
Re: openssh-server's default config is dangerous



On Tue, 12 Jul 2016, Stefan Monnier wrote:
> I often need something like this when running inside a chroot and
> always have trouble finding the clean&easy way to do it

Here's one example that mk-sbuild uses:

(jessie-amd64)$ cat /usr/sbin/policy-rc.d
#!/bin/sh
while true; do
    case "$1" in
      -*) shift ;;
      makedev) exit 0;;
      x11-common) exit 0;;
      *) exit 101;;
    esac
done

For future reference, this is all covered in Debian Policy §9.3.3
"Interfacing with the initscript system" and invoke-rc.d(8).

> (IIUC dpkg should figure out on its own that it's running in a chroot,
> but it doesn't seem to work reliably enough in my experience, or maybe
> I misunderstood how "running in chroot" is expected to affect dpkg's
> behavior by default).

In this particular case, the issue isn't dpkg, but the package
maintainer scripts. Those all operate using invoke-rc.d, and are
blissfully unaware of whether they are operating inside of a chroot or
outside. [Indeed, there's no reliable way of identifying whether you're
actually in a chroot or not unless you're root and can compare your root
to init's root.]

-- 
Don Armstrong                      https://www.donarmstrong.com

If it jams, force it. If it breaks, it needed replacing anyway.
 -- Lowery's Law

