
Re: openssh-server's default config is dangerous



>> I often need something like this when running inside a chroot and
>> always have trouble finding the clean&easy way to do it
> Here's one example that mk-sbuild uses:
> (jessie-amd64)$ cat /usr/sbin/policy-rc.d
> #!/bin/sh
> while true; do
>     case "$1" in
>       -*) shift ;;
>       makedev) exit 0;;
>       x11-common) exit 0;;
>       *) exit 101;;
>     esac
> done

Pretty far from my ideal of having some boolean setting under /etc somewhere.

> In this particular case, the issue isn't dpkg, but the package
> maintainer scripts. Those all operate using invoke-rc.d, and are
> blissfully unaware of whether they are operating inside of a chroot or
> outside. [Indeed, there's no reliable way of identifying whether you're
> actually in a chroot or not unless you're root and can compare your root
> to init's root.]

It's actually worse: in some of my chroots (such as LilDebi's) I do want
daemons to be started&stopped, while in others (typically when I mount
some external disk that holds some other machine's (broken) root
filesystem, in order to fix it) I don't.

So even if we could reliably identify that we're in a chroot jail, it
wouldn't tell us whether daemons should be started/stopped.


        Stefan
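
Added example, not part of the message above or of mk-sbuild: a policy-rc.d sketch in which a one-word flag file inside each chroot decides whether daemons may be started or stopped, using the same exit codes as the quoted script (0 allow, 101 deny). The path /etc/daemon-start-policy and the function names are hypothetical; a missing, empty or unrecognised flag denies.

```sh
#!/bin/sh
# Hypothetical per-chroot switch. This path is an assumption made for the
# example, not a Debian default. Each chroot carries its own copy under /etc.
FLAG_FILE="${FLAG_FILE:-/etc/daemon-start-policy}"

# Print the first word of the flag file in lower case (nothing if unreadable).
read_flag() {
    word=
    [ -r "$1" ] || return 0
    read -r word _rest < "$1" || true   # tolerate a missing final newline
    printf '%s' "$word" | tr '[:upper:]' '[:lower:]'
}

# policy_decision <arguments as handed to policy-rc.d>
# Returns 0 (action allowed) or 101 (action forbidden by policy).
policy_decision() {
    # Skip leading options, as the quoted script does.
    while [ $# -gt 0 ]; do
        case "$1" in
            -*) shift ;;
            *)  break ;;
        esac
    done
    # No initscript ID left after the options: fail closed.
    [ $# -gt 0 ] || return 101
    case "$(read_flag "$FLAG_FILE")" in
        yes|true|1) return 0 ;;
        *)          return 101 ;;   # missing, empty or unknown value: deny
    esac
}

# Act as the real hook only when installed under the name policy-rc.d.
case "${0##*/}" in
    policy-rc.d) policy_decision "$@"; exit $? ;;
esac
```

Because the flag is read from the chroot's own /etc, one tree can allow daemon actions while a rescue mount of another machine's root leaves them denied.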

