Bug#487325: marked as done (openssh-server: /etc/default/ssh setting for oom_adj confused)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Mon, 21 Jul 2008 11:32:05 +0000
with message-id <E1KKtcb-0004nh-Hf@ries.debian.org>
and subject line Bug#487325: fixed in openssh 1:4.7p1-13
has caused the Debian Bug report #487325,
regarding openssh-server: /etc/default/ssh setting for oom_adj confused
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
487325: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487325
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: openssh-server: /etc/default/ssh setting for oom_adj confused
• From: Micah Anderson <micah@debian.org>
• Date: Fri, 20 Jun 2008 19:27:30 -0400
• Message-id: <20080620232730.993.88219.reportbug@pond.riseup.net>

Package: openssh-server
Version: 1:4.7p1-12
Severity: normal

Hi there!

I discovered recently during a testing migration that in a vserver
environment you do not have the capability to adjust /proc values.

This means that the oom_adj results in a lot of noise in the logfiles:

sshd[9363]: error writing /proc/self/oom_adj: Operation not permitted

Ok, so I thought I would disable it by tweaking the following in
/etc/default/ssh:

# OOM-killer adjustment for sshd (see
# linux/Documentation/filesystems/proc.txt; lower values reduce
# likelihood
# of being killed, -17 = disable)
SSHD_OOM_ADJUST=-17

Hmmm... its already set to -17 and -17 is 'disable'? Why isn't it
disabled then if its already set here to be disabled? The source
made me think that setting it to 0 should disable it:

+  const char *oom_adj = getenv("SSHD_OOM_ADJUST");
+  if (!oom_adj)
+     return;

I've tried setting this to 0, -17, no setting, and commenting it out
of the file altogether, but it still is being attempted....

After trial-and-error it seems like it shouldn't be set to anything at
all if it is supposed to be disabled. So, the environment variable
SSHD_OOM_ADJUST needs to be non-existant to actually disable it. I
don't understand why, unless there is some environment scrubbing going
on?

It doesn't help that in /etc/init.d/ssh, we find this:

export SSHD_OOM_ADJUST=-17

right before the sourcing of the /etc/default/ssh file. 

So the only way to really disable this is to comment out both
the line in /etc/init.d/ssh where the environment variable is
set to -17 and the line in /etc/default/ssh where it is also set.

I'm guessing that you were going for it a disable value of 0+ do it,
but it seems that is completely ignored, for whatever reason that is
beyond me.

In any case, having to edit the initscript to disable this is not the
right way.

I appreciate your continued maintainence of this package! 

Micah

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser               3.108              add and remove users and groups
ii  debconf [debconf-2.0] 1.5.22             Debian configuration management sy
ii  dpkg                  1.14.19            package maintenance system for Deb
ii  libc6                 2.7-12             GNU C Library: Shared libraries
ii  libcomerr2            1.40.11-1          common error description library
ii  libkrb53              1.6.dfsg.4~beta1-2 MIT Kerberos runtime libraries
ii  libpam-modules        0.99.7.1-6         Pluggable Authentication Modules f
ii  libpam-runtime        0.99.7.1-6         Runtime support for the PAM librar
ii  libpam0g              0.99.7.1-6         Pluggable Authentication Modules l
ii  libselinux1           2.0.59-1           SELinux shared libraries
ii  libssl0.9.8           0.9.8g-10.1        SSL shared libraries
ii  libwrap0              7.6.q-15           Wietse Venema's TCP wrappers libra
ii  lsb-base              3.2-12             Linux Standard Base 3.2 init scrip
ii  openssh-blacklist     0.4.1              list of default blacklisted OpenSS
ii  openssh-client        1:4.7p1-12         secure shell client, an rlogin/rsh
ii  zlib1g                1:1.2.3.3.dfsg-12  compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.3-2  X authentication utility

-- debconf information excluded

--- End Message ---

--- Begin Message ---

• To: 487325-close@bugs.debian.org
• Subject: Bug#487325: fixed in openssh 1:4.7p1-13
• From: Colin Watson <cjwatson@debian.org>
• Date: Mon, 21 Jul 2008 11:32:05 +0000
• Message-id: <E1KKtcb-0004nh-Hf@ries.debian.org>

Source: openssh
Source-Version: 1:4.7p1-13

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.7p1-13_i386.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.7p1-13_i386.udeb
openssh-client_4.7p1-13_i386.deb
  to pool/main/o/openssh/openssh-client_4.7p1-13_i386.deb
openssh-server-udeb_4.7p1-13_i386.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.7p1-13_i386.udeb
openssh-server_4.7p1-13_i386.deb
  to pool/main/o/openssh/openssh-server_4.7p1-13_i386.deb
openssh_4.7p1-13.diff.gz
  to pool/main/o/openssh/openssh_4.7p1-13.diff.gz
openssh_4.7p1-13.dsc
  to pool/main/o/openssh/openssh_4.7p1-13.dsc
ssh-askpass-gnome_4.7p1-13_i386.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.7p1-13_i386.deb
ssh-krb5_4.7p1-13_all.deb
  to pool/main/o/openssh/ssh-krb5_4.7p1-13_all.deb
ssh_4.7p1-13_all.deb
  to pool/main/o/openssh/ssh_4.7p1-13_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 487325@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 21 Jul 2008 12:18:28 +0100
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source all i386
Version: 1:4.7p1-13
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell server, an rshd replacement
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 483756 484404 484451 485415 487325
Changes: 
 openssh (1:4.7p1-13) unstable; urgency=low
 .
   * Add some helpful advice to the end of ssh-vulnkey's output if there are
     unknown or compromised keys (thanks, Dan Jacobson; closes: #483756).
   * Check compromised key blacklist in ssh or ssh-add, as well as in the
     server (LP: #232391). To override the blacklist check in ssh
     temporarily, use 'ssh -o UseBlacklistedKeys=yes'; there is no override
     for the blacklist check in ssh-add.
   * Add cross-references to ssh-vulnkey(1) to ssh(1), ssh-add(1),
     ssh-keygen(1), and sshd(8) (closes: #484451).
   * Change openssh-client-udeb's Installer-Menu-Item from 99900 to 99999
     (thanks, Frans Pop).
   * Drop openssh-client-udeb isinstallable hack, as main-menu (>= 1.26) now
     takes care of that (thanks, Frans Pop; closes: #484404).
   * Update DEB_BUILD_OPTIONS parsing code from policy 3.8.0.
   * Add documentation on removing openssh-blacklist locally (see #484269).
   * Clarify documentation of SSHD_OOM_ADJUST, and make setting it to the
     empty string actually skip adjustment as intended (closes: #487325).
   * Remove empty /usr/share/applications directory in ssh-askpass-gnome.
   * debconf template translations:
     - Update Romanian (thanks, Cătălin Feștilă; closes: #485415).
Checksums-Sha1: 
 0c795ce18a6e7485b4c3bce9d05e3c761ffddcda 1504 openssh_4.7p1-13.dsc
 2e1b90897edb478a562160d4bba0e2c0343dfacf 215208 openssh_4.7p1-13.diff.gz
 4969f71b147b63543c3f9963528001f5b048e4ca 1042 ssh_4.7p1-13_all.deb
 6480c85a547528d8da02b2325e8235e874ab80e2 89998 ssh-krb5_4.7p1-13_all.deb
 286a819a08cd55a9617ad0b4ad92d2f967c6f058 721498 openssh-client_4.7p1-13_i386.deb
 2a3a28a13763aeaede074e25c7a62c564d1dc27d 261480 openssh-server_4.7p1-13_i386.deb
 810635455a7d6710c1d158caa41ae9fdd43070c3 97482 ssh-askpass-gnome_4.7p1-13_i386.deb
 ae49e22cc231d445835b709e7910fb6ffabfc099 159502 openssh-client-udeb_4.7p1-13_i386.udeb
 24e4e6ac0400c4d785397730ce9e86d7ddf4ea44 173024 openssh-server-udeb_4.7p1-13_i386.udeb
Checksums-Sha256: 
 3570d43e2bce08bc98493f07f0954c2f9b2d04ce16d5042074fc71a63e71e8d3 1504 openssh_4.7p1-13.dsc
 5c6e8695e2af17b7744479dcf1912a89e392e984c57bbd10196b8f389cc22d43 215208 openssh_4.7p1-13.diff.gz
 5b4af0b0ffd314c97a35409205e9b48d97832964c2f079cedfa1c8ae93a2ffde 1042 ssh_4.7p1-13_all.deb
 2565b6846d0cc9058d4088b44d0293bfd31b5eef06fdbad2e13fecefa0fed076 89998 ssh-krb5_4.7p1-13_all.deb
 10e035282b8626fb11bf102ca2ddac3ec1e831f974f1e494216ce0cff2d7e6b2 721498 openssh-client_4.7p1-13_i386.deb
 1669deb01ab10b3871e596c875441d6cc8da7245327250a117b5e1082b6e3366 261480 openssh-server_4.7p1-13_i386.deb
 60fa7516aa2699ae2671d1c416e73c4b80410081c07157edf1621fa14112635a 97482 ssh-askpass-gnome_4.7p1-13_i386.deb
 3277f7781f5a90d3603ca28cc80e7df2ff9390ff91ec39e67667b2644d486f45 159502 openssh-client-udeb_4.7p1-13_i386.udeb
 1407c0b0da7e91245e3c890a4f529cb4e29f4b064ac7789c95fd87dd3311ed76 173024 openssh-server-udeb_4.7p1-13_i386.udeb
Files: 
 77e96fe444882281deeb3f3c829602bf 1504 net standard openssh_4.7p1-13.dsc
 5c1b6759596d3f583d58424e7cdf178b 215208 net standard openssh_4.7p1-13.diff.gz
 345d10be6218747e5bf4108d49ce0a22 1042 net extra ssh_4.7p1-13_all.deb
 eb019d3eaf93276882cff336f7ae8650 89998 net extra ssh-krb5_4.7p1-13_all.deb
 97801920d8ebdffbd4732a8da91eba10 721498 net standard openssh-client_4.7p1-13_i386.deb
 285dcbcd52248d92af7463c715975729 261480 net optional openssh-server_4.7p1-13_i386.deb
 1a36e66cdeb3d00415b756f74111646d 97482 gnome optional ssh-askpass-gnome_4.7p1-13_i386.deb
 c00ca8e31a567888f69a21422d2ea3bd 159502 debian-installer optional openssh-client-udeb_4.7p1-13_i386.udeb
 7284a936bdf9f474aacefb4a81464d19 173024 debian-installer optional openssh-server-udeb_4.7p1-13_i386.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFIhHEh9t0zAhD6TNERArXUAJ98Zh9ZHab1faqWfw+P3cNbVfaQCwCfYz7J
SdXDBTGU6nuHgvwWqPKG3q0=
=z89n
-----END PGP SIGNATURE-----

--- End Message ---