author | Colin Watson <cjwatson@debian.org> | 2019-02-25 16:52:57 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2019-02-25 16:52:59 +0000 |
commit | 7699f33633d5ba2e68d35ac51173ad6bb2c3a521 (patch) | |
tree | 8d9c3953d9dd34cc199a7f57576a8023cf4b7c6e | |
parent | cced428470dd10eef1c6153b654dc1c70e0a77bc (diff) |
Tighten up start-stop-daemon invocations
Pass "--exec /usr/sbin/sshd" to start-stop-daemon on stop as well as
start and pass "--chuid 0:0" on start, to avoid problems with non-root
groups leaking into the ownership of /run/sshd.pid.
Closes: #922365
-rw-r--r-- | debian/changelog | 3 | ||||
-rwxr-xr-x[-rw-r--r--] | debian/openssh-server.ssh.init | 12 |
2 files changed, 9 insertions, 6 deletions
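--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ openssh (1:7.9p1-7) UNRELEASED; urgency=medium
 libpam-systemd (closes: #923199). (I've retained libpam-systemd as an
 alternative for a while to avoid backporting accidents, although it can
 be removed later.)
+* Pass "--exec /usr/sbin/sshd" to start-stop-daemon on stop as well as
+start and pass "--chuid 0:0" on start, to avoid problems with non-root
+groups leaking into the ownership of /run/sshd.pid (closes: #922365).
 
 -- Colin Watson <cjwatson@debian.org> Mon, 25 Feb 2019 16:26:28 +0000
 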
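--- a/debian/openssh-server.ssh.init
+++ b/debian/openssh-server.ssh.init
@@ -80,7 +80,7 @@ case "$1" in
 check_for_no_start
 check_dev_null
 log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
-if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 log_end_msg 0 || true
 else
 log_end_msg 1 || true
@@ -88,7 +88,7 @@ case "$1" in
 ;;
 stop)
 log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" || true
-if start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid; then
+if start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd; then
 log_end_msg 0 || true
 else
 log_end_msg 1 || true
@@ -110,10 +110,10 @@ case "$1" in
 check_privsep_dir
 check_config
 log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
-start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/sshd.pid
+start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/sshd.pid --exec /usr/sbin/sshd
 check_for_no_start log_end_msg
 check_dev_null log_end_msg
-if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 log_end_msg 0 || true
 else
 log_end_msg 1 || true
@@ -125,13 +125,13 @@ case "$1" in
 check_config
 log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
 RET=0
-start-stop-daemon --stop --quiet --retry 30 --pidfile /run/sshd.pid || RET="$?"
+start-stop-daemon --stop --quiet --retry 30 --pidfile /run/sshd.pid --exec /usr/sbin/sshd || RET="$?"
 case $RET in
 0)
 # old daemon stopped
 check_for_no_start log_end_msg
 check_dev_null log_end_msg
-if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 log_end_msg 0 || true
 else
 log_end_msg 1 || true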
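Review bot: The `--exec /usr/sbin/sshd` added to the `--stop` invocations at new lines 91, 113 and 128 makes the match depend on the running sshd's executable still being the file currently installed at /usr/sbin/sshd; if a package upgrade has replaced that binary, start-stop-daemon's executable comparison may no longer match the old process, so the `--oknodo` stops at 91 and 113 would report success without stopping anything and the start at 116 would run against a still-live old daemon, while the non-`--oknodo` stop at 128 would set RET non-zero and fall into a case branch outside this hunk. This is inferred from how start-stop-daemon matches `--exec` rather than visible here, so it should be confirmed on the package's upgrade/restart path; if it holds, consider keeping `--exec` only on the plain `stop` action and matching the restart/reload stops with `--pidfile` plus `--user root` instead. Whatever the outcome, a short comment above the first changed stop would record the intent, e.g. `# --exec: refuse to act on a pidfile that no longer points at our sshd (#922365)`. The section also flips the script's mode from 100644 to 100755, which the commit message does not mention, and the enclosing `case "$1" in` block extends beyond every hunk shown.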