[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#859192: unblock: openssh/1:7.4p1-10

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock openssh 1:7.4p1-10, which has already built everywhere
and passed on ci.debian.net.  This has one RC bug fix (#858252) and one
that I think verges on RC (#760422/#856825) since it causes some very
confusing problems for anyone with a separate /var.  The fix for the
latter is a bit lengthy but it's almost entirely a mechanical
search-and-replace, with the sole exception being the addition of
--with-pid-dir=/run (the default is /var/run).

diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm	2017-03-16 13:42:23.000000000 +0000
+++ openssh-7.4p1/debian/.git-dpm	2017-03-30 11:18:22.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-35b2ea77a74348b575d680061f35ec7992b26ec8
-35b2ea77a74348b575d680061f35ec7992b26ec8
+904bc482ad87648a2c799c441dc6a8449f24e15a
+904bc482ad87648a2c799c441dc6a8449f24e15a
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog	2017-03-16 13:43:15.000000000 +0000
+++ openssh-7.4p1/debian/changelog	2017-03-30 11:19:04.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:7.4p1-10) unstable; urgency=medium
+
+  * Move privilege separation directory and PID file from /var/run/ to /run/
+    (closes: #760422, #856825).
+  * Unbreak Unix domain socket forwarding for root (closes: #858252).
+
+ -- Colin Watson <cjwatson@debian.org>  Thu, 30 Mar 2017 11:19:04 +0100
+
 openssh (1:7.4p1-9) unstable; urgency=medium
 
   * Fix null pointer dereference in ssh-keygen; this fixes an autopkgtest
diff -Nru openssh-7.4p1/debian/openssh-server-udeb.dirs openssh-7.4p1/debian/openssh-server-udeb.dirs
--- openssh-7.4p1/debian/openssh-server-udeb.dirs	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server-udeb.dirs	2017-03-30 11:18:21.000000000 +0100
@@ -1 +1 @@
-var/run/sshd
+run/sshd
diff -Nru openssh-7.4p1/debian/openssh-server.if-up openssh-7.4p1/debian/openssh-server.if-up
--- openssh-7.4p1/debian/openssh-server.if-up	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.if-up	2017-03-30 11:18:21.000000000 +0100
@@ -25,8 +25,8 @@
 	exit 0
 fi
 
-if [ ! -f /var/run/sshd.pid ] || \
-   [ "$(ps -p "$(cat /var/run/sshd.pid)" -o comm=)" != sshd ]; then
+if [ ! -f /run/sshd.pid ] || \
+   [ "$(ps -p "$(cat /run/sshd.pid)" -o comm=)" != sshd ]; then
 	exit 0
 fi
 
diff -Nru openssh-7.4p1/debian/openssh-server.postinst openssh-7.4p1/debian/openssh-server.postinst
--- openssh-7.4p1/debian/openssh-server.postinst	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.postinst	2017-03-30 11:18:21.000000000 +0100
@@ -111,7 +111,7 @@
 
 setup_sshd_user() {
 	if ! getent passwd sshd >/dev/null; then
-		adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+		adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd
 	fi
 }
 
@@ -125,14 +125,14 @@
 	    rm -f /etc/ssh/primes
 	fi
 	if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
-	    rm -f /var/run/sshd/.placeholder
+	    rm -f /run/sshd/.placeholder
 	fi
 	if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \
 	   which initctl >/dev/null && initctl version 2>/dev/null | grep -q upstart && \
 	   ! status ssh 2>/dev/null | grep -q ' start/'; then
 	    # We must stop the sysvinit-controlled sshd before we can
 	    # restart it under Upstart.
-	    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true
+	    start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid || true
 	fi
 	if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
 	   deb-systemd-helper debian-installed ssh.socket && \
@@ -146,7 +146,7 @@
 	   [ -d /run/systemd/system ]; then
 	    # We must stop the sysvinit-controlled sshd before we can
 	    # restart it under systemd.
-	    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true
+	    start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd || true
 	fi
 fi
 
diff -Nru openssh-7.4p1/debian/openssh-server.preinst openssh-7.4p1/debian/openssh-server.preinst
--- openssh-7.4p1/debian/openssh-server.preinst	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.preinst	2017-03-30 11:18:21.000000000 +0100
@@ -7,9 +7,9 @@
 if [ "$action" = upgrade ] || [ "$action" = install ]
 then
   if dpkg --compare-versions "$version" lt 1:5.5p1-6 && \
-     [ -d /var/run/sshd ]; then
-    # make sure /var/run/sshd is not removed on upgrades
-    touch /var/run/sshd/.placeholder
+     [ -d /run/sshd ]; then
+    # make sure /run/sshd is not removed on upgrades
+    touch /run/sshd/.placeholder
   fi
 fi
 
diff -Nru openssh-7.4p1/debian/openssh-server.ssh.init openssh-7.4p1/debian/openssh-server.ssh.init
--- openssh-7.4p1/debian/openssh-server.ssh.init	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.ssh.init	2017-03-30 11:18:21.000000000 +0100
@@ -66,9 +66,9 @@
 
 check_privsep_dir() {
     # Create the PrivSep empty dir if necessary
-    if [ ! -d /var/run/sshd ]; then
-	mkdir /var/run/sshd
-	chmod 0755 /var/run/sshd
+    if [ ! -d /run/sshd ]; then
+	mkdir /run/sshd
+	chmod 0755 /run/sshd
     fi
 }
 
@@ -87,7 +87,7 @@
 	check_for_no_start
 	check_dev_null
 	log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
-	if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+	if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 	    log_end_msg 0 || true
 	else
 	    log_end_msg 1 || true
@@ -96,7 +96,7 @@
   stop)
 	check_for_upstart 0
 	log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" || true
-	if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid; then
+	if start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid; then
 	    log_end_msg 0 || true
 	else
 	    log_end_msg 1 || true
@@ -108,7 +108,7 @@
 	check_for_no_start
 	check_config
 	log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration" "sshd" || true
-	if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd; then
+	if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd; then
 	    log_end_msg 0 || true
 	else
 	    log_end_msg 1 || true
@@ -120,10 +120,10 @@
 	check_privsep_dir
 	check_config
 	log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
-	start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid
+	start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/sshd.pid
 	check_for_no_start log_end_msg
 	check_dev_null log_end_msg
-	if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+	if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 	    log_end_msg 0 || true
 	else
 	    log_end_msg 1 || true
@@ -136,13 +136,13 @@
 	check_config
 	log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
 	RET=0
-	start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd.pid || RET="$?"
+	start-stop-daemon --stop --quiet --retry 30 --pidfile /run/sshd.pid || RET="$?"
 	case $RET in
 	    0)
 		# old daemon stopped
 		check_for_no_start log_end_msg
 		check_dev_null log_end_msg
-		if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+		if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 		    log_end_msg 0 || true
 		else
 		    log_end_msg 1 || true
@@ -163,7 +163,7 @@
 
   status)
 	check_for_upstart 1
-	status_of_proc -p /var/run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $?
+	status_of_proc -p /run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $?
 	;;
 
   *)
diff -Nru openssh-7.4p1/debian/openssh-server.ssh.upstart openssh-7.4p1/debian/openssh-server.ssh.upstart
--- openssh-7.4p1/debian/openssh-server.ssh.upstart	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.ssh.upstart	2017-03-30 11:18:21.000000000 +0100
@@ -21,7 +21,7 @@
     test -x /usr/sbin/sshd || { stop; exit 0; }
     test -e /etc/ssh/sshd_not_to_be_run && { stop; exit 0; }
 
-    mkdir -p -m0755 /var/run/sshd
+    mkdir -p -m0755 /run/sshd
 end script
 
 # if you used to set SSHD_OPTS in /etc/default/ssh, you can change the
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series	2017-03-16 13:42:23.000000000 +0000
+++ openssh-7.4p1/debian/patches/series	2017-03-30 11:18:21.000000000 +0100
@@ -33,3 +33,4 @@
 ssh-keygen-hash-corruption.patch
 ssh-keyscan-hash-port.patch
 ssh-keygen-null-deref.patch
+unbreak-unix-forwarding-for-root.patch
diff -Nru openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch
--- openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch	2017-03-30 11:18:22.000000000 +0100
@@ -0,0 +1,80 @@
+From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 4 Jan 2017 05:37:40 +0000
+Subject: upstream commit
+
+unbreak Unix domain socket forwarding for root; ok
+markus@
+
+Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
+Bug-Debian: https://bugs.debian.org/858252
+Last-Update: 2017-03-30
+
+Patch-Name: unbreak-unix-forwarding-for-root.patch
+---
+ serverloop.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/serverloop.c b/serverloop.c
+index c4e4699d..c55d203b 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
+ 	Channel *c = NULL;
+ 	char *target, *originator;
+ 	u_short originator_port;
++	struct passwd *pw = the_authctxt->pw;
++
++	if (pw == NULL || !the_authctxt->valid)
++		fatal("server_input_global_request: no/invalid user");
+ 
+ 	target = packet_get_string(NULL);
+ 	originator = packet_get_string(NULL);
+@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
+ 	/* XXX fine grained permissions */
+ 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+ 	    !no_port_forwarding_flag && !options.disable_forwarding &&
+-	    use_privsep) {
++	    (pw->pw_uid == 0 || use_privsep)) {
+ 		c = channel_connect_to_path(target,
+ 		    "direct-streamlocal@openssh.com", "direct-streamlocal");
+ 	} else {
+@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+ 	int want_reply;
+ 	int r, success = 0, allocated_listen_port = 0;
+ 	struct sshbuf *resp = NULL;
++	struct passwd *pw = the_authctxt->pw;
++
++	if (pw == NULL || !the_authctxt->valid)
++		fatal("server_input_global_request: no/invalid user");
+ 
+ 	rtype = packet_get_string(NULL);
+ 	want_reply = packet_get_char();
+@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+ 
+ 	/* -R style forwarding */
+ 	if (strcmp(rtype, "tcpip-forward") == 0) {
+-		struct passwd *pw;
+ 		struct Forward fwd;
+ 
+-		pw = the_authctxt->pw;
+-		if (pw == NULL || !the_authctxt->valid)
+-			fatal("server_input_global_request: no/invalid user");
+ 		memset(&fwd, 0, sizeof(fwd));
+ 		fwd.listen_host = packet_get_string(NULL);
+ 		fwd.listen_port = (u_short)packet_get_int();
+@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+ 		/* check permissions */
+ 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+ 		    || no_port_forwarding_flag || options.disable_forwarding ||
+-		    !use_privsep) {
++		    (pw->pw_uid != 0 && !use_privsep)) {
+ 			success = 0;
+-			packet_send_debug("Server has disabled port forwarding.");
++			packet_send_debug("Server has disabled "
++			    "streamlocal forwarding.");
+ 		} else {
+ 			/* Start listening on the socket */
+ 			success = channel_setup_remote_fwd_listener(
diff -Nru openssh-7.4p1/debian/rules openssh-7.4p1/debian/rules
--- openssh-7.4p1/debian/rules	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/rules	2017-03-30 11:18:21.000000000 +0100
@@ -68,7 +68,8 @@
 confflags += --disable-strip
 confflags += --with-mantype=doc
 confflags += --with-4in6
-confflags += --with-privsep-path=/var/run/sshd
+confflags += --with-privsep-path=/run/sshd
+confflags += --with-pid-dir=/run
 
 # The Hurd needs libcrypt for res_query et al.
 ifeq ($(DEB_HOST_ARCH_OS),hurd)
diff -Nru openssh-7.4p1/debian/systemd/sshd.conf openssh-7.4p1/debian/systemd/sshd.conf
--- openssh-7.4p1/debian/systemd/sshd.conf	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/systemd/sshd.conf	2017-03-30 11:18:21.000000000 +0100
@@ -1 +1 @@
-d /var/run/sshd 0755 root root
+d /run/sshd 0755 root root

unblock openssh/1:7.4p1-10

-- 
Colin Watson                                       [cjwatson@debian.org]

Attachment: signature.asc
Description: Digital signature

Reply to: