running a command like the following:
[user]@solaris:~$ dzdo cat /etc/passwd | grep normal
It has been found that the terminal session will hang. Even after trying "ctrl-c."
Cause:
For some commands (e.g. dzdo, sudo) that open /dev/tty directly, cdash will save the terminal attributes, set the terminal to raw mode, then restore the saved terminal attributes. In addition, as far as it is known, some other commands (e.g. more, less) will also do the same thing (save, set, restore) as cdash. When cdash runs with those commands together (e.g. dzdo cat /etc/passwd | more), the ultimate status of terminal might be quite random. For example, if cdash or more/less is the first one to save the terminal attributes and is also the last one to restore the terminal attributes, then terminal won't hang; otherwise, the terminal will hang (without echo).
Resolution:
Its difficult to fix this issue completely since the piped commands (more/less) are out of Centrify's control. However, Centrify has made the following improvements in the CentrifyDC 5.6.0 (Centrify Infrastructure Services suite 19.6) release:
- cdash will save the terminal attributes as soon as it starts to lower the possibility of saving an unexpected terminal attributes. - Providing a no-ship parameter (cdash.exit.make.tty.sane) so that cdash will set the terminal to 'sane' mode instead of restoring the previous saved attributes. The default value is false. - If the terminal is frozen, the 'stty sane' command can be run to bring it back to normal.