Your message dated Thu, 15 May 2025 05:34:04 +0000
with message-id <[email protected]>
and subject line Bug#1105097: fixed in mini-httpd 1.30-13
has caused the Debian Bug report #1105097,
regarding mini-httpd: chroot blacklisted by systemd unit file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1105097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105097
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mini-httpd
Version: 1.30-12
Severity: serious
Tags: patch, trixie

If the chroot directive is specified in mini-httpd.conf,
the mini_httpd process is killed when launched by systemd:

systemd[1]: mini-httpd.service: Job 5848 mini-httpd.service/start finished, result=done
systemd[1]: Started mini-httpd.service - mini_httpd server.
systemd[1]: mini-httpd.service: Child 12020 belongs to mini-httpd.service.
systemd[1]: mini-httpd.service: Main process exited, code=killed, status=31/SYS
systemd[1]: mini-httpd.service: Failed with result 'signal'.
systemd[1]: mini-httpd.service: Service will not restart (restart setting)
systemd[1]: mini-httpd.service: Changed running -> failed
systemd[1]: mini-httpd.service: Unit entered failed state.
systemd[1]: mini-httpd.service: Consumed 37ms CPU time.
systemd[1]: mini-httpd.service: Control group is empty.

Marked serious as this will break upgraded installs running in chroot.

Root cause appears to be systemd hardening merged in 1.30-10:

SystemCallFilter in the unit file is set to blacklist the @mount filter set.

Unfortunately, @mount includes the chroot syscall. The below patch explicitly
permits chroot. When the patch is applied, the service starts normally in 
chroot.

--- mini-httpd.service.default
+++ mini-httpd.service.modified
@@ -15,6 +15,7 @@
 CapabilityBoundingSet=~CAP_BPF CAP_LINUX_IMMUTABLE CAP_IPC_LOCK 
CAP_SYS_TTY_CONFIG \
                        CAP_SYS_BOOT CAP_MAC_* CAP_SYS_NICE CAP_SYS_RESOURCE 
CAP_SYS_PTRACE
 SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete 
@reboot @raw-io
+SystemCallFilter=chroot
 RestrictNamespaces=~uts ipc pid user cgroup
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
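Review bot: the added `SystemCallFilter=chroot` works only because it comes after the `SystemCallFilter=~@clock ... @mount ...` line: systemd lets the first SystemCallFilter= assignment fix the default action (here a deny-list) and later assignments of the other type remove entries from that set, so chroot is carved out of the deny set while mount, umount2 and the rest of @mount stay filtered. If a later edit moves the new line above the `~@...` line, the unit turns into an allow-list containing only chroot and mini_httpd is killed on its first other syscall. Suggest a comment next to the new line, e.g. `# chroot is part of @mount; keep this line below the ~@mount deny-list`, so the ordering survives future hardening passes.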
@@ -27,4 +28,4 @@
 LockPersonality=yes
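Review bot: this hunk records no change as pasted: its header counts four lines on each side, only one context line is visible and there are no `+` or `-` lines. If a second change was intended here, re-send the hunk in full; otherwise drop it from the patch.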

--- End Message ---
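The merge rule that makes the reporter's one-line patch work, and the journal signature of a seccomp kill, can be modelled in a few lines. The following is an added example, not code from the bug report or from the mini-httpd package. It assumes the SystemCallFilter= merging semantics documented in systemd.exec(5) (first assignment sets the default action, later assignments of the other type remove entries, an empty assignment resets), uses a constructed and deliberately incomplete group membership table (the real members come from `systemd-analyze syscall-filter @mount`), and builds its unit fragments and journal lines from the text quoted in the report above.

```python
"""Model of how systemd merges repeated SystemCallFilter= assignments and
how a seccomp kill shows up in the journal.  Added example; the group table
is a constructed subset, not systemd's real one."""
import re

# Constructed, abbreviated membership table (assumption: only the members
# needed to illustrate the report are listed; groups not listed here stay
# opaque tokens so the set arithmetic still works).
SYSCALL_GROUPS = {
    "@mount": {"chroot", "mount", "umount2", "pivot_root"},
    "@reboot": {"reboot", "kexec_load"},
    "@module": {"init_module", "finit_module", "delete_module"},
}


def expand(token):
    """Expand a @group token to its member syscalls; unknown groups stay opaque."""
    if token.startswith("@"):
        return set(SYSCALL_GROUPS.get(token, {token}))
    return {token}


def effective_filter(unit_text):
    """Merge every SystemCallFilter= line of a unit the way systemd does.

    Returns (mode, listed): mode is None (no filter), "allow" or "deny";
    listed is the set of syscall names that ended up in the list."""
    mode, listed = None, set()
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line.startswith("SystemCallFilter="):
            continue
        value = line[len("SystemCallFilter="):].strip()
        if value == "":                 # empty assignment resets the filter
            mode, listed = None, set()
            continue
        tokens = value.split()
        deny = tokens[0].startswith("~")
        if deny:
            tokens[0] = tokens[0][1:]   # strip the "~" deny-list marker
        names = set().union(*(expand(t) for t in tokens if t))
        if mode is None:                # first assignment fixes the default action
            mode = "deny" if deny else "allow"
            listed = names
        elif deny == (mode == "deny"):  # same type as the first line: extend the set
            listed |= names
        else:                           # opposite type: carve entries out of the set
            listed -= names
    return mode, listed


def action(unit_text, syscall):
    """What the filter does to `syscall` for this unit's processes.

    "kill" is the default SIGSYS termination (no SystemCallErrorNumber= set)."""
    mode, listed = effective_filter(unit_text)
    if mode is None:
        return "allow"
    if mode == "deny":
        return "kill" if syscall in listed else "allow"
    return "allow" if syscall in listed else "kill"


# Journal signature of a seccomp kill: status=31/SYS on the main process.
SIGSYS_RE = re.compile(
    r"(?P<unit>\S+\.service): Main process exited, code=killed, status=31/SYS")


def sigsys_kills(journal_lines):
    """Return the units whose main process was killed by SIGSYS, in log order."""
    return [m.group("unit") for line in journal_lines
            if (m := SIGSYS_RE.search(line))]


# Constructed unit fragments, built from the lines quoted in the bug report.
UNIT_1_30_12 = """[Service]
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @reboot @raw-io
RestrictNamespaces=~uts ipc pid user cgroup
"""
UNIT_PATCHED = UNIT_1_30_12.replace(
    "RestrictNamespaces", "SystemCallFilter=chroot\nRestrictNamespaces")
# Same two lines in the wrong order: the allow-list entry comes first.
UNIT_WRONG_ORDER = "[Service]\nSystemCallFilter=chroot\n" + UNIT_1_30_12.split("\n", 1)[1]

# Constructed journal excerpt, copied from the report.
JOURNAL = [
    "systemd[1]: Started mini-httpd.service - mini_httpd server.",
    "systemd[1]: mini-httpd.service: Main process exited, code=killed, status=31/SYS",
    "systemd[1]: mini-httpd.service: Failed with result 'signal'.",
]

if __name__ == "__main__":
    for label, unit in [("1.30-12", UNIT_1_30_12), ("patched", UNIT_PATCHED),
                        ("wrong order", UNIT_WRONG_ORDER)]:
        print(label, {s: action(unit, s) for s in ("chroot", "mount", "read")})
    print("SIGSYS kills:", sigsys_kills(JOURNAL))
```

Running it shows the three outcomes that matter here: the 1.30-12 unit kills chroot, the patched unit allows chroot while still killing mount, and the same two lines in the opposite order kill everything because the allow-list of a single syscall becomes the default. The `sigsys_kills` scan over journal output is the check to run after any SystemCallFilter= change, since `status=31/SYS` on the main process is the only hint systemd gives that a filter, not the daemon, ended the service.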
--- Begin Message ---
Source: mini-httpd
Source-Version: 1.30-13
Done: Alexandru Mihail <[email protected]>

We believe that the bug you reported is fixed in the latest version of
mini-httpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexandru Mihail <[email protected]> (supplier of updated mini-httpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 12 May 2025 18:25:39 +0300
Source: mini-httpd
Architecture: source
Version: 1.30-13
Distribution: unstable
Urgency: medium
Maintainer: Alexandru Mihail <[email protected]>
Changed-By: Alexandru Mihail <[email protected]>
Closes: 1105097
Changes:
 mini-httpd (1.30-13) unstable; urgency=medium
 .
   * Adds chroot syscall exception to SystemCallFilter in the service.
     This allows operation in chroot mode when using the service.
     (Closes:  #1105097)
   * Update copyright years for debian scripts.
Checksums-Sha1:
 43ed43e1a181cae9ee0d5e37b733eb66ad000323 1873 mini-httpd_1.30-13.dsc
 8d486865d6ae937078e6a0806d6a58ad99d613f1 19932 mini-httpd_1.30-13.debian.tar.xz
 83511ab63ecce7033ddee910ea58f37fa6dedff2 6584 mini-httpd_1.30-13_amd64.buildinfo
Checksums-Sha256:
 afd5d7552149f7de300be6dc8b36c2a25457a7990ad7ba34db107d4f87692cb9 1873 mini-httpd_1.30-13.dsc
 54e3e566b6e62a671b21982512dee50a3cb89aef964dd4e2f966e33a39b67987 19932 mini-httpd_1.30-13.debian.tar.xz
 cdb10d6eb0faebb1afaecd63f72cd1f724afd445b1dde8b9b1c8c011f7816c30 6584 mini-httpd_1.30-13_amd64.buildinfo
Files:
 3c94b9c2b5d3fc65bddca2c22679616e 1873 web optional mini-httpd_1.30-13.dsc
 a126d4e8a87b4f72b79d422fe88dbd35 19932 web optional mini-httpd_1.30-13.debian.tar.xz
 5b44cc4dda9d4e813735ff12c2c479a3 6584 web optional mini-httpd_1.30-13_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEQnSLnnbYmXmeH74Us6fPDIAYhs8FAmgleK8ACgkQs6fPDIAY
hs/ylw//RuN/ith0KohENLAJf86GPXMZCafRtOMOhRwMbr7mWA6NSAIOS9P9HCM4
ro1BPk37l51cPs/Vyc6Yppg53N7lAfdzMYO0VbU+KPdIDYZ0fwU0p0KHgQ5fKths
wWpCU0OolUT2ituhThw3PZ7BMLA7pnRsTzYKY8PvrH9sYbxlm92KQhT7jnCE2EVk
YHaxsKsnguzjbGrlEu1yMcUg/QeYmJF5pwPMgGzsyBUHwHExnuiggn37ZBnlLt/2
k3Ql/dMUwmYrLohGsi9YNK7KoVow96DvxYM7neXENFB1HuRFZ7b1OUcqGroAUblm
SYrq/TKr1FH4VeUoj420AveHCI8qXv00mxMuKCLT5+19LRLfdaQtgz3ZNlnt0JZ7
mdPR3bxeMJeFfHUAop2Qg4BCDkCanPYMgv4sgkA9HEm71lkMlZrxEJABK12lVZRX
wDcW30iegjsy3g6oAmKg8YXLapSjWvIF6kXvqZ18SFigmFWZfXgGRbcCEikSJMLU
8ONgh4sdIM3o/34jh7bw7qhZ4uUBxWJVZFaxBBWnBGgfVTTq1WuTYfwRz4FISsXe
a9TGxORehxxvwFsY9405VUJ5GU684xT+oxHj8rlGY9M0cLpSiOZSWIgfSF9QmLA8
4ZtPFoS5E68QYfvbCqzj9LouiaSJIctLwc8ngH5+oacP2HDFk2k=
=L+lb
-----END PGP SIGNATURE-----



--- End Message ---
