Am 24.02.2012 09:55, schrieb Colin Watson:
On Tue, Oct 18, 2011 at 06:56:07PM +0200, Dirk Heinrichs wrote:
I'm running sshd with priviledge separation enabled from inetd, but
since some time I can't login anymore after reboot.
In /var/log/auth.log, I see the followin message:
fatal: Missing privilege separation directory: /var/run/sshd
The reason for this is that /var/run is now a symlink to /run, which
is mounted as a tmpfs, thus it doesn't survive a reboot.
I'm not sure what I can do about this. The init script ensures that
/var/run/sshd exists; isn't it your responsibility to make suitable
arrangements when locally configuring sshd to start from inetd?
Well, that's what I did, of course. I've put this into /etc/rc.local:
[[ -d /run/sshd ]] || mkdir -p /run/sshd
(I suppose you could argue that the Debian packaging should set the
privsep path to /var/lib/sshd instead. That seems quite difficult to
change now though ...)
Hmm, why has it been changed from the default (/var/empty) in the first
place?
If the package would simply do what README.privsep says, everything
would be fine, no matter how sshd is finally invoked. From README.privsep:
"You should do something like the following to prepare the privsep
preauth environment:
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
/var/empty should not contain any files.
configure supports the following options to change the default
privsep user and chroot directory:
--with-privsep-path=xxx Path for privilege separation chroot
--with-privsep-user=user Specify non-privileged user for privilege
separation"
Bye...
Dirk
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org