Hi,

> This file now lives in openssh-server, since it's only needed by sshd.
> Unfortunately I'd forgotten that moving conffiles between packages
> requires some non-trivial effort, and so this is going to involve some
> complexity in maintainer scripts.

How about the attached approach?

It uses dpkg-maintscript-helper in openssh-client to remove the conffile. dpkg-maintscript-helper does all the magic to determine whether the file was changed by the user. Here, we use the fact that in preinst, it only moves the file to a backup location, and this location is different when the file is user-modified.

In postinst of openssh-server, we then check for the backup file and move it back in place if it exists.

This…

 …fixes the obsolete conffile,
 …avoids an annoying question on upgrade whether to overwrite the file, if it was user-modified,
 …still keeps user modifications intact.

I tested the following:

1. Only openssh-client, upgrading from 1:7.9p1-4 to 1:7.9p1-6.1
---------------------------------------------------------------

File gets correctly removed. If it was user-modified, it remains as moduli.dpkg-bak unless purged.

2. openssh-client and openssh-server installed, file not modified
-----------------------------------------------------------------

Ownership is correctly transferred to openssh-server, purging this removes the conffile.

3. openssh-client and openssh-server installed, file user-modified
------------------------------------------------------------------

Ownership is correctly transferred to openssh-server, purging this removes the conffile, user modifications remain intact.

If you like this approach, feel free to take it, or add me to the team to do a team upload ;).

Cheers,
Nik
diff -Nru openssh-7.9p1/debian/changelog openssh-7.9p1/debian/changelog --- openssh-7.9p1/debian/changelog 2019-02-08 17:26:35.000000000 +0100 +++ openssh-7.9p1/debian/changelog 2019-02-26 23:54:57.000000000 +0100 @@ -1,3 +1,10 @@ +openssh (1:7.9p1-6.1) unstable; urgency=high + + * Non-maintainer upload. + * Correctly handle conffile move to openssh-server. (Closes: #919344) + + -- Dominik George <naturesha...@debian.org> Tue, 26 Feb 2019 23:54:57 +0100 + openssh (1:7.9p1-6) unstable; urgency=medium * CVE-2019-6109: Apply upstream patches to sanitize scp filenames via diff -Nru openssh-7.9p1/debian/openssh-client.maintscript openssh-7.9p1/debian/openssh-client.maintscript --- openssh-7.9p1/debian/openssh-client.maintscript 1970-01-01 01:00:00.000000000 +0100 +++ openssh-7.9p1/debian/openssh-client.maintscript 2019-02-26 23:54:10.000000000 +0100 @@ -0,0 +1 @@ +rm_conffile /etc/ssh/moduli 1:7.9p1-6.1~ diff -Nru openssh-7.9p1/debian/openssh-server.postinst openssh-7.9p1/debian/openssh-server.postinst --- openssh-7.9p1/debian/openssh-server.postinst 2019-02-08 17:26:35.000000000 +0100 +++ openssh-7.9p1/debian/openssh-server.postinst 2019-02-26 23:54:50.000000000 +0100 @@ -148,6 +148,11 @@ # restart it under systemd. start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd || true fi + if dpkg --compare-versions "$2" lt-nl 1:7.9p1-5 && \ + [ -f /etc/ssh/moduli.dpkg-bak ]; then + # move backup made by preinst of openssh-client back in place + mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli + fi fi #DEBHELPER#
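Review bot: In debian/openssh-client.maintscript the rm_conffile line uses prior-version 1:7.9p1-6.1~, while the restore added to openssh-server.postinst is guarded by lt-nl 1:7.9p1-5, so the two halves of the move act on different version ranges. An upgrade from 1:7.9p1-5 or 1:7.9p1-6 meets the rm_conffile threshold in openssh-client but not the postinst guard. Either align the two versions or state in the postinst comment why the lower bound is intentional.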
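Review bot: In the debian/openssh-server.postinst hunk, the added mv overwrites /etc/ssh/moduli with whatever /etc/ssh/moduli.dpkg-bak exists, and the only checks are the version guard and [ -f ... ]. Nothing ties that backup to the rm_conffile run in openssh-client, so a moduli.dpkg-bak left over from something else would be moved into place as well. Separately, with lt-nl an empty "$2" compares as later than any version, so the restore is skipped when openssh-server is installed for the first time alongside the openssh-client upgrade, and a user-modified file then stays at moduli.dpkg-bak. Consider handling that case, or at least extend the comment to say which upgrade paths the block is meant to cover.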