From 78a89e637c337e240678de3d1c0f1486b3affb93 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 13 Jan 2009 20:18:14 +0000 Subject: Check that /var/run/sshd.pid exists and that the process ID listed there corresponds to sshd before running '/etc/init.d/ssh reload' from if-up script; SIGHUP is racy if called at boot before sshd has a chance to install its signal handler, but fortunately the pid file is written after that which lets us avoid the race (closes: #502444). --- debian/changelog | 5 +++++ debian/control | 2 +- debian/openssh-server.if-up | 5 +++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 049d0740b..a58cca063 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,11 @@ openssh (1:5.1p1-5) UNRELEASED; urgency=low * Backport from upstream CVS (Markus Friedl): - packet_disconnect() on padding error, too. Should reduce the success probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18. + * Check that /var/run/sshd.pid exists and that the process ID listed there + corresponds to sshd before running '/etc/init.d/ssh reload' from if-up + script; SIGHUP is racy if called at boot before sshd has a chance to + install its signal handler, but fortunately the pid file is written + after that which lets us avoid the race (closes: #502444). -- Colin Watson Mon, 01 Dec 2008 16:13:14 +0000 diff --git a/debian/control b/debian/control index 27b27e756..d87025778 100644 --- a/debian/control +++ b/debian/control 
@@ -37,7 +37,7 @@ Description: secure shell client, an rlogin/rsh/rcp replacement Package: openssh-server Priority: optional Architecture: any -Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, libpam-runtime (>= 0.76-14), libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${binary:Version}), lsb-base (>= 3.2-13), libssl0.9.8 (>= 0.9.8g-9), openssh-blacklist +Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, libpam-runtime (>= 0.76-14), libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${binary:Version}), lsb-base (>= 3.2-13), libssl0.9.8 (>= 0.9.8g-9), openssh-blacklist, procps Recommends: xauth, openssh-blacklist-extra Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7) Replaces: ssh, openssh-client (<< 1:3.8.1p1-11), ssh-krb5 diff --git a/debian/openssh-server.if-up b/debian/openssh-server.if-up index c44a4d257..9b2140352 100644 --- a/debian/openssh-server.if-up +++ b/debian/openssh-server.if-up @@ -25,6 +25,11 @@ if [ ! -e /usr/sbin/sshd ]; then exit 0 fi +if [ ! -f /var/run/sshd.pid ] || \ + [ "$(ps -p "$(cat /var/run/sshd.pid)" -o comm=)" = sshd ]; then + exit 0 +fi + /etc/init.d/ssh reload >/dev/null 2>&1 || true exit 0 -- cgit v1.2.3
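Review bot: The comparison in the guard added to debian/openssh-server.if-up looks inverted: `[ "$(ps -p "$(cat /var/run/sshd.pid)" -o comm=)" = sshd ]` makes the script `exit 0` precisely when the pid file names a live sshd, and lets it fall through to `/etc/init.d/ssh reload` when the pid belongs to some other process or to none. That contradicts the commit message, which says the reload should run only when the pid corresponds to sshd; as written, a running sshd is never reloaded on interface-up, while a stale pid file still reaches the reload path. The test should be `!= sshd`, i.e. `[ "$(ps -p "$(cat /var/run/sshd.pid)" -o comm=)" != sshd ]; then`. Separately, the pid file can vanish or be empty between the `-f` test and the `cat`, so adding `2>/dev/null` inside the substitutions would keep ifup output quiet. Matching on `comm` alone also accepts any process named sshd after PID reuse, which deserves a short comment. The start of the script lies outside this hunk.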