
Bug#859192: marked as done (unblock: openssh/1:7.4p1-10)



Your message dated Sat, 01 Apr 2017 20:19:00 +0000
with message-id <daea24e4-06d8-d8ac-50e5-56ac51a22724@thykier.net>
and subject line Re: Bug#859192: unblock: openssh/1:7.4p1-10
has caused the Debian Bug report #859192,
regarding unblock: openssh/1:7.4p1-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
859192: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859192
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock openssh 1:7.4p1-10, which has already built everywhere
and passed on ci.debian.net.  This has one RC bug fix (#858252) and one
that I think verges on RC (#760422/#856825) since it causes some very
confusing problems for anyone with a separate /var.  The fix for the
latter is a bit lengthy but it's almost entirely a mechanical
search-and-replace, with the sole exception being the addition of
--with-pid-dir=/run (the default is /var/run).

diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm	2017-03-16 13:42:23.000000000 +0000
+++ openssh-7.4p1/debian/.git-dpm	2017-03-30 11:18:22.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-35b2ea77a74348b575d680061f35ec7992b26ec8
-35b2ea77a74348b575d680061f35ec7992b26ec8
+904bc482ad87648a2c799c441dc6a8449f24e15a
+904bc482ad87648a2c799c441dc6a8449f24e15a
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog	2017-03-16 13:43:15.000000000 +0000
+++ openssh-7.4p1/debian/changelog	2017-03-30 11:19:04.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:7.4p1-10) unstable; urgency=medium
+
+  * Move privilege separation directory and PID file from /var/run/ to /run/
+    (closes: #760422, #856825).
+  * Unbreak Unix domain socket forwarding for root (closes: #858252).
+
+ -- Colin Watson <cjwatson@debian.org>  Thu, 30 Mar 2017 11:19:04 +0100
+
 openssh (1:7.4p1-9) unstable; urgency=medium
 
   * Fix null pointer dereference in ssh-keygen; this fixes an autopkgtest
diff -Nru openssh-7.4p1/debian/openssh-server-udeb.dirs openssh-7.4p1/debian/openssh-server-udeb.dirs
--- openssh-7.4p1/debian/openssh-server-udeb.dirs	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server-udeb.dirs	2017-03-30 11:18:21.000000000 +0100
@@ -1 +1 @@
-var/run/sshd
+run/sshd
diff -Nru openssh-7.4p1/debian/openssh-server.if-up openssh-7.4p1/debian/openssh-server.if-up
--- openssh-7.4p1/debian/openssh-server.if-up	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.if-up	2017-03-30 11:18:21.000000000 +0100
@@ -25,8 +25,8 @@
 	exit 0
 fi
 
-if [ ! -f /var/run/sshd.pid ] || \
-   [ "$(ps -p "$(cat /var/run/sshd.pid)" -o comm=)" != sshd ]; then
+if [ ! -f /run/sshd.pid ] || \
+   [ "$(ps -p "$(cat /run/sshd.pid)" -o comm=)" != sshd ]; then
 	exit 0
 fi
 
diff -Nru openssh-7.4p1/debian/openssh-server.postinst openssh-7.4p1/debian/openssh-server.postinst
--- openssh-7.4p1/debian/openssh-server.postinst	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.postinst	2017-03-30 11:18:21.000000000 +0100
@@ -111,7 +111,7 @@
 
 setup_sshd_user() {
 	if ! getent passwd sshd >/dev/null; then
-		adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+		adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd
 	fi
 }
 
@@ -125,14 +125,14 @@
 	    rm -f /etc/ssh/primes
 	fi
 	if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
-	    rm -f /var/run/sshd/.placeholder
+	    rm -f /run/sshd/.placeholder
 	fi
 	if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \
 	   which initctl >/dev/null && initctl version 2>/dev/null | grep -q upstart && \
 	   ! status ssh 2>/dev/null | grep -q ' start/'; then
 	    # We must stop the sysvinit-controlled sshd before we can
 	    # restart it under Upstart.
-	    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true
+	    start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid || true
 	fi
 	if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
 	   deb-systemd-helper debian-installed ssh.socket && \
@@ -146,7 +146,7 @@
 	   [ -d /run/systemd/system ]; then
 	    # We must stop the sysvinit-controlled sshd before we can
 	    # restart it under systemd.
-	    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true
+	    start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd || true
 	fi
 fi
 
diff -Nru openssh-7.4p1/debian/openssh-server.preinst openssh-7.4p1/debian/openssh-server.preinst
--- openssh-7.4p1/debian/openssh-server.preinst	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.preinst	2017-03-30 11:18:21.000000000 +0100
@@ -7,9 +7,9 @@
 if [ "$action" = upgrade ] || [ "$action" = install ]
 then
   if dpkg --compare-versions "$version" lt 1:5.5p1-6 && \
-     [ -d /var/run/sshd ]; then
-    # make sure /var/run/sshd is not removed on upgrades
-    touch /var/run/sshd/.placeholder
+     [ -d /run/sshd ]; then
+    # make sure /run/sshd is not removed on upgrades
+    touch /run/sshd/.placeholder
   fi
 fi
 
diff -Nru openssh-7.4p1/debian/openssh-server.ssh.init openssh-7.4p1/debian/openssh-server.ssh.init
--- openssh-7.4p1/debian/openssh-server.ssh.init	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.ssh.init	2017-03-30 11:18:21.000000000 +0100
@@ -66,9 +66,9 @@
 
 check_privsep_dir() {
     # Create the PrivSep empty dir if necessary
-    if [ ! -d /var/run/sshd ]; then
-	mkdir /var/run/sshd
-	chmod 0755 /var/run/sshd
+    if [ ! -d /run/sshd ]; then
+	mkdir /run/sshd
+	chmod 0755 /run/sshd
     fi
 }
 
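Review bot: `check_privsep_dir` creates the privilege-separation directory in two steps, `mkdir /run/sshd` followed by `chmod 0755 /run/sshd`, so for a moment the directory carries whatever mode the init script's umask gives it, and a concurrent creation between the `-d` test and `mkdir` makes the function print an error. The upstart job in this same diff already does it in one atomic call, so I would align the init script with it: `mkdir -p -m0755 /run/sshd` in place of the `mkdir`/`chmod` pair. This only changes the start-up path on sysvinit; on systemd the directory comes from `debian/systemd/sshd.conf`, also updated here.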
@@ -87,7 +87,7 @@
 	check_for_no_start
 	check_dev_null
 	log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
-	if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+	if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 	    log_end_msg 0 || true
 	else
 	    log_end_msg 1 || true
@@ -96,7 +96,7 @@
   stop)
 	check_for_upstart 0
 	log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" || true
-	if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid; then
+	if start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid; then
 	    log_end_msg 0 || true
 	else
 	    log_end_msg 1 || true
@@ -108,7 +108,7 @@
 	check_for_no_start
 	check_config
 	log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration" "sshd" || true
-	if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd; then
+	if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd; then
 	    log_end_msg 0 || true
 	else
 	    log_end_msg 1 || true
@@ -120,10 +120,10 @@
 	check_privsep_dir
 	check_config
 	log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
-	start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid
+	start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/sshd.pid
 	check_for_no_start log_end_msg
 	check_dev_null log_end_msg
-	if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+	if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 	    log_end_msg 0 || true
 	else
 	    log_end_msg 1 || true
@@ -136,13 +136,13 @@
 	check_config
 	log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
 	RET=0
-	start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd.pid || RET="$?"
+	start-stop-daemon --stop --quiet --retry 30 --pidfile /run/sshd.pid || RET="$?"
 	case $RET in
 	    0)
 		# old daemon stopped
 		check_for_no_start log_end_msg
 		check_dev_null log_end_msg
-		if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+		if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 		    log_end_msg 0 || true
 		else
 		    log_end_msg 1 || true
@@ -163,7 +163,7 @@
 
   status)
 	check_for_upstart 1
-	status_of_proc -p /var/run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $?
+	status_of_proc -p /run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $?
 	;;
 
   *)
diff -Nru openssh-7.4p1/debian/openssh-server.ssh.upstart openssh-7.4p1/debian/openssh-server.ssh.upstart
--- openssh-7.4p1/debian/openssh-server.ssh.upstart	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.ssh.upstart	2017-03-30 11:18:21.000000000 +0100
@@ -21,7 +21,7 @@
     test -x /usr/sbin/sshd || { stop; exit 0; }
     test -e /etc/ssh/sshd_not_to_be_run && { stop; exit 0; }
 
-    mkdir -p -m0755 /var/run/sshd
+    mkdir -p -m0755 /run/sshd
 end script
 
 # if you used to set SSHD_OPTS in /etc/default/ssh, you can change the
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series	2017-03-16 13:42:23.000000000 +0000
+++ openssh-7.4p1/debian/patches/series	2017-03-30 11:18:21.000000000 +0100
@@ -33,3 +33,4 @@
 ssh-keygen-hash-corruption.patch
 ssh-keyscan-hash-port.patch
 ssh-keygen-null-deref.patch
+unbreak-unix-forwarding-for-root.patch
diff -Nru openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch
--- openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch	2017-03-30 11:18:22.000000000 +0100
@@ -0,0 +1,80 @@
+From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 4 Jan 2017 05:37:40 +0000
+Subject: upstream commit
+
+unbreak Unix domain socket forwarding for root; ok
+markus@
+
+Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
+Bug-Debian: https://bugs.debian.org/858252
+Last-Update: 2017-03-30
+
+Patch-Name: unbreak-unix-forwarding-for-root.patch
+---
+ serverloop.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/serverloop.c b/serverloop.c
+index c4e4699d..c55d203b 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
+ 	Channel *c = NULL;
+ 	char *target, *originator;
+ 	u_short originator_port;
++	struct passwd *pw = the_authctxt->pw;
++
++	if (pw == NULL || !the_authctxt->valid)
++		fatal("server_input_global_request: no/invalid user");
+ 
+ 	target = packet_get_string(NULL);
+ 	originator = packet_get_string(NULL);
+@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
+ 	/* XXX fine grained permissions */
+ 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+ 	    !no_port_forwarding_flag && !options.disable_forwarding &&
+-	    use_privsep) {
++	    (pw->pw_uid == 0 || use_privsep)) {
+ 		c = channel_connect_to_path(target,
+ 		    "direct-streamlocal@openssh.com", "direct-streamlocal");
+ 	} else {
+@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+ 	int want_reply;
+ 	int r, success = 0, allocated_listen_port = 0;
+ 	struct sshbuf *resp = NULL;
++	struct passwd *pw = the_authctxt->pw;
++
++	if (pw == NULL || !the_authctxt->valid)
++		fatal("server_input_global_request: no/invalid user");
+ 
+ 	rtype = packet_get_string(NULL);
+ 	want_reply = packet_get_char();
+@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+ 
+ 	/* -R style forwarding */
+ 	if (strcmp(rtype, "tcpip-forward") == 0) {
+-		struct passwd *pw;
+ 		struct Forward fwd;
+ 
+-		pw = the_authctxt->pw;
+-		if (pw == NULL || !the_authctxt->valid)
+-			fatal("server_input_global_request: no/invalid user");
+ 		memset(&fwd, 0, sizeof(fwd));
+ 		fwd.listen_host = packet_get_string(NULL);
+ 		fwd.listen_port = (u_short)packet_get_int();
+@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+ 		/* check permissions */
+ 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+ 		    || no_port_forwarding_flag || options.disable_forwarding ||
+-		    !use_privsep) {
++		    (pw->pw_uid != 0 && !use_privsep)) {
+ 			success = 0;
+-			packet_send_debug("Server has disabled port forwarding.");
++			packet_send_debug("Server has disabled "
++			    "streamlocal forwarding.");
+ 		} else {
+ 			/* Start listening on the socket */
+ 			success = channel_setup_remote_fwd_listener(
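Review bot: The `fatal()` added to `server_request_direct_streamlocal` names the wrong function: `fatal("server_input_global_request: no/invalid user");` was copied from the global-request handler, so an administrator reading the sshd log after such an abort would be pointed at the wrong code path. I would use `fatal("server_request_direct_streamlocal: no/invalid user");` (or `fatal("%s: no/invalid user", __func__);` if the surrounding file already uses `__func__`). The relaxed permission checks, `(pw->pw_uid == 0 || use_privsep)` and `(pw->pw_uid != 0 && !use_privsep)`, would also benefit from a one-line comment stating why root is exempted from the privsep requirement — presumably because a root session gains nothing from the forward that it does not already have — since the reasoning is not visible in the code. Both `server_request_direct_streamlocal` and `server_input_global_request` start and end outside the quoted hunks of this patch file.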
diff -Nru openssh-7.4p1/debian/rules openssh-7.4p1/debian/rules
--- openssh-7.4p1/debian/rules	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/rules	2017-03-30 11:18:21.000000000 +0100
@@ -68,7 +68,8 @@
 confflags += --disable-strip
 confflags += --with-mantype=doc
 confflags += --with-4in6
-confflags += --with-privsep-path=/var/run/sshd
+confflags += --with-privsep-path=/run/sshd
+confflags += --with-pid-dir=/run
 
 # The Hurd needs libcrypt for res_query et al.
 ifeq ($(DEB_HOST_ARCH_OS),hurd)
diff -Nru openssh-7.4p1/debian/systemd/sshd.conf openssh-7.4p1/debian/systemd/sshd.conf
--- openssh-7.4p1/debian/systemd/sshd.conf	2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/systemd/sshd.conf	2017-03-30 11:18:21.000000000 +0100
@@ -1 +1 @@
-d /var/run/sshd 0755 root root
+d /run/sshd 0755 root root

unblock openssh/1:7.4p1-10

-- 
Colin Watson                                       [cjwatson@debian.org]

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Niels Thykier <niels@thykier.net> (2017-04-01):
>>> unblock openssh/1:7.4p1-10
>>>
>>
>> Ack from here - CC'ing KiBi for a d-i ack.
> 
> I'm not sure this affects d-i (and I haven't tried it), but no
> objections on principle.
> 
> 
> KiBi.
> 

Unblocked, thanks.

~Niels

--- End Message ---
