Your message dated Sat, 01 Apr 2017 20:19:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#859192: unblock: openssh/1:7.4p1-10
has caused the Debian Bug report #859192,
regarding unblock: openssh/1:7.4p1-10
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
859192: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859192
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock openssh 1:7.4p1-10, which has already built everywhere
and passed on ci.debian.net. This has one RC bug fix (#858252) and one
that I think verges on RC (#760422/#856825) since it causes some very
confusing problems for anyone with a separate /var. The fix for the
latter is a bit lengthy but it's almost entirely a mechanical
search-and-replace, with the sole exception being the addition of
--with-pid-dir=/run (the default is /var/run).
diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm 2017-03-16 13:42:23.000000000 +0000
+++ openssh-7.4p1/debian/.git-dpm 2017-03-30 11:18:22.000000000 +0100
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-35b2ea77a74348b575d680061f35ec7992b26ec8
-35b2ea77a74348b575d680061f35ec7992b26ec8
+904bc482ad87648a2c799c441dc6a8449f24e15a
+904bc482ad87648a2c799c441dc6a8449f24e15a
971a7653746a6972b907dfe0ce139c06e4a6f482
971a7653746a6972b907dfe0ce139c06e4a6f482
openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog 2017-03-16 13:43:15.000000000 +0000
+++ openssh-7.4p1/debian/changelog 2017-03-30 11:19:04.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:7.4p1-10) unstable; urgency=medium
+
+ * Move privilege separation directory and PID file from /var/run/ to /run/
+ (closes: #760422, #856825).
+ * Unbreak Unix domain socket forwarding for root (closes: #858252).
+
+ -- Colin Watson <[email protected]> Thu, 30 Mar 2017 11:19:04 +0100
+
openssh (1:7.4p1-9) unstable; urgency=medium
* Fix null pointer dereference in ssh-keygen; this fixes an autopkgtest
diff -Nru openssh-7.4p1/debian/openssh-server-udeb.dirs
openssh-7.4p1/debian/openssh-server-udeb.dirs
--- openssh-7.4p1/debian/openssh-server-udeb.dirs 2017-03-16
13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server-udeb.dirs 2017-03-30
11:18:21.000000000 +0100
@@ -1 +1 @@
-var/run/sshd
+run/sshd
diff -Nru openssh-7.4p1/debian/openssh-server.if-up
openssh-7.4p1/debian/openssh-server.if-up
--- openssh-7.4p1/debian/openssh-server.if-up 2017-03-16 13:42:18.000000000
+0000
+++ openssh-7.4p1/debian/openssh-server.if-up 2017-03-30 11:18:21.000000000
+0100
@@ -25,8 +25,8 @@
exit 0
fi
-if [ ! -f /var/run/sshd.pid ] || \
- [ "$(ps -p "$(cat /var/run/sshd.pid)" -o comm=)" != sshd ]; then
+if [ ! -f /run/sshd.pid ] || \
+ [ "$(ps -p "$(cat /run/sshd.pid)" -o comm=)" != sshd ]; then
exit 0
fi
diff -Nru openssh-7.4p1/debian/openssh-server.postinst
openssh-7.4p1/debian/openssh-server.postinst
--- openssh-7.4p1/debian/openssh-server.postinst 2017-03-16
13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.postinst 2017-03-30
11:18:21.000000000 +0100
@@ -111,7 +111,7 @@
setup_sshd_user() {
if ! getent passwd sshd >/dev/null; then
- adduser --quiet --system --no-create-home --home /var/run/sshd
--shell /usr/sbin/nologin sshd
+ adduser --quiet --system --no-create-home --home /run/sshd
--shell /usr/sbin/nologin sshd
fi
}
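Review bot: setup_sshd_user only creates the sshd account when it is absent, so installations upgraded from earlier versions keep the home directory /var/run/sshd recorded at that time and only fresh installs get /run/sshd. The daemon does not appear to use the privsep user's home directory (the chroot path is the compile-time --with-privsep-path set in debian/rules), so this is likely harmless, but a comment here, `# Existing accounts keep their old home; sshd does not rely on it`, or a one-off usermod on upgrade, would make the decision explicit. The rest of the postinst is outside this hunk.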
@@ -125,14 +125,14 @@
rm -f /etc/ssh/primes
fi
if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
- rm -f /var/run/sshd/.placeholder
+ rm -f /run/sshd/.placeholder
fi
if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \
which initctl >/dev/null && initctl version 2>/dev/null | grep -q
upstart && \
! status ssh 2>/dev/null | grep -q ' start/'; then
# We must stop the sysvinit-controlled sshd before we can
# restart it under Upstart.
- start-stop-daemon --stop --quiet --oknodo --pidfile
/var/run/sshd.pid || true
+ start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid
|| true
fi
if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
deb-systemd-helper debian-installed ssh.socket && \
@@ -146,7 +146,7 @@
[ -d /run/systemd/system ]; then
# We must stop the sysvinit-controlled sshd before we can
# restart it under systemd.
- start-stop-daemon --stop --quiet --oknodo --pidfile
/var/run/sshd.pid --exec /usr/sbin/sshd || true
+ start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid
--exec /usr/sbin/sshd || true
fi
fi
diff -Nru openssh-7.4p1/debian/openssh-server.preinst
openssh-7.4p1/debian/openssh-server.preinst
--- openssh-7.4p1/debian/openssh-server.preinst 2017-03-16 13:42:18.000000000
+0000
+++ openssh-7.4p1/debian/openssh-server.preinst 2017-03-30 11:18:21.000000000
+0100
@@ -7,9 +7,9 @@
if [ "$action" = upgrade ] || [ "$action" = install ]
then
if dpkg --compare-versions "$version" lt 1:5.5p1-6 && \
- [ -d /var/run/sshd ]; then
- # make sure /var/run/sshd is not removed on upgrades
- touch /var/run/sshd/.placeholder
+ [ -d /run/sshd ]; then
+ # make sure /run/sshd is not removed on upgrades
+ touch /run/sshd/.placeholder
fi
fi
diff -Nru openssh-7.4p1/debian/openssh-server.ssh.init
openssh-7.4p1/debian/openssh-server.ssh.init
--- openssh-7.4p1/debian/openssh-server.ssh.init 2017-03-16
13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.ssh.init 2017-03-30
11:18:21.000000000 +0100
@@ -66,9 +66,9 @@
check_privsep_dir() {
# Create the PrivSep empty dir if necessary
- if [ ! -d /var/run/sshd ]; then
- mkdir /var/run/sshd
- chmod 0755 /var/run/sshd
+ if [ ! -d /run/sshd ]; then
+ mkdir /run/sshd
+ chmod 0755 /run/sshd
fi
}
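Review bot: check_privsep_dir still creates /run/sshd and then chmods it in a second step, so the directory briefly carries the umask-derived mode; `mkdir -m 0755 /run/sshd` sets the mode at creation and matches the upstart job's `mkdir -p -m0755 /run/sshd` in the same upload. Since /run is normally volatile, this function now has to run on every sysvinit start, which is worth stating in the existing comment, `# /run is volatile: recreate the PrivSep dir on every start`. check_privsep_dir is contained entirely within the hunk.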
@@ -87,7 +87,7 @@
check_for_no_start
check_dev_null
log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
- if start-stop-daemon --start --quiet --oknodo --pidfile
/var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+ if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid
--exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
@@ -96,7 +96,7 @@
stop)
check_for_upstart 0
log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" || true
- if start-stop-daemon --stop --quiet --oknodo --pidfile
/var/run/sshd.pid; then
+ if start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid;
then
log_end_msg 0 || true
else
log_end_msg 1 || true
@@ -108,7 +108,7 @@
check_for_no_start
check_config
log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration"
"sshd" || true
- if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile
/var/run/sshd.pid --exec /usr/sbin/sshd; then
+ if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile
/run/sshd.pid --exec /usr/sbin/sshd; then
log_end_msg 0 || true
else
log_end_msg 1 || true
@@ -120,10 +120,10 @@
check_privsep_dir
check_config
log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
- start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile
/var/run/sshd.pid
+ start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile
/run/sshd.pid
check_for_no_start log_end_msg
check_dev_null log_end_msg
- if start-stop-daemon --start --quiet --oknodo --pidfile
/var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+ if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid
--exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
@@ -136,13 +136,13 @@
check_config
log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
RET=0
- start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd.pid
|| RET="$?"
+ start-stop-daemon --stop --quiet --retry 30 --pidfile /run/sshd.pid ||
RET="$?"
case $RET in
0)
# old daemon stopped
check_for_no_start log_end_msg
check_dev_null log_end_msg
- if start-stop-daemon --start --quiet --oknodo --pidfile
/var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+ if start-stop-daemon --start --quiet --oknodo --pidfile
/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
@@ -163,7 +163,7 @@
status)
check_for_upstart 1
- status_of_proc -p /var/run/sshd.pid /usr/sbin/sshd sshd && exit 0 ||
exit $?
+ status_of_proc -p /run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $?
;;
*)
diff -Nru openssh-7.4p1/debian/openssh-server.ssh.upstart
openssh-7.4p1/debian/openssh-server.ssh.upstart
--- openssh-7.4p1/debian/openssh-server.ssh.upstart 2017-03-16
13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.ssh.upstart 2017-03-30
11:18:21.000000000 +0100
@@ -21,7 +21,7 @@
test -x /usr/sbin/sshd || { stop; exit 0; }
test -e /etc/ssh/sshd_not_to_be_run && { stop; exit 0; }
- mkdir -p -m0755 /var/run/sshd
+ mkdir -p -m0755 /run/sshd
end script
# if you used to set SSHD_OPTS in /etc/default/ssh, you can change the
diff -Nru openssh-7.4p1/debian/patches/series
openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series 2017-03-16 13:42:23.000000000 +0000
+++ openssh-7.4p1/debian/patches/series 2017-03-30 11:18:21.000000000 +0100
@@ -33,3 +33,4 @@
ssh-keygen-hash-corruption.patch
ssh-keyscan-hash-port.patch
ssh-keygen-null-deref.patch
+unbreak-unix-forwarding-for-root.patch
diff -Nru openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch
openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch
--- openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch
1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch
2017-03-30 11:18:22.000000000 +0100
@@ -0,0 +1,80 @@
+From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001
+From: "[email protected]" <[email protected]>
+Date: Wed, 4 Jan 2017 05:37:40 +0000
+Subject: upstream commit
+
+unbreak Unix domain socket forwarding for root; ok
+markus@
+
+Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
+
+Origin:
https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
+Bug-Debian: https://bugs.debian.org/858252
+Last-Update: 2017-03-30
+
+Patch-Name: unbreak-unix-forwarding-for-root.patch
+---
+ serverloop.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/serverloop.c b/serverloop.c
+index c4e4699d..c55d203b 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
+ Channel *c = NULL;
+ char *target, *originator;
+ u_short originator_port;
++ struct passwd *pw = the_authctxt->pw;
++
++ if (pw == NULL || !the_authctxt->valid)
++ fatal("server_input_global_request: no/invalid user");
+
+ target = packet_get_string(NULL);
+ originator = packet_get_string(NULL);
+@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
+ /* XXX fine grained permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+ !no_port_forwarding_flag && !options.disable_forwarding &&
+- use_privsep) {
++ (pw->pw_uid == 0 || use_privsep)) {
+ c = channel_connect_to_path(target,
+ "[email protected]", "direct-streamlocal");
+ } else {
+@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void
*ctxt)
+ int want_reply;
+ int r, success = 0, allocated_listen_port = 0;
+ struct sshbuf *resp = NULL;
++ struct passwd *pw = the_authctxt->pw;
++
++ if (pw == NULL || !the_authctxt->valid)
++ fatal("server_input_global_request: no/invalid user");
+
+ rtype = packet_get_string(NULL);
+ want_reply = packet_get_char();
+@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void
*ctxt)
+
+ /* -R style forwarding */
+ if (strcmp(rtype, "tcpip-forward") == 0) {
+- struct passwd *pw;
+ struct Forward fwd;
+
+- pw = the_authctxt->pw;
+- if (pw == NULL || !the_authctxt->valid)
+- fatal("server_input_global_request: no/invalid user");
+ memset(&fwd, 0, sizeof(fwd));
+ fwd.listen_host = packet_get_string(NULL);
+ fwd.listen_port = (u_short)packet_get_int();
+@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void
*ctxt)
+ /* check permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+ || no_port_forwarding_flag || options.disable_forwarding ||
+- !use_privsep) {
++ (pw->pw_uid != 0 && !use_privsep)) {
+ success = 0;
+- packet_send_debug("Server has disabled port
forwarding.");
++ packet_send_debug("Server has disabled "
++ "streamlocal forwarding.");
+ } else {
+ /* Start listening on the socket */
+ success = channel_setup_remote_fwd_listener(
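Review bot: The fatal() message added to server_request_direct_streamlocal in the first nested hunk (`@@ -468,6 +468,10 @@`) names server_input_global_request, a copy of the text moved in the later hunk, so a log line from this check would point a reader at the wrong function. Use the function-name macro at both sites, `fatal("%s: no/invalid user", __func__);`, so each reports itself. The checks themselves are sound: both functions now reject a missing or unvalidated authctxt before any request data is read, and the uid-0 relaxation of the use_privsep condition in the two permission tests is reached only after that check, so pw is never dereferenced when null. Both enclosing functions start and end outside the quoted hunks.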
diff -Nru openssh-7.4p1/debian/rules openssh-7.4p1/debian/rules
--- openssh-7.4p1/debian/rules 2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/rules 2017-03-30 11:18:21.000000000 +0100
@@ -68,7 +68,8 @@
confflags += --disable-strip
confflags += --with-mantype=doc
confflags += --with-4in6
-confflags += --with-privsep-path=/var/run/sshd
+confflags += --with-privsep-path=/run/sshd
+confflags += --with-pid-dir=/run
# The Hurd needs libcrypt for res_query et al.
ifeq ($(DEB_HOST_ARCH_OS),hurd)
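Review bot: These two confflags lines are the only place the move away from /var/run is decided, yet nothing in debian/rules records why /run is used directly instead of the upstream default mentioned in the upload description; a comment above them, `# Use /run directly: /var/run may live on a separately mounted /var (#760422, #856825)`, keeps the rationale next to the setting. The rest of the confflags list is outside the hunk.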
diff -Nru openssh-7.4p1/debian/systemd/sshd.conf
openssh-7.4p1/debian/systemd/sshd.conf
--- openssh-7.4p1/debian/systemd/sshd.conf 2017-03-16 13:42:18.000000000
+0000
+++ openssh-7.4p1/debian/systemd/sshd.conf 2017-03-30 11:18:21.000000000
+0100
@@ -1 +1 @@
-d /var/run/sshd 0755 root root
+d /run/sshd 0755 root root
unblock openssh/1:7.4p1-10
--
Colin Watson [[email protected]]
--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Niels Thykier <[email protected]> (2017-04-01):
>>> unblock openssh/1:7.4p1-10
>>>
>>
>> Ack from here - CC'ing KiBi for a d-i ack.
>
> I'm not sure this affects d-i (and I haven't tried it), but no
> objections on principle.
>
>
> KiBi.
>
Unblocked, thanks.
~Niels
--- End Message ---