Bug#575582: openssh-server: privsep directory disappeared on upgrade
On Wed, Nov 24, 2010 at 03:07:31PM -0800, Russ Allbery wrote:
> Simon McVittie s...@debian.org writes:
> > On Fri, 19 Nov 2010 at 11:29:05 +0200, Stefano Rivera wrote:
> > > The problem seems to be that /var/run/sshd is removed on unpacking but only recreated in postinst. One cannot ssh in to the machine in-between.
> > >
> > > I consider this to be release-critical and am bumping the bug appropriately.
> >
> > It sounds as though the solution would be to ship the directory in the package again, *and* create it in the init script?
>
> This is just a one-time transition problem because older versions of the package included the directory in the package and newer ones use the postinst script, right?
>
> If so, how about touching a .placeholder file in /var/run/sshd in the preinst script of the current package on upgrades, and then removing that file again in the postinst? The presence of the file will prevent dpkg from removing the directory, and then we don't have to carry the directory in the package forever going forward.

That definitely sounds better than having to keep the directory forever. If nobody objects I'll go ahead with Russ' plan.

Something like this?

=== modified file 'debian/openssh-server.postinst' --- debian/openssh-server.postinst 2010-04-28 21:09:13 + +++ debian/openssh-server.postinst 2010-11-25 15:51:57 + @@ -473,6 +473,9 @@ commit_mv_conffile /etc/pam.d/ssh /etc/p if dpkg --compare-versions $2 lt 1:4.7p1-1; then rm -f /etc/ssh/primes fi +if dpkg --compare-versions $2 lt 1:5.5p1-6; then +rm -f /var/run/sshd/.placeholder +fi db_stop === modified file 'debian/openssh-server.preinst' --- debian/openssh-server.preinst 2009-07-31 15:16:19 + +++ debian/openssh-server.preinst 2010-11-25 15:51:29 + 
@@ -134,6 +134,12 @@ EOF if dpkg --compare-versions $version lt 1:4.7p1-4; then prepare_mv_conffile /etc/pam.d/ssh fi + + if dpkg --compare-versions $version lt 1:5.5p1-6 \ + [ -d /var/run/sshd ]; then +# make sure /var/run/sshd is not removed on upgrades +touch /var/run/sshd/.placeholder + fi fi #DEBHELPER# -- Colin Watson [cjwat...@debian.org] -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
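Review bot: In the postinst hunk, the new `rm -f /var/run/sshd/.placeholder` block has no comment tying it to the `touch` in preinst, while the preinst side does carry one; a one-line comment here (for example "remove the placeholder created by preinst to keep /var/run/sshd across the upgrade") would stop a later cleanup from deleting one half of the pair. Also, `$2` is unquoted: if this block can run on a fresh install, where `$2` is empty, dpkg is left without a version argument, and `"$2"` keeps the comparison well-formed. Since `rm -f` on a missing file is harmless, the removal could equally be made unconditional.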
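Review bot: In the preinst hunk, the condition as shown has no `&&` between `dpkg --compare-versions $version lt 1:5.5p1-6 \` and `[ -d /var/run/sshd ]`, so after the line continuation the bracket test is passed to dpkg as extra arguments instead of being evaluated; the first line should end `lt 1:5.5p1-6 && \`. With that fixed, the `-d` guard is the right check, since `touch` would otherwise fail on systems where the directory is already gone. Nothing in the visible lines removes `.placeholder` if the upgrade is aborted after preinst, so consider whether the abort path needs a matching cleanup.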
Bug#575582: openssh-server: privsep directory disappeared on upgrade
On Fri, 19 Nov 2010 at 11:29:05 +0200, Stefano Rivera wrote:
> The problem seems to be that /var/run/sshd is removed on unpacking but only recreated in postinst. One cannot ssh in to the machine in-between.
>
> I consider this to be release-critical and am bumping the bug appropriately.

It sounds as though the solution would be to ship the directory in the package again, *and* create it in the init script?

Simon
Bug#575582: openssh-server: privsep directory disappeared on upgrade
Simon McVittie s...@debian.org writes:
> On Fri, 19 Nov 2010 at 11:29:05 +0200, Stefano Rivera wrote:
> > The problem seems to be that /var/run/sshd is removed on unpacking but only recreated in postinst. One cannot ssh in to the machine in-between.
> >
> > I consider this to be release-critical and am bumping the bug appropriately.
>
> It sounds as though the solution would be to ship the directory in the package again, *and* create it in the init script?

This is just a one-time transition problem because older versions of the package included the directory in the package and newer ones use the postinst script, right?

If so, how about touching a .placeholder file in /var/run/sshd in the preinst script of the current package on upgrades, and then removing that file again in the postinst? The presence of the file will prevent dpkg from removing the directory, and then we don't have to carry the directory in the package forever going forward.

-- 
Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/
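The upgrade window and the placeholder idea discussed in this thread, as an added example that is not part of any message here or of the openssh packaging. It runs in a temporary sandbox and never calls dpkg; the function names are hypothetical, and `unpack_step` models one assumed dpkg behaviour, namely that a directory dropped from the new package is removed only if it is empty.

```shell
#!/bin/sh
# Added example: sandboxed model of the upgrade sequence from this thread.
# It never calls dpkg. unpack_step models one assumed behaviour: a directory
# dropped from the new package is removed with rmdir, which fails if non-empty.

preinst_step() {    # $1 = sandbox root, $2 = yes|no (use the placeholder)
    if [ "$2" = yes ] && [ -d "$1/var/run/sshd" ]; then
        touch "$1/var/run/sshd/.placeholder"
    fi
}

unpack_step() {     # old file list is cleaned up; non-empty directories survive
    rmdir "$1/var/run/sshd" 2>/dev/null || true
}

postinst_step() {   # drop the placeholder and make sure the directory exists
    rm -f "$1/var/run/sshd/.placeholder"
    mkdir -p "$1/var/run/sshd"
}

privsep_state() {   # what an incoming sshd connection would find
    if [ -d "$1/var/run/sshd" ]; then echo present; else echo missing; fi
}

# simulate_upgrade yes|no
# Prints: <state between unpack and postinst> <state after postinst> <clean|leftover>
simulate_upgrade() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/var/run/sshd"        # the old package shipped the directory
    preinst_step "$root" "$1"
    unpack_step "$root"
    window=$(privsep_state "$root")      # the period in which logins failed
    postinst_step "$root"
    final=$(privsep_state "$root")
    if [ -e "$root/var/run/sshd/.placeholder" ]; then left=leftover; else left=clean; fi
    rm -rf "$root"
    echo "$window $final $left"
}

simulate_upgrade no     # without the placeholder
simulate_upgrade yes    # with the placeholder
```

The first field is the state an sshd connection would meet between unpack and postinst, which is where the "Missing privilege separation directory" failure in the report occurs.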
Bug#575582: openssh-server: privsep directory disappeared on upgrade
found 575582 1:5.1p1-5
severity 575582 serious
affects 575582 upgrade-reports
thanks

I just ran into this on a remote upgrade. I was upgrading a (fortunately not too remote) machine using ssh + screen from my laptop. When I switched wifi AP and tried to reattach my screen, I couldn't:

| $ ssh dreamcoat -t screen -DR
| ssh_exchange_identification: Connection closed by remote host

And in auth.log:

| sshd[16271]: fatal: Missing privilege separation directory: /var/run/sshd

I had to reattach from a VT and continue the upgrade there, until it got to openssh-server's postinst and I could ssh in again. There were pending debconf questions, I couldn't simply wait for it to start working again.

I can easily reproduce this in a minimal VM with openssh-server installed.

The problem seems to be that /var/run/sshd is removed on unpacking but only recreated in postinst. One cannot ssh in to the machine in-between.

I consider this to be release-critical and am bumping the bug appropriately.

SR

-- 
Stefano Rivera http://tumbleweed.org.za/ H: +27 21 465 6908 C: +27 72 419 8559 UCT: x3127
Bug#575582: openssh-server: privsep directory disappeared on upgrade
On Sat, Mar 27, 2010 at 08:30:11PM +1100, Russell Coker wrote:
> I have just upgraded a system to Debian/Testing and sshd started failing. The directory /var/run/sshd had disappeared as part of the upgrade process.

Are you not using /etc/init.d/ssh to start sshd? It ensures that /var/run/sshd exists before starting the daemon.

This directory is no longer shipped by the package because /var/run may be a tmpfs (cf. policy 9.3.2) and so the init script has to create the directory dynamically anyway.

Regards,

-- 
Colin Watson [cjwat...@debian.org]
Bug#575582: openssh-server: privsep directory disappeared on upgrade
Package: openssh-server
Version: 1:5.3p1-3
Severity: normal

I have just upgraded a system to Debian/Testing and sshd started failing. The directory /var/run/sshd had disappeared as part of the upgrade process.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-164.11.1.el5xen (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                  3.112             add and remove users and groups
ii  debconf [debconf-2.0]    1.5.28            Debian configuration management sy
ii  dpkg                     1.15.5.6          Debian package management system
ii  libc6                    2.10.2-6          Embedded GNU C Library: Shared lib
ii  libcomerr2               1.41.11-1         common error description library
pn  libgssapi-krb5-2         none              (no description available)
pn  libkrb5-3                none              (no description available)
ii  libpam-modules           1.1.1-2           Pluggable Authentication Modules f
ii  libpam-runtime           1.1.1-2           Runtime support for the PAM librar
ii  libpam0g                 1.1.1-2           Pluggable Authentication Modules l
ii  libselinux1              2.0.89-4          SELinux runtime shared libraries
pn  libssl0.9.8              none              (no description available)
pn  libwrap0                 none              (no description available)
ii  lsb-base                 3.2-23            Linux Standard Base 3.2 init scrip
ii  openssh-blacklist        0.4.1             list of default blacklisted OpenSS
pn  openssh-client           none              (no description available)
pn  procps                   none              (no description available)
ii  zlib1g                   1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra  0.4.1             list of non-default blacklisted Op
pn  xauth                    none              (no description available)

Versions of packages openssh-server suggests:
pn  molly-guard              none              (no description available)
pn  rssh                     none              (no description available)
pn  ssh-askpass              none              (no description available)
pn  ufw                      none              (no description available)

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false