Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock openssh 1:7.4p1-10, which has already built everywhere and passed on ci.debian.net. This has one RC bug fix (#858252) and one that I think verges on RC (#760422/#856825) since it causes some very confusing problems for anyone with a separate /var. The fix for the latter is a bit lengthy but it's almost entirely a mechanical search-and-replace, with the sole exception being the addition of --with-pid-dir=/run (the default is /var/run).

diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm 2017-03-16 13:42:23.000000000 +0000
+++ openssh-7.4p1/debian/.git-dpm 2017-03-30 11:18:22.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-35b2ea77a74348b575d680061f35ec7992b26ec8
-35b2ea77a74348b575d680061f35ec7992b26ec8
+904bc482ad87648a2c799c441dc6a8449f24e15a
+904bc482ad87648a2c799c441dc6a8449f24e15a
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog 2017-03-16 13:43:15.000000000 +0000
+++ openssh-7.4p1/debian/changelog 2017-03-30 11:19:04.000000000 +0100
@@ -1,3 +1,11 @@
+openssh (1:7.4p1-10) unstable; urgency=medium
+
+ * Move privilege separation directory and PID file from /var/run/ to /run/
+ (closes: #760422, #856825).
+ * Unbreak Unix domain socket forwarding for root (closes: #858252).
+
+ -- Colin Watson <cjwat...@debian.org> Thu, 30 Mar 2017 11:19:04 +0100
+
 openssh (1:7.4p1-9) unstable; urgency=medium
 
 * Fix null pointer dereference in ssh-keygen; this fixes an autopkgtest
diff -Nru openssh-7.4p1/debian/openssh-server-udeb.dirs openssh-7.4p1/debian/openssh-server-udeb.dirs
--- openssh-7.4p1/debian/openssh-server-udeb.dirs 2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server-udeb.dirs 2017-03-30 11:18:21.000000000 +0100
@@ -1 +1 @@
-var/run/sshd
+run/sshd
diff -Nru openssh-7.4p1/debian/openssh-server.if-up openssh-7.4p1/debian/openssh-server.if-up
--- openssh-7.4p1/debian/openssh-server.if-up 2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.if-up 2017-03-30 11:18:21.000000000 +0100
@@ -25,8 +25,8 @@
 exit 0
 fi
-if [ ! -f /var/run/sshd.pid ] || \
- [ "$(ps -p "$(cat /var/run/sshd.pid)" -o comm=)" != sshd ]; then
+if [ ! -f /run/sshd.pid ] || \
+ [ "$(ps -p "$(cat /run/sshd.pid)" -o comm=)" != sshd ]; then
 exit 0
 fi
diff -Nru openssh-7.4p1/debian/openssh-server.postinst openssh-7.4p1/debian/openssh-server.postinst
--- openssh-7.4p1/debian/openssh-server.postinst 2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.postinst 2017-03-30 11:18:21.000000000 +0100
@@ -111,7 +111,7 @@
 setup_sshd_user() {
 if ! getent passwd sshd >/dev/null; then
- adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd
+ adduser --quiet --system --no-create-home --home /run/sshd --shell /usr/sbin/nologin sshd
 fi
 }
@@ -125,14 +125,14 @@
 rm -f /etc/ssh/primes
 fi
 if dpkg --compare-versions "$2" lt-nl 1:5.5p1-6; then
- rm -f /var/run/sshd/.placeholder
+ rm -f /run/sshd/.placeholder
 fi
 if dpkg --compare-versions "$2" lt-nl 1:6.2p2-3 && \
 which initctl >/dev/null && initctl version 2>/dev/null | grep -q upstart && \
 ! status ssh 2>/dev/null | grep -q ' start/'; then
 # We must stop the sysvinit-controlled sshd before we can
 # restart it under Upstart.
- start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || true
+ start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid || true
 fi
 if dpkg --compare-versions "$2" lt-nl 1:6.5p1-2 && \
 deb-systemd-helper debian-installed ssh.socket && \
@@ -146,7 +146,7 @@
 [ -d /run/systemd/system ]; then
 # We must stop the sysvinit-controlled sshd before we can
 # restart it under systemd.
- start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true
+ start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd || true
 fi
 fi
diff -Nru openssh-7.4p1/debian/openssh-server.preinst openssh-7.4p1/debian/openssh-server.preinst
--- openssh-7.4p1/debian/openssh-server.preinst 2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.preinst 2017-03-30 11:18:21.000000000 +0100
@@ -7,9 +7,9 @@
 if [ "$action" = upgrade ] || [ "$action" = install ]
 then
 if dpkg --compare-versions "$version" lt 1:5.5p1-6 && \
- [ -d /var/run/sshd ]; then
- # make sure /var/run/sshd is not removed on upgrades
- touch /var/run/sshd/.placeholder
+ [ -d /run/sshd ]; then
+ # make sure /run/sshd is not removed on upgrades
+ touch /run/sshd/.placeholder
 fi
 fi
diff -Nru openssh-7.4p1/debian/openssh-server.ssh.init openssh-7.4p1/debian/openssh-server.ssh.init
--- openssh-7.4p1/debian/openssh-server.ssh.init 2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.ssh.init 2017-03-30 11:18:21.000000000 +0100
@@ -66,9 +66,9 @@
 check_privsep_dir() {
 # Create the PrivSep empty dir if necessary
- if [ ! -d /var/run/sshd ]; then
- mkdir /var/run/sshd
- chmod 0755 /var/run/sshd
+ if [ ! -d /run/sshd ]; then
+ mkdir /run/sshd
+ chmod 0755 /run/sshd
 fi
 }
@@ -87,7 +87,7 @@
 check_for_no_start
 check_dev_null
 log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
- if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+ if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 log_end_msg 0 || true
 else
 log_end_msg 1 || true
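Review bot: The `lt 1:5.5p1-6` branch in preinst describes the layout of the old package, which (per the pre-change lines) owned /var/run/sshd, yet after the rename it tests for and touches /run/sshd, so on a host where /var/run is not a symlink to /run the placeholder is silently not created, and where it is the change is a no-op. Either outcome looks harmless, since the new package recreates /run/sshd at start, but the rewritten comment `# make sure /run/sshd is not removed on upgrades` now describes a directory the old package never shipped, and the matching `rm -f /run/sshd/.placeholder` in postinst has the same mismatch. If upgrades from pre-5.5p1-6 are no longer a supported path, as I believe, consider dropping both compat branches rather than carrying them forward under a path that does not match their version gate.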
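Review bot: check_privsep_dir() still creates the directory with a bare `mkdir /run/sshd` followed by a separate `chmod 0755 /run/sshd`, so the mode of the directory between the two calls depends on whatever umask the init script inherited, and a second creator (e.g. the tmpfiles.d entry in this same upload) racing the `[ ! -d ]` test would make the mkdir fail. The upstart job in this upload already does `mkdir -p -m0755 /run/sshd`, which sets the mode at creation time and tolerates the directory appearing concurrently; suggest the same here, `mkdir -p -m 0755 /run/sshd`, which also makes the `if [ ! -d ]` test redundant. As I recall, sshd refuses to start when the privsep directory is not root-owned with no group/world write bit, so an unexpected umask would surface as a confusing startup failure rather than a silent one. Since /run is a tmpfs this function now runs on every sysvinit boot, so it is worth making it umask-proof.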
@@ -96,7 +96,7 @@
 stop)
 check_for_upstart 0
 log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" || true
- if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid; then
+ if start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid; then
 log_end_msg 0 || true
 else
 log_end_msg 1 || true
@@ -108,7 +108,7 @@
 check_for_no_start
 check_config
 log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration" "sshd" || true
- if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd; then
+ if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd; then
 log_end_msg 0 || true
 else
 log_end_msg 1 || true
@@ -120,10 +120,10 @@
 check_privsep_dir
 check_config
 log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
- start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid
+ start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/sshd.pid
 check_for_no_start log_end_msg
 check_dev_null log_end_msg
- if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+ if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 log_end_msg 0 || true
 else
 log_end_msg 1 || true
@@ -136,13 +136,13 @@
 check_config
 log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
 RET=0
- start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd.pid || RET="$?"
+ start-stop-daemon --stop --quiet --retry 30 --pidfile /run/sshd.pid || RET="$?"
 case $RET in
 0) # old daemon stopped
 check_for_no_start log_end_msg
 check_dev_null log_end_msg
- if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+ if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 log_end_msg 0 || true
 else
 log_end_msg 1 || true
@@ -163,7 +163,7 @@
 status)
 check_for_upstart 1
- status_of_proc -p /var/run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $?
+ status_of_proc -p /run/sshd.pid /usr/sbin/sshd sshd && exit 0 || exit $?
 ;;
 *)
diff -Nru openssh-7.4p1/debian/openssh-server.ssh.upstart openssh-7.4p1/debian/openssh-server.ssh.upstart
--- openssh-7.4p1/debian/openssh-server.ssh.upstart 2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/openssh-server.ssh.upstart 2017-03-30 11:18:21.000000000 +0100
@@ -21,7 +21,7 @@
 test -x /usr/sbin/sshd || { stop; exit 0; }
 test -e /etc/ssh/sshd_not_to_be_run && { stop; exit 0; }
- mkdir -p -m0755 /var/run/sshd
+ mkdir -p -m0755 /run/sshd
 end script
 # if you used to set SSHD_OPTS in /etc/default/ssh, you can change the
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series 2017-03-16 13:42:23.000000000 +0000
+++ openssh-7.4p1/debian/patches/series 2017-03-30 11:18:21.000000000 +0100
@@ -33,3 +33,4 @@
 ssh-keygen-hash-corruption.patch
 ssh-keyscan-hash-port.patch
 ssh-keygen-null-deref.patch
+unbreak-unix-forwarding-for-root.patch
diff -Nru openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch
--- openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/unbreak-unix-forwarding-for-root.patch 2017-03-30 11:18:22.000000000 +0100
@@ -0,0 +1,80 @@
+From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" <d...@openbsd.org>
+Date: Wed, 4 Jan 2017 05:37:40 +0000
+Subject: upstream commit
+
+unbreak Unix domain socket forwarding for root; ok
+markus@
+
+Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
+Bug-Debian: https://bugs.debian.org/858252
+Last-Update: 2017-03-30
+
+Patch-Name: unbreak-unix-forwarding-for-root.patch
+---
+ serverloop.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/serverloop.c b/serverloop.c
+index c4e4699d..c55d203b 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
+ Channel *c = NULL;
+ char *target, *originator;
+ u_short originator_port;
++ struct passwd *pw = the_authctxt->pw;
++
++ if (pw == NULL || !the_authctxt->valid)
++ fatal("server_input_global_request: no/invalid user");
+ 
+ target = packet_get_string(NULL);
+ originator = packet_get_string(NULL);
+@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
+ /* XXX fine grained permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+ !no_port_forwarding_flag && !options.disable_forwarding &&
+- use_privsep) {
++ (pw->pw_uid == 0 || use_privsep)) {
+ c = channel_connect_to_path(target,
+ "direct-streamlo...@openssh.com", "direct-streamlocal");
+ } else {
+@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+ int want_reply;
+ int r, success = 0, allocated_listen_port = 0;
+ struct sshbuf *resp = NULL;
++ struct passwd *pw = the_authctxt->pw;
++
++ if (pw == NULL || !the_authctxt->valid)
++ fatal("server_input_global_request: no/invalid user");
+ 
+ rtype = packet_get_string(NULL);
+ want_reply = packet_get_char();
+@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
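Review bot: The fatal() added at the top of server_request_direct_streamlocal() reports `server_input_global_request: no/invalid user`, so if it ever fires the log will point at the wrong function; the string was evidently carried over from the tcpip-forward branch that this patch removes further down. Use the function's own name, e.g. `fatal("%s: no/invalid user", __func__);`, which I believe matches how the rest of serverloop.c names itself in diagnostics. The identical string in the hoisted check in server_input_global_request() is correct there and can stay. The remainder of server_request_direct_streamlocal() lies outside this hunk.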
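Review bot: The new `(pw->pw_uid == 0 || use_privsep)` condition encodes a security argument that is nowhere stated: presumably the use_privsep requirement exists because without privilege separation the connect to the target socket is made with the server's own root credentials rather than the user's, so an unprivileged user could reach sockets their uid cannot, and exempting uid 0 is safe only because root gains nothing it did not already have. That reasoning deserves to replace the `/* XXX fine grained permissions */` placeholder, e.g. `/* Without privsep the connect is made as root; only allow that when the user is root anyway. */`, so the next reader does not widen the exemption to other uids. It would also make explicit that `pw` is dereferenced here only because the NULL/valid check at the top of the function guarantees it. The `else` branch of this condition continues outside the hunk.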
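Review bot: Hoisting the `pw == NULL || !the_authctxt->valid` check to the top of server_input_global_request() changes it from guarding only `tcpip-forward` to guarding every global request type the function dispatches, including ones this patch does not touch and which are outside the hunk. That is presumably harmless because global requests are only dispatched after authentication completes, but a fatal() on a path that previously ignored the request is a behaviour change worth stating rather than leaving implicit. A one-line comment above the check, `/* global requests are only dispatched post-auth, so an unset or invalid authctxt is a bug */`, would make the new scope intentional.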
+ 
+ /* -R style forwarding */
+ if (strcmp(rtype, "tcpip-forward") == 0) {
+- struct passwd *pw;
+ struct Forward fwd;
+ 
+- pw = the_authctxt->pw;
+- if (pw == NULL || !the_authctxt->valid)
+- fatal("server_input_global_request: no/invalid user");
+ memset(&fwd, 0, sizeof(fwd));
+ fwd.listen_host = packet_get_string(NULL);
+ fwd.listen_port = (u_short)packet_get_int();
+@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+ /* check permissions */
+ if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+ || no_port_forwarding_flag || options.disable_forwarding ||
+- !use_privsep) {
++ (pw->pw_uid != 0 && !use_privsep)) {
+ success = 0;
+- packet_send_debug("Server has disabled port forwarding.");
++ packet_send_debug("Server has disabled "
++ "streamlocal forwarding.");
+ } else {
+ /* Start listening on the socket */
+ success = channel_setup_remote_fwd_listener(
diff -Nru openssh-7.4p1/debian/rules openssh-7.4p1/debian/rules
--- openssh-7.4p1/debian/rules 2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/rules 2017-03-30 11:18:21.000000000 +0100
@@ -68,7 +68,8 @@
 confflags += --disable-strip
 confflags += --with-mantype=doc
 confflags += --with-4in6
-confflags += --with-privsep-path=/var/run/sshd
+confflags += --with-privsep-path=/run/sshd
+confflags += --with-pid-dir=/run
 # The Hurd needs libcrypt for res_query et al.
 ifeq ($(DEB_HOST_ARCH_OS),hurd)
diff -Nru openssh-7.4p1/debian/systemd/sshd.conf openssh-7.4p1/debian/systemd/sshd.conf
--- openssh-7.4p1/debian/systemd/sshd.conf 2017-03-16 13:42:18.000000000 +0000
+++ openssh-7.4p1/debian/systemd/sshd.conf 2017-03-30 11:18:21.000000000 +0100
@@ -1 +1 @@
-d /var/run/sshd 0755 root root
+d /run/sshd 0755 root root

unblock openssh/1:7.4p1-10

-- Colin Watson [cjwat...@debian.org]
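Review bot: `--with-pid-dir=/run` presumably moves the compiled-in default PidFile to /run/sshd.pid, which is what the init, if-up and postinst scripts in this upload now hard-code, but the diff does not show whether anything else in the package still names /var/run/sshd.pid (a systemd unit, logrotate or monitoring snippet, README.Debian), so a grep before upload is worthwhile. An administrator who has set `PidFile /var/run/sshd.pid` explicitly in sshd_config will keep working only through the /var/run → /run symlink while the scripts look elsewhere, which is the kind of mismatch the cover letter says this upload is meant to end; a NEWS.Debian or changelog sentence about it would pre-empt bug reports. Since this is the one non-mechanical change in the upload, tie it to its consumers with a comment, `# /run rather than upstream's /var/run default; must match the pidfile paths in the init/if-up scripts`.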