Your message dated Sat, 01 Apr 2017 20:19:00 +0000
with message-id <daea24e4-06d8-d8ac-50e5-56ac51a22724@thykier.net>
and subject line Re: Bug#859192: unblock: openssh/1:7.4p1-10
has caused the Debian Bug report #859192,
regarding unblock: openssh/1:7.4p1-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
859192: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859192
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: openssh/1:7.4p1-10
- From: Colin Watson <cjwatson@debian.org>
- Date: Fri, 31 Mar 2017 11:58:06 +0100
- Message-id: <20170331105805.GA31551@riva.ucam.org>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock openssh 1:7.4p1-10, which has already built everywhere and passed on ci.debian.net. This has one RC bug fix (#858252) and one that I think verges on RC (#760422/#856825) since it causes some very confusing problems for anyone with a separate /var. The fix for the latter is a bit lengthy but it's almost entirely a mechanical search-and-replace, with the sole exception being the addition of --with-pid-dir=/run (the default is /var/run). diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm --- openssh-7.4p1/debian/.git-dpm 2017-03-16 13:42:23.000000000 +0000 +++ openssh-7.4p1/debian/.git-dpm 2017-03-30 11:18:22.000000000 +0100 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -35b2ea77a74348b575d680061f35ec7992b26ec8 -35b2ea77a74348b575d680061f35ec7992b26ec8 +904bc482ad87648a2c799c441dc6a8449f24e15a +904bc482ad87648a2c799c441dc6a8449f24e15a 971a7653746a6972b907dfe0ce139c06e4a6f482 971a7653746a6972b907dfe0ce139c06e4a6f482 openssh_7.4p1.orig.tar.gz diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog --- openssh-7.4p1/debian/changelog 2017-03-16 13:43:15.000000000 +0000 +++ openssh-7.4p1/debian/changelog 2017-03-30 11:19:04.000000000 +0100 
@@ -1,3 +1,11 @@ +openssh (1:7.4p1-10) unstable; urgency=medium + + * Move privilege separation directory and PID file from /var/run/ to /run/ + (closes: #760422, #856825). + * Unbreak Unix domain socket forwarding for root (closes: #858252). + + -- Colin Watson <cjwatson@debian.org> Thu, 30 Mar 2017 11:19:04 +0100 + openssh (1:7.4p1-9) unstable; urgency=medium * Fix null pointer dereference in ssh-keygen; this fixes an autopkgtest diff -Nru openssh-7.4p1/debian/openssh-server-udeb.dirs openssh-7.4p1/debian/openssh-server-udeb.dirs --- openssh-7.4p1/debian/openssh-server-udeb.dirs 2017-03-16 13:42:18.000000000 +0000 +++ openssh-7.4p1/debian/openssh-server-udeb.dirs 2017-03-30 11:18:21.000000000 +0100 @@ -1 +1 @@ -var/run/sshd +run/sshd diff -Nru openssh-7.4p1/debian/openssh-server.if-up openssh-7.4p1/debian/openssh-server.if-up --- openssh-7.4p1/debian/openssh-server.if-up 2017-03-16 13:42:18.000000000 +0000 +++ openssh-7.4p1/debian/openssh-server.if-up 2017-03-30 11:18:21.000000000 +0100 @@ -25,8 +25,8 @@ exit 0 fi -if [ ! -f /var/run/sshd.pid ] || \ - [ "$(ps -p "$(cat /var/run/sshd.pid)" -o comm=)" != sshd ]; then +if [ ! -f /run/sshd.pid ] || \ + [ "$(ps -p "$(cat /run/sshd.pid)" -o comm=)" != sshd ]; then exit 0 fi diff -Nru openssh-7.4p1/debian/openssh-server.postinst openssh-7.4p1/debian/openssh-server.postinst --- openssh-7.4p1/debian/openssh-server.postinst 2017-03-16 13:42:18.000000000 +0000 +++ openssh-7.4p1/debian/openssh-server.postinst 2017-03-30 11:18:21.000000000 +0100 @@ -111,7 +111,7 @@ setup_sshd_user() { if ! getent passwd sshd >/dev/null; then - adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd + adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd fi } 
@@ -125,14 +125,14 @@ rm -f /etc/ssh/primes fi if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then - rm -f /var/run/sshd/.placeholder + rm -f /run/sshd/.placeholder fi if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \ which initctl >/dev/null && initctl version 2>/dev/null | grep -q upstart && \ ! status ssh 2>/dev/null | grep -q ' start/'; then # We must stop the sysvinit-controlled sshd before we can # restart it under Upstart. - start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true + start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid || true fi if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \ deb-systemd-helper debian-installed ssh.socket && \ @@ -146,7 +146,7 @@ [ -d /run/systemd/system ]; then # We must stop the sysvinit-controlled sshd before we can # restart it under systemd. - start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true + start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd || true fi fi diff -Nru openssh-7.4p1/debian/openssh-server.preinst openssh-7.4p1/debian/openssh-server.preinst --- openssh-7.4p1/debian/openssh-server.preinst 2017-03-16 13:42:18.000000000 +0000 +++ openssh-7.4p1/debian/openssh-server.preinst 2017-03-30 11:18:21.000000000 +0100 @@ -7,9 +7,9 @@ if [ "$action" = upgrade ] || [ "$action" = install ] then if dpkg --compare-versions "$version" lt 1:5.5p1-6 && \ - [ -d /var/run/sshd ]; then - # make sure /var/run/sshd is not removed on upgrades - touch /var/run/sshd/.placeholder + [ -d /run/sshd ]; then + # make sure /run/sshd is not removed on upgrades + touch /run/sshd/.placeholder fi fi diff -Nru openssh-7.4p1/debian/openssh-server.ssh.init openssh-7.4p1/debian/openssh-server.ssh.init --- openssh-7.4p1/debian/openssh-server.ssh.init 2017-03-16 13:42:18.000000000 +0000 +++ openssh-7.4p1/debian/openssh-server.ssh.init 2017-03-30 11:18:21.000000000 +0100 
@@ -66,9 +66,9 @@ check_privsep_dir() { # Create the PrivSep empty dir if necessary - if [ ! -d /var/run/sshd ]; then - mkdir /var/run/sshd - chmod 0755 /var/run/sshd + if [ ! -d /run/sshd ]; then + mkdir /run/sshd + chmod 0755 /run/sshd fi } @@ -87,7 +87,7 @@ check_for_no_start check_dev_null log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true - if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then + if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then log_end_msg 0 || true else log_end_msg 1 || true @@ -96,7 +96,7 @@ stop) check_for_upstart 0 log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" || true - if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid; then + if start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid; then log_end_msg 0 || true else log_end_msg 1 || true @@ -108,7 +108,7 @@ check_for_no_start check_config log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration" "sshd" || true - if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd; then + if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd; then log_end_msg 0 || true else log_end_msg 1 || true 
@@ -120,10 +120,10 @@ check_privsep_dir check_config log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true - start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid + start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/sshd.pid check_for_no_start log_end_msg check_dev_null log_end_msg - if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then + if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then log_end_msg 0 || true else log_end_msg 1 || true @@ -136,13 +136,13 @@ check_config log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true RET=0 - start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd.pid || RET="$?" + start-stop-daemon --stop --quiet --retry 30 --pidfile /run/sshd.pid || RET="$?" case $RET in 0) # old daemon stopped check_for_no_start log_end_msg check_dev_null log_end_msg - if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then + if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then log_end_msg 0 || true else log_end_msg 1 || true @@ -163,7 +163,7 @@ status) check_for_upstart 1 - status_of_proc -p /var/run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $? + status_of_proc -p /run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $? ;; *) diff -Nru openssh-7.4p1/debian/openssh-server.ssh.upstart openssh-7.4p1/debian/openssh-server.ssh.upstart --- openssh-7.4p1/debian/openssh-server.ssh.upstart 2017-03-16 13:42:18.000000000 +0000 +++ openssh-7.4p1/debian/openssh-server.ssh.upstart 2017-03-30 11:18:21.000000000 +0100 
@@ -21,7 +21,7 @@ test -x /usr/sbin/sshd || { stop; exit 0; } test -e /etc/ssh/sshd_not_to_be_run && { stop; exit 0; } - mkdir -p -m0755 /var/run/sshd + mkdir -p -m0755 /run/sshd end script # if you used to set SSHD_OPTS in /etc/default/ssh, you can change the diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series --- openssh-7.4p1/debian/patches/series 2017-03-16 13:42:23.000000000 +0000 +++ openssh-7.4p1/debian/patches/series 2017-03-30 11:18:21.000000000 +0100 @@ -33,3 +33,4 @@ ssh-keygen-hash-corruption.patch ssh-keyscan-hash-port.patch ssh-keygen-null-deref.patch +unbreak-unix-forwarding-for-root.patch diff -Nru openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch --- openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch 2017-03-30 11:18:22.000000000 +0100 
@@ -0,0 +1,80 @@ +From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 4 Jan 2017 05:37:40 +0000 +Subject: upstream commit + +unbreak Unix domain socket forwarding for root; ok +markus@ + +Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2 + +Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3 +Bug-Debian: https://bugs.debian.org/858252 +Last-Update: 2017-03-30 + +Patch-Name: unbreak-unix-forwarding-for-root.patch +--- + serverloop.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/serverloop.c b/serverloop.c +index c4e4699d..c55d203b 100644 +--- a/serverloop.c ++++ b/serverloop.c +@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void) + Channel *c = NULL; + char *target, *originator; + u_short originator_port; ++ struct passwd *pw = the_authctxt->pw; ++ ++ if (pw == NULL || !the_authctxt->valid) ++ fatal("server_input_global_request: no/invalid user"); + + target = packet_get_string(NULL); + originator = packet_get_string(NULL); +@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void) + /* XXX fine grained permissions */ + if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && + !no_port_forwarding_flag && !options.disable_forwarding && +- use_privsep) { ++ (pw->pw_uid == 0 || use_privsep)) { + c = channel_connect_to_path(target, + "direct-streamlocal@openssh.com", "direct-streamlocal"); + } else { +@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) + int want_reply; + int r, success = 0, allocated_listen_port = 0; + struct sshbuf *resp = NULL; ++ struct passwd *pw = the_authctxt->pw; ++ ++ if (pw == NULL || !the_authctxt->valid) ++ fatal("server_input_global_request: no/invalid user"); + + rtype = packet_get_string(NULL); + want_reply = packet_get_char(); +@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) + 
+ /* -R style forwarding */ + if (strcmp(rtype, "tcpip-forward") == 0) { +- struct passwd *pw; + struct Forward fwd; + +- pw = the_authctxt->pw; +- if (pw == NULL || !the_authctxt->valid) +- fatal("server_input_global_request: no/invalid user"); + memset(&fwd, 0, sizeof(fwd)); + fwd.listen_host = packet_get_string(NULL); + fwd.listen_port = (u_short)packet_get_int(); +@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) + /* check permissions */ + if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 + || no_port_forwarding_flag || options.disable_forwarding || +- !use_privsep) { ++ (pw->pw_uid != 0 && !use_privsep)) { + success = 0; +- packet_send_debug("Server has disabled port forwarding."); ++ packet_send_debug("Server has disabled " ++ "streamlocal forwarding."); + } else { + /* Start listening on the socket */ + success = channel_setup_remote_fwd_listener( diff -Nru openssh-7.4p1/debian/rules openssh-7.4p1/debian/rules --- openssh-7.4p1/debian/rules 2017-03-16 13:42:18.000000000 +0000 +++ openssh-7.4p1/debian/rules 2017-03-30 11:18:21.000000000 +0100 @@ -68,7 +68,8 @@ confflags += --disable-strip confflags += --with-mantype=doc confflags += --with-4in6 -confflags += --with-privsep-path=/var/run/sshd +confflags += --with-privsep-path=/run/sshd +confflags += --with-pid-dir=/run # The Hurd needs libcrypt for res_query et al. ifeq ($(DEB_HOST_ARCH_OS),hurd) diff -Nru openssh-7.4p1/debian/systemd/sshd.conf openssh-7.4p1/debian/systemd/sshd.conf --- openssh-7.4p1/debian/systemd/sshd.conf 2017-03-16 13:42:18.000000000 +0000 +++ openssh-7.4p1/debian/systemd/sshd.conf 2017-03-30 11:18:21.000000000 +0100 @@ -1 +1 @@ -d /var/run/sshd 0755 root root +d /run/sshd 0755 root root unblock openssh/1:7.4p1-10 -- Colin Watson [cjwatson@debian.org]Attachment: signature.asc
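Review bot: in the openssh-server.postinst hunk @@ -125,14 +125,14 @@, the `start-stop-daemon --stop ... --pidfile /run/sshd.pid` in the `lt-nl 1:6.2p2-3` branch is aimed at an sshd that was started by a pre-6.2p2-3 package, and that sshd wrote its PID file to /var/run/sshd.pid; the stop therefore only finds it where /var/run resolves to /run, and because of `--oknodo` a miss is silent, leaving the sysvinit-started daemon running next to the Upstart one. Either keep the old path in this migration-only branch or record the /var/run-equals-/run assumption in a comment. The `rm -f /run/sshd/.placeholder` line two lines above has the same dependency but is harmless when it misses.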
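Review bot: the openssh-server.postinst hunk @@ -146,7 +146,7 @@ has the same issue for the `lt-nl 1:6.5p1-2` systemd branch: the daemon being stopped was started by an older package and wrote /var/run/sshd.pid. `--exec /usr/sbin/sshd` at least prevents stopping an unrelated process if the file holds a stale PID, but a missing file still exits quietly under `--oknodo`. Suggest the same treatment as the Upstart branch, whichever is chosen.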
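Review bot: in the openssh-server.preinst hunk @@ -7,9 +7,9 @@, the placeholder exists to stop dpkg from removing the directory shipped by a package older than 1:5.5p1-6, and that package shipped /var/run/sshd, so testing `[ -d /run/sshd ]` and touching `/run/sshd/.placeholder` is only equivalent through the symlink. Given that this branch and the matching `rm -f` in postinst only fire for upgrades from before 1:5.5p1-6, consider whether the pair is still worth carrying across the rename at all rather than renaming it.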
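Review bot: the new `fatal()` in the serverloop.c hunk @@ -468,6 +468,10 @@ (inside `server_request_direct_streamlocal`) carries the message `"server_input_global_request: no/invalid user"`, i.e. it names the other function; anyone grepping logs after a connection drop will be pointed at the wrong place. Since this is a verbatim cherry-pick of the upstream commit it is reasonable not to diverge here, but it is worth a line in the patch header or a follow-up upstream.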
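Review bot: the serverloop.c hunk @@ -480,7 +484,7 @@ relaxes the direct-streamlocal permission check from `use_privsep` to `(pw->pw_uid == 0 || use_privsep)`, and the patch header only says "unbreak"; the reasoning should be spelled out because this is a permission check. The `use_privsep` requirement exists because without privilege separation the forwarded Unix socket is opened by the root sshd process on the user's behalf; when the authenticated user is already uid 0 there is no privilege boundary to cross, so the exception gives root nothing it does not have, and every other account still needs `use_privsep`. Also note that `pw->pw_uid` is now dereferenced here, which is why the `pw == NULL || !the_authctxt->valid` check added at the top of the function is required rather than cosmetic.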
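Review bot: in the serverloop.c hunks @@ -702,6 +706,10 @@ through @@ -762,9 +766,10 @@, hoisting the `pw == NULL || !the_authctxt->valid` check out of the `tcpip-forward` branch to the top of `server_input_global_request` means every global request type now hits it, not just `tcpip-forward`; that is correct post-authentication, where `the_authctxt` is always set, and it is needed because the streamlocal-forward branch now reads `pw->pw_uid` too. The debug text change from "port forwarding" to "streamlocal forwarding" is the kind of detail that should be mentioned in the Debian changelog entry, since admins diagnosing `ssh -v` output will now see a different string for the two cases.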
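Review bot: the debian/rules hunk @@ -68,7 +68,8 @@ adds `--with-pid-dir=/run`, which changes the compiled-in default of `PidFile`, not only the packaging paths; the changelog entry only mentions "PID file", so a short note for admins whose tooling reads /var/run/sshd.pid (still reachable through the symlink, but no longer the documented default) would help, and it is worth checking that the shipped sshd_config(5) states /run/sshd.pid as the default rather than the upstream /var/run/sshd.pid. The init script's `--pidfile /run/sshd.pid` lines and the tmpfiles.d entry `d /run/sshd 0755 root root` are consistent with this build flag.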
Description: Digital signature
--- End Message ---
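As an added example (not part of Colin Watson's message or of the openssh package), here is a POSIX shell check of the two runtime paths that the package scripts in the diff depend on after the move from /var/run to /run: the privilege-separation directory, which sshd requires to be owned by root and writable by neither group nor others (the init script, upstart job and tmpfiles.d entry all create it as 0755 root:root), and the PID file, checked the same way the if-up hook does with `ps -p ... -o comm=`. The default paths /run/sshd and /run/sshd.pid are taken from the diff; the function names, the optional owner parameter and the `check_sshd_runtime` wrapper are this example's own.

```shell
#!/bin/sh
# Added example, not part of the openssh package or of the bug report.
# Verifies the sshd runtime paths after the /var/run -> /run move: the
# privilege-separation directory and the PID file.

# check_privsep_dir DIR [OWNER]
#   Succeeds if DIR is a directory owned by OWNER (default root) and is
#   writable by neither group nor others. sshd refuses to start when its
#   privsep chroot directory does not meet these conditions.
check_privsep_dir() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "privsep dir $dir: missing" >&2; return 1; }
    # Parse the long listing rather than stat(1), whose flags differ
    # between GNU and BSD userlands: field 1 is the mode, field 3 the owner.
    set -- $(ls -ld "$dir")
    mode=$1
    own=$3
    [ "$own" = "$owner" ] || {
        echo "privsep dir $dir: owned by $own, expected $owner" >&2
        return 1
    }
    case $mode in
        ?????w*|????????w*)   # 6th char = group write, 9th = other write
            echo "privsep dir $dir: group- or world-writable ($mode)" >&2
            return 1 ;;
    esac
    return 0
}

# pidfile_is_live PIDFILE NAME
#   Succeeds if PIDFILE holds the PID of a running process whose command
#   name is NAME: the same test the package's if-up hook performs with
#   /run/sshd.pid and sshd, plus a guard against an empty or garbage file.
pidfile_is_live() {
    pidfile=$1
    name=$2
    [ -f "$pidfile" ] || return 1
    pid=$(cat "$pidfile" 2>/dev/null)
    case $pid in
        ''|*[!0-9]*) return 1 ;;   # empty file or not a plain number
    esac
    # ps prints nothing for a PID that is not running, so a stale file fails here.
    [ "$(ps -p "$pid" -o comm= 2>/dev/null)" = "$name" ]
}

# check_sshd_runtime [PRIVSEP_DIR] [PIDFILE]
#   Combined check against the package defaults; run as root on the live
#   system, e.g.:  check_sshd_runtime && echo "sshd runtime paths OK"
check_sshd_runtime() {
    check_privsep_dir "${1:-/run/sshd}" root &&
        pidfile_is_live "${2:-/run/sshd.pid}" sshd
}
```

Both checks only read the filesystem and the process table, so they are safe to run from a monitoring job; a failure of `check_privsep_dir` after an upgrade is the symptom the bug report describes for hosts with a separate /var, and a failure of `pidfile_is_live` with the file present means a stale or foreign PID file that the if-up hook would also ignore.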
--- Begin Message ---
- To: Cyril Brulebois <kibi@debian.org>
- Cc: Colin Watson <cjwatson@debian.org>, 859192-done@bugs.debian.org
- Subject: Re: Bug#859192: unblock: openssh/1:7.4p1-10
- From: Niels Thykier <niels@thykier.net>
- Date: Sat, 01 Apr 2017 20:19:00 +0000
- Message-id: <daea24e4-06d8-d8ac-50e5-56ac51a22724@thykier.net>
- In-reply-to: <20170401201702.GE19424@mraw.org>
- References: <20170331105805.GA31551@riva.ucam.org> <98fc79e1-3d7b-2efe-3049-66e1f2dbed02@thykier.net> <20170401201702.GE19424@mraw.org>
Cyril Brulebois:
> Niels Thykier <niels@thykier.net> (2017-04-01):
>>> unblock openssh/1:7.4p1-10
>>>
>>
>> Ack from here - CC'ing KiBi for a d-i ack.
>
> I'm not sure this affects d-i (and I haven't tried it), but no
> objections on principle.
>
>
> KiBi.
>

Unblocked, thanks.

~Niels
--- End Message ---