Merge ~3v1n0/ubuntu/+source/openssh:ubuntu/drop-libsystemd into ubuntu/+source/openssh:ubuntu/devel
Status: Needs review
Proposed branch: ~3v1n0/ubuntu/+source/openssh:ubuntu/drop-libsystemd
Merge into: ubuntu/+source/openssh:ubuntu/devel
Diff against target: 580 lines (+315/-93), 5 files modified
  debian/changelog (+17/-0), debian/control (+0/-1), debian/patches/systemd-readiness.patch (+205/-66), debian/patches/systemd-socket-activation.patch (+93/-25), debian/rules (+0/-1)
Related bugs: none listed
Reviewers:
- Nick Rosbrook (community): Approve
- Canonical Server Reporter: Pending
- git-ubuntu import: Pending
Review via email: mp+463604@code.launchpad.net
Commit message
Description of the change
Marco Trevisan (Treviño) (3v1n0) wrote:
> It seems that this is not preserving important delta in the Ubuntu patch for
> systemd socket activation. Please see inline comments for specifics.
Yeah, I noticed this too late, after I had submitted this; let me fix it.
Marco Trevisan (Treviño) (3v1n0) wrote:
> > It seems that this is not preserving important delta in the Ubuntu patch for
> > systemd socket activation. Please see inline comments for specifics.
>
> Yeah, I noticed this too late, after that I had submitted this, let me fix
> this.
All this is handled and now the delta should be correct.
I've slightly changed the behavior of get_systemd_
Marco Trevisan (Treviño) (3v1n0):
Colin Watson (cjwatson):
Marco Trevisan (Treviño) (3v1n0) wrote:
Addressed the comments
Nick Rosbrook (enr0n) wrote:
Thanks, systemd-
On a practical note, I was working on preparing an openssh upload for some other things. Would you mind if I upload this with my other changes when ready?
Marco Trevisan (Treviño) (3v1n0) wrote:
> On a practical note, I was working on preparing an openssh upload for some
> other things. Would you mind if I upload this with my other changes when
> ready?
As you prefer. I was wondering if it could also be material for noble though, since it would put us in an even safer position.
But it's your call.
Nick Rosbrook (enr0n) wrote:
> > On a practical note, I was working on preparing an openssh upload for some
> > other things. Would you mind if I upload this with my other changes when
> > ready?
>
> As you prefer, I was wondering if could also be material for noble though,
> since we'd put us in an even safer position.
>
> But it's your call.
I meant that I am planning on doing a Noble upload (probably later today).
Marco Trevisan (Treviño) (3v1n0) wrote:
> I meant that I am planning on doing a Noble upload (probably later today).
Fair enough then, do it whenever it is more convenient for you!
Unmerged commits
- dbc4b57... by Marco Trevisan (Treviño)
  Update changelog
- 6d38e12... by Marco Trevisan (Treviño)
  debian: Remove dependency on libsystemd

  As per the xz backdoor we learned that the fewer dependencies sshd has,
  the better it is, so avoid plugging libsystemd (which also brings various
  other dependencies) inside sshd for no reason. Use both the upstream patch
  for notification support and the socket activation refactor by Colin Watson.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 803393e..6c2e833 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,20 @@ |
6 | +openssh (1:9.6p1-3ubuntu13) UNRELEASED; urgency=medium |
7 | + |
8 | + * debian: Remove dependency on libsystemd |
9 | + As per the xz backdoor we learned that the least dependencies sshd have, |
10 | + the best it is, so avoid to plug libsystemd (which also brings various |
11 | + other dependencies) inside sshd for no reason: |
12 | + |
13 | + - d/p/systemd-readiness.patch: Use upstream patch with no libsystemd |
14 | + dependency |
15 | + - d/p/systemd-socket-activation.patch: Import patch from debian that |
16 | + mimics the libsystemd sd_listen_fds() code, as refactored by Colin |
17 | + Watson. |
18 | + - d/control: Remove dependencies on libsystemd-dev | libelogind-dev |
19 | + - d/rules: Drop --with-systemd flag (new options are used by default) |
20 | + |
21 | + -- Marco Trevisan (Treviño) <marco@ubuntu.com> Wed, 03 Apr 2024 16:41:15 +0200 |
22 | + |
23 | openssh (1:9.6p1-3ubuntu12) noble; urgency=medium |
24 | |
25 | * No-change rebuild for CVE-2024-3094 |
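Review bot: the new entry targets UNRELEASED and must be retargeted (to noble, per the upload discussed in the comments) before this is uploaded. Wording nit in the first bullet: "the least dependencies sshd have, the best it is" reads better as "the fewer dependencies sshd has, the better". The four sub-bullets match the files the diff actually touches (two patches, d/control, d/rules), which is good.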
26 | diff --git a/debian/control b/debian/control |
27 | index 58e9a89..abdb97e 100644 |
28 | --- a/debian/control |
29 | +++ b/debian/control |
30 | @@ -16,7 +16,6 @@ Build-Depends: debhelper (>= 13.1~), |
31 | libpam0g-dev | libpam-dev, |
32 | libselinux1-dev [linux-any], |
33 | libssl-dev (>= 1.1.1), |
34 | - libsystemd-dev [linux-any] | libelogind-dev [linux-any], |
35 | libwrap0-dev | libwrap-dev, |
36 | pkg-config, |
37 | zlib1g-dev, |
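Review bot: dropping `libsystemd-dev [linux-any] | libelogind-dev [linux-any]` removes the only build-time source of the libsystemd0 runtime dependency that dh_shlibdeps would have generated, which is the point of the change; after a build, confirm with `objdump -p sshd | grep NEEDED` that no libsystemd.so.0 entry remains, and grep the source tree for `<systemd/sd-daemon.h>` to make sure nothing outside the two patches still expects the header. Since the whole alternative was Linux-only, non-Linux builds are unaffected either way.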
38 | diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch |
39 | index 59f63ab..799bd81 100644 |
40 | --- a/debian/patches/systemd-readiness.patch |
41 | +++ b/debian/patches/systemd-readiness.patch |
42 | @@ -1,84 +1,223 @@ |
43 | -From 997c7d972b8ad436dff3b9a482f7ce988b50114c Mon Sep 17 00:00:00 2001 |
44 | -From: Michael Biebl <biebl@debian.org> |
45 | -Date: Mon, 21 Dec 2015 16:08:47 +0000 |
46 | -Subject: Add systemd readiness notification support |
47 | +From: Damien Miller <djm@mindrot.org> |
48 | +Date: Wed, 3 Apr 2024 14:40:32 +1100 |
49 | +Subject: notify systemd on listen and reload |
50 | |
51 | +Standalone implementation that does not depend on libsystemd. |
52 | +With assistance from Luca Boccassi, and feedback/testing from Colin |
53 | +Watson. bz2641 |
54 | + |
55 | +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c |
56 | Bug-Debian: https://bugs.debian.org/778913 |
57 | -Forwarded: no |
58 | -Last-Update: 2017-08-22 |
59 | +Last-Update: 2024-04-03 |
60 | |
61 | Patch-Name: systemd-readiness.patch |
62 | --- |
63 | - configure.ac | 24 ++++++++++++++++++++++++ |
64 | - sshd.c | 9 +++++++++ |
65 | - 2 files changed, 33 insertions(+) |
66 | + configure.ac | 1 + |
67 | + openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++++++++++- |
68 | + openbsd-compat/port-linux.h | 5 +++ |
69 | + platform.c | 11 +++++ |
70 | + platform.h | 1 + |
71 | + sshd.c | 2 + |
72 | + 6 files changed, 115 insertions(+), 2 deletions(-) |
73 | |
74 | diff --git a/configure.ac b/configure.ac |
75 | -index badfacf8f..5662c9e3a 100644 |
76 | +index badfacf..a431c8a 100644 |
77 | --- a/configure.ac |
78 | +++ b/configure.ac |
79 | -@@ -4922,6 +4922,29 @@ AC_SUBST([GSSLIBS]) |
80 | - AC_SUBST([K5LIBS]) |
81 | - AC_SUBST([CHANNELLIBS]) |
82 | +@@ -931,6 +931,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
83 | + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) |
84 | + AC_DEFINE([USE_BTMP]) |
85 | + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) |
86 | ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) |
87 | + inet6_default_4in6=yes |
88 | + case `uname -r` in |
89 | + 1.*|2.0.*) |
90 | +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c |
91 | +index 0394f48..8e28245 100644 |
92 | +--- a/openbsd-compat/port-linux.c |
93 | ++++ b/openbsd-compat/port-linux.c |
94 | +@@ -21,16 +21,23 @@ |
95 | |
96 | -+# Check whether user wants systemd support |
97 | -+SYSTEMD_MSG="no" |
98 | -+AC_ARG_WITH(systemd, |
99 | -+ [ --with-systemd Enable systemd support], |
100 | -+ [ if test "x$withval" != "xno" ; then |
101 | -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) |
102 | -+ if test "$PKGCONFIG" != "no"; then |
103 | -+ AC_MSG_CHECKING([for libsystemd]) |
104 | -+ if $PKGCONFIG --exists libsystemd; then |
105 | -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` |
106 | -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` |
107 | -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" |
108 | -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" |
109 | -+ AC_MSG_RESULT([yes]) |
110 | -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) |
111 | -+ SYSTEMD_MSG="yes" |
112 | -+ else |
113 | -+ AC_MSG_RESULT([no]) |
114 | -+ fi |
115 | -+ fi |
116 | -+ fi ] |
117 | -+) |
118 | -+ |
119 | - # Looking for programs, paths and files |
120 | + #include "includes.h" |
121 | |
122 | - PRIVSEP_PATH=/var/empty |
123 | -@@ -5731,6 +5754,7 @@ echo " libldns support: $LDNS_MSG" |
124 | - echo " Solaris process contract support: $SPC_MSG" |
125 | - echo " Solaris project support: $SP_MSG" |
126 | - echo " Solaris privilege support: $SPP_MSG" |
127 | -+echo " systemd support: $SYSTEMD_MSG" |
128 | - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" |
129 | - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" |
130 | - echo " BSD Auth support: $BSD_AUTH_MSG" |
131 | -diff --git a/sshd.c b/sshd.c |
132 | -index d56ba490b..356bd6c02 100644 |
133 | ---- a/sshd.c |
134 | -+++ b/sshd.c |
135 | -@@ -88,6 +88,10 @@ |
136 | - #include <prot.h> |
137 | +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) |
138 | ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ |
139 | ++ defined(SYSTEMD_NOTIFY) |
140 | ++#include <sys/socket.h> |
141 | ++#include <sys/un.h> |
142 | ++ |
143 | + #include <errno.h> |
144 | ++#include <inttypes.h> |
145 | + #include <stdarg.h> |
146 | + #include <string.h> |
147 | + #include <stdio.h> |
148 | + #include <stdlib.h> |
149 | ++#include <time.h> |
150 | + |
151 | + #include "log.h" |
152 | + #include "xmalloc.h" |
153 | + #include "port-linux.h" |
154 | ++#include "misc.h" |
155 | + |
156 | + #ifdef WITH_SELINUX |
157 | + #include <selinux/selinux.h> |
158 | +@@ -317,4 +324,90 @@ oom_adjust_restore(void) |
159 | + return; |
160 | + } |
161 | + #endif /* LINUX_OOM_ADJUST */ |
162 | +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ |
163 | ++ |
164 | ++#ifdef SYSTEMD_NOTIFY |
165 | ++ |
166 | ++static void ssh_systemd_notify(const char *, ...) |
167 | ++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); |
168 | ++ |
169 | ++static void |
170 | ++ssh_systemd_notify(const char *fmt, ...) |
171 | ++{ |
172 | ++ char *s = NULL; |
173 | ++ const char *path; |
174 | ++ struct stat sb; |
175 | ++ struct sockaddr_un addr; |
176 | ++ int fd = -1; |
177 | ++ va_list ap; |
178 | ++ |
179 | ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) |
180 | ++ return; |
181 | ++ |
182 | ++ va_start(ap, fmt); |
183 | ++ xvasprintf(&s, fmt, ap); |
184 | ++ va_end(ap); |
185 | ++ |
186 | ++ /* Only AF_UNIX is supported, with path or abstract sockets */ |
187 | ++ if (path[0] != '/' && path[0] != '@') { |
188 | ++ error_f("socket \"%s\" is not compatible with AF_UNIX", path); |
189 | ++ goto out; |
190 | ++ } |
191 | ++ |
192 | ++ if (path[0] == '/' && stat(path, &sb) != 0) { |
193 | ++ error_f("socket \"%s\" stat: %s", path, strerror(errno)); |
194 | ++ goto out; |
195 | ++ } |
196 | ++ |
197 | ++ memset(&addr, 0, sizeof(addr)); |
198 | ++ addr.sun_family = AF_UNIX; |
199 | ++ if (strlcpy(addr.sun_path, path, |
200 | ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { |
201 | ++ error_f("socket path \"%s\" too long", path); |
202 | ++ goto out; |
203 | ++ } |
204 | ++ /* Support for abstract socket */ |
205 | ++ if (addr.sun_path[0] == '@') |
206 | ++ addr.sun_path[0] = 0; |
207 | ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { |
208 | ++ error_f("socket \"%s\": %s", path, strerror(errno)); |
209 | ++ goto out; |
210 | ++ } |
211 | ++ if (connect(fd, &addr, sizeof(addr)) != 0) { |
212 | ++ error_f("socket \"%s\" connect: %s", path, strerror(errno)); |
213 | ++ goto out; |
214 | ++ } |
215 | ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { |
216 | ++ error_f("socket \"%s\" write: %s", path, strerror(errno)); |
217 | ++ goto out; |
218 | ++ } |
219 | ++ debug_f("socket \"%s\" notified %s", path, s); |
220 | ++ out: |
221 | ++ if (fd != -1) |
222 | ++ close(fd); |
223 | ++ free(s); |
224 | ++} |
225 | ++ |
226 | ++void |
227 | ++ssh_systemd_notify_ready(void) |
228 | ++{ |
229 | ++ ssh_systemd_notify("READY=1"); |
230 | ++} |
231 | ++ |
232 | ++void |
233 | ++ssh_systemd_notify_reload(void) |
234 | ++{ |
235 | ++ struct timespec now; |
236 | ++ |
237 | ++ monotime_ts(&now); |
238 | ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { |
239 | ++ error_f("monotime returned negative value"); |
240 | ++ ssh_systemd_notify("RELOADING=1"); |
241 | ++ } else { |
242 | ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", |
243 | ++ ((uint64_t)now.tv_sec * 1000000ULL) + |
244 | ++ ((uint64_t)now.tv_nsec / 1000ULL)); |
245 | ++ } |
246 | ++} |
247 | ++#endif /* SYSTEMD_NOTIFY */ |
248 | ++ |
249 | ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ |
250 | +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h |
251 | +index c881294..6c4c371 100644 |
252 | +--- a/openbsd-compat/port-linux.h |
253 | ++++ b/openbsd-compat/port-linux.h |
254 | +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); |
255 | + void oom_adjust_setup(void); |
256 | #endif |
257 | |
258 | -+#ifdef HAVE_SYSTEMD |
259 | -+#include <systemd/sd-daemon.h> |
260 | ++#ifdef SYSTEMD_NOTIFY |
261 | ++void ssh_systemd_notify_ready(void); |
262 | ++void ssh_systemd_notify_reload(void); |
263 | +#endif |
264 | + |
265 | - #include "xmalloc.h" |
266 | - #include "ssh.h" |
267 | - #include "ssh2.h" |
268 | -@@ -2101,6 +2105,11 @@ main(int ac, char **av) |
269 | - } |
270 | - } |
271 | + #endif /* ! _PORT_LINUX_H */ |
272 | +diff --git a/platform.c b/platform.c |
273 | +index 70c3a9b..163a54a 100644 |
274 | +--- a/platform.c |
275 | ++++ b/platform.c |
276 | +@@ -44,6 +44,14 @@ platform_pre_listen(void) |
277 | + #endif |
278 | + } |
279 | |
280 | -+#ifdef HAVE_SYSTEMD |
281 | -+ /* Signal systemd that we are ready to accept connections */ |
282 | -+ sd_notify(0, "READY=1"); |
283 | ++void |
284 | ++platform_post_listen(void) |
285 | ++{ |
286 | ++#ifdef SYSTEMD_NOTIFY |
287 | ++ ssh_systemd_notify_ready(); |
288 | +#endif |
289 | ++} |
290 | ++ |
291 | + void |
292 | + platform_pre_fork(void) |
293 | + { |
294 | +@@ -55,6 +63,9 @@ platform_pre_fork(void) |
295 | + void |
296 | + platform_pre_restart(void) |
297 | + { |
298 | ++#ifdef SYSTEMD_NOTIFY |
299 | ++ ssh_systemd_notify_reload(); |
300 | ++#endif |
301 | + #ifdef LINUX_OOM_ADJUST |
302 | + oom_adjust_restore(); |
303 | + #endif |
304 | +diff --git a/platform.h b/platform.h |
305 | +index 027fdfb..1b77c3e 100644 |
306 | +--- a/platform.h |
307 | ++++ b/platform.h |
308 | +@@ -21,6 +21,7 @@ |
309 | + void platform_pre_listen(void); |
310 | + void platform_pre_fork(void); |
311 | + void platform_pre_restart(void); |
312 | ++void platform_post_listen(void); |
313 | + void platform_post_fork_parent(pid_t child_pid); |
314 | + void platform_post_fork_child(void); |
315 | + int platform_privileged_uidswap(void); |
316 | +diff --git a/sshd.c b/sshd.c |
317 | +index d56ba49..ca47e7e 100644 |
318 | +--- a/sshd.c |
319 | ++++ b/sshd.c |
320 | +@@ -2085,6 +2085,8 @@ main(int ac, char **av) |
321 | + ssh_signal(SIGTERM, sigterm_handler); |
322 | + ssh_signal(SIGQUIT, sigterm_handler); |
323 | + |
324 | ++ platform_post_listen(); |
325 | + |
326 | - /* Accept a connection and return in a forked child */ |
327 | - server_accept_loop(&sock_in, &sock_out, |
328 | - &newsock, config_s); |
329 | + /* |
330 | + * Write out the pid file after the sigterm handler |
331 | + * is setup and the listen sockets are bound |
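Review bot: `connect(fd, &addr, sizeof(addr))` in ssh_systemd_notify() passes a `struct sockaddr_un *` where connect() takes `const struct sockaddr *`; recent GCC treats incompatible pointer types as an error rather than a warning, so this wants `(struct sockaddr *)&addr`. Two smaller points in the same function: in the abstract-socket case (`addr.sun_path[0] = 0`) an address length of `sizeof(addr)` makes the entire zero-padded sun_path part of the abstract name, so `offsetof(struct sockaddr_un, sun_path) + strlen(path)` is the safer length to pass; and `stat()` is called on `struct stat sb` while the include block only adds <sys/socket.h>, <sys/un.h>, <inttypes.h> and <time.h>, so confirm <sys/stat.h> arrives via includes.h. In ssh_systemd_notify_reload(), `%llu` with a `uint64_t` argument draws -Wformat warnings on LP64; `PRIu64` from the newly included <inttypes.h> avoids that. Because this file is now the verbatim upstream commit (`Origin: upstream`), any of these fixes is better carried as a separate follow-up patch, and forwarded, than edited into this one.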
332 | diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch |
333 | index 8e1ce7c..c7682d0 100644 |
334 | --- a/debian/patches/systemd-socket-activation.patch |
335 | +++ b/debian/patches/systemd-socket-activation.patch |
336 | @@ -1,23 +1,53 @@ |
337 | +From: Steve Langasek <steve.langasek@ubuntu.com> |
338 | +Date: Thu, 1 Sep 2022 16:03:37 +0100 |
339 | +Subject: Support systemd socket activation |
340 | + |
341 | Description: support systemd socket activation |
342 | Unlike inetd socket activation, with systemd socket activation the |
343 | supervisor passes the listened-on socket to the child process and lets |
344 | the child process handle the accept(). This lets us do delayed start |
345 | of the sshd daemon without becoming incompatible with config options |
346 | like ClientAliveCountMax. |
347 | + |
348 | Author: Steve Langasek <steve.langasek@ubuntu.com> |
349 | Author: Nick Rosbrook <nick.rosbrook@canonical.com> |
350 | +Author: Colin Watson <cjwatson@debian.org> |
351 | +Author: Marco Trevisan <marco@ubuntu.com> |
352 | Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2011458 |
353 | -Last-Update: 2023-05-25 |
354 | +Last-Update: 2024-04-03 |
355 | |
356 | +--- |
357 | + configure.ac | 1 + |
358 | + sshd.c | 176 ++++++++++++++++++++++++++++++++++++++++++++++++++++------- |
359 | + 2 files changed, 156 insertions(+), 21 deletions(-) |
360 | + |
361 | +diff --git a/configure.ac b/configure.ac |
362 | +index a431c8a..64a44cb 100644 |
363 | +--- a/configure.ac |
364 | ++++ b/configure.ac |
365 | +@@ -932,6 +932,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
366 | + AC_DEFINE([USE_BTMP]) |
367 | + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) |
368 | + AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) |
369 | ++ AC_DEFINE([SYSTEMD_SOCKET_ACTIVATION], [1], [Have sshd accept systemd socket activation]) |
370 | + inet6_default_4in6=yes |
371 | + case `uname -r` in |
372 | + 1.*|2.0.*) |
373 | +diff --git a/sshd.c b/sshd.c |
374 | +index ca47e7e..9999c71 100644 |
375 | --- a/sshd.c |
376 | +++ b/sshd.c |
377 | -@@ -139,11 +139,14 @@ |
378 | +@@ -135,11 +135,18 @@ int allow_severity; |
379 | int deny_severity; |
380 | #endif /* LIBWRAP */ |
381 | |
382 | +/* This will only get set if we build with systemd. */ |
383 | +static int systemd_num_listen_fds; |
384 | + |
385 | ++#ifdef SYSTEMD_SOCKET_ACTIVATION |
386 | ++#define SYSTEMD_LISTEN_FDS_START 3 |
387 | ++#endif |
388 | ++ |
389 | /* Re-exec fds */ |
390 | -#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
391 | -#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
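Review bot: the comment `/* This will only get set if we build with systemd. */` above `systemd_num_listen_fds` is now misleading, since the package no longer builds against libsystemd at all; reword it to say the variable is only set when SYSTEMD_SOCKET_ACTIVATION is defined. Also, `#define SYSTEMD_LISTEN_FDS_START 3` hard-codes the value of libsystemd's SD_LISTEN_FDS_START; that value is part of the documented sd_listen_fds(3) protocol rather than an implementation detail, so it is stable, and a one-line comment saying so would save the next reader a lookup.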
392 | @@ -30,7 +60,7 @@ Last-Update: 2023-05-25 |
393 | |
394 | extern char *__progname; |
395 | |
396 | -@@ -194,6 +197,7 @@ |
397 | +@@ -190,6 +197,7 @@ static char **rexec_argv; |
398 | */ |
399 | #define MAX_LISTEN_SOCKS 16 |
400 | static int listen_socks[MAX_LISTEN_SOCKS]; |
401 | @@ -38,7 +68,7 @@ Last-Update: 2023-05-25 |
402 | static int num_listen_socks = 0; |
403 | |
404 | /* Daemon's agent connection */ |
405 | -@@ -279,12 +283,16 @@ |
406 | +@@ -275,12 +283,16 @@ static char *listener_proctitle; |
407 | * Close all listening sockets |
408 | */ |
409 | static void |
410 | @@ -57,7 +87,7 @@ Last-Update: 2023-05-25 |
411 | num_listen_socks = 0; |
412 | } |
413 | |
414 | -@@ -322,7 +330,7 @@ |
415 | +@@ -318,7 +330,7 @@ sighup_restart(void) |
416 | if (options.pid_file != NULL) |
417 | unlink(options.pid_file); |
418 | platform_pre_restart(); |
419 | @@ -66,11 +96,50 @@ Last-Update: 2023-05-25 |
420 | close_startup_pipes(); |
421 | ssh_signal(SIGHUP, SIG_IGN); /* will be restored after exec */ |
422 | execv(saved_argv[0], saved_argv); |
423 | -@@ -1020,6 +1028,65 @@ |
424 | +@@ -1016,6 +1028,104 @@ server_accept_inetd(int *sock_in, int *sock_out) |
425 | debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out); |
426 | } |
427 | |
428 | -+#ifdef HAVE_SYSTEMD |
429 | ++#ifdef SYSTEMD_SOCKET_ACTIVATION |
430 | ++/* |
431 | ++ * Get file descriptors passed by systemd; this implements the protocol |
432 | ++ * described in the NOTES section of sd_listen_fds(3). |
433 | ++ */ |
434 | ++static int |
435 | ++get_systemd_listen_fds(void) |
436 | ++{ |
437 | ++ const char *listen_pid_str, *listen_fds_str; |
438 | ++ pid_t listen_pid; |
439 | ++ int listen_fds; |
440 | ++ const char *errstr = NULL; |
441 | ++ int fd; |
442 | ++ |
443 | ++ listen_pid_str = getenv("LISTEN_PID"); |
444 | ++ if (listen_pid_str == NULL) |
445 | ++ return 0; |
446 | ++ listen_pid = (pid_t)strtonum(listen_pid_str, 2, INT_MAX, &errstr); |
447 | ++ if (errstr != NULL) |
448 | ++ return -errno; |
449 | ++ if (getpid() != listen_pid) |
450 | ++ return 0; |
451 | ++ |
452 | ++ listen_fds_str = getenv("LISTEN_FDS"); |
453 | ++ if (listen_fds_str == NULL) |
454 | ++ return 0; |
455 | ++ listen_fds = (int)strtonum(listen_fds_str, 1, |
456 | ++ INT_MAX - SYSTEMD_LISTEN_FDS_START, &errstr); |
457 | ++ if (errstr != NULL) |
458 | ++ return -errno; |
459 | ++ |
460 | ++ for (fd = SYSTEMD_LISTEN_FDS_START; |
461 | ++ fd < SYSTEMD_LISTEN_FDS_START + listen_fds; fd++) { |
462 | ++ if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) |
463 | ++ return -errno; |
464 | ++ } |
465 | ++ |
466 | ++ return listen_fds; |
467 | ++} |
468 | ++ |
469 | +/* |
470 | + * Configure our socket fds that were passed from systemd |
471 | + */ |
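Review bot: nothing in get_systemd_listen_fds() checks that descriptors `SYSTEMD_LISTEN_FDS_START .. SYSTEMD_LISTEN_FDS_START + listen_fds - 1` are actually sockets (libsystemd callers normally pair sd_listen_fds() with sd_is_socket()); `fcntl(fd, F_SETFD, FD_CLOEXEC)` succeeds on any open descriptor, so if setup_systemd_socket() does not validate either, a unit that passes a non-socket fd will fail later with a less obvious error. Two smaller points: `F_SETFD` with a bare `FD_CLOEXEC` overwrites any other descriptor flags instead of OR-ing them in (an `F_GETFD` first would match what libsystemd does), and the `return -errno` after a failed strtonum() relies on strtonum() having set errno, which it does (EINVAL or ERANGE), but a `debug_f()` naming the offending variable before returning would make misconfigured units easier to diagnose. The LISTEN_PID and LISTEN_FDS parsing bounds otherwise mirror sd_listen_fds(), which is what the changelog promises.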
472 | @@ -132,7 +201,7 @@ Last-Update: 2023-05-25 |
473 | /* |
474 | * Listen for TCP connections |
475 | */ |
476 | -@@ -1104,17 +1171,26 @@ |
477 | +@@ -1100,17 +1210,26 @@ server_listen(void) |
478 | srclimit_init(options.max_startups, options.per_source_max_startups, |
479 | options.per_source_masklen_ipv4, options.per_source_masklen_ipv6); |
480 | |
481 | @@ -142,17 +211,12 @@ Last-Update: 2023-05-25 |
482 | - free(options.listen_addrs[i].rdomain); |
483 | - memset(&options.listen_addrs[i], 0, |
484 | - sizeof(options.listen_addrs[i])); |
485 | -- } |
486 | -- free(options.listen_addrs); |
487 | -- options.listen_addrs = NULL; |
488 | -- options.num_listen_addrs = 0; |
489 | -- |
490 | -+#ifdef HAVE_SYSTEMD |
491 | ++#ifdef SYSTEMD_SOCKET_ACTIVATION |
492 | + if (systemd_num_listen_fds > 0) |
493 | + { |
494 | + int i; |
495 | + for (i = 0; i < systemd_num_listen_fds; i++) |
496 | -+ setup_systemd_socket(SD_LISTEN_FDS_START + i); |
497 | ++ setup_systemd_socket(SYSTEMD_LISTEN_FDS_START + i); |
498 | + } else |
499 | +#endif |
500 | + { |
501 | @@ -166,11 +230,15 @@ Last-Update: 2023-05-25 |
502 | + free(options.listen_addrs); |
503 | + options.listen_addrs = NULL; |
504 | + options.num_listen_addrs = 0; |
505 | -+ } |
506 | + } |
507 | +- free(options.listen_addrs); |
508 | +- options.listen_addrs = NULL; |
509 | +- options.num_listen_addrs = 0; |
510 | +- |
511 | if (!num_listen_socks) |
512 | fatal("Cannot bind any address."); |
513 | } |
514 | -@@ -1169,7 +1245,7 @@ |
515 | +@@ -1165,7 +1284,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) |
516 | if (received_sigterm) { |
517 | logit("Received signal %d; terminating.", |
518 | (int) received_sigterm); |
519 | @@ -179,7 +247,7 @@ Last-Update: 2023-05-25 |
520 | if (options.pid_file != NULL) |
521 | unlink(options.pid_file); |
522 | exit(received_sigterm == SIGTERM ? 0 : 255); |
523 | -@@ -1183,7 +1259,7 @@ |
524 | +@@ -1179,7 +1298,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) |
525 | if (received_sighup) { |
526 | if (!lameduck) { |
527 | debug("Received SIGHUP; waiting for children"); |
528 | @@ -188,7 +256,7 @@ Last-Update: 2023-05-25 |
529 | lameduck = 1; |
530 | } |
531 | if (listening <= 0) { |
532 | -@@ -1310,7 +1386,7 @@ |
533 | +@@ -1306,7 +1425,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) |
534 | * connection without forking. |
535 | */ |
536 | debug("Server will not fork when running in debugging mode."); |
537 | @@ -197,7 +265,7 @@ Last-Update: 2023-05-25 |
538 | *sock_in = *newsock; |
539 | *sock_out = *newsock; |
540 | close(startup_p[0]); |
541 | -@@ -1344,7 +1420,7 @@ |
542 | +@@ -1340,7 +1459,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) |
543 | platform_post_fork_child(); |
544 | startup_pipe = startup_p[1]; |
545 | close_startup_pipes(); |
546 | @@ -206,18 +274,18 @@ Last-Update: 2023-05-25 |
547 | *sock_in = *newsock; |
548 | *sock_out = *newsock; |
549 | log_init(__progname, |
550 | -@@ -1715,6 +1791,21 @@ |
551 | +@@ -1711,6 +1830,21 @@ main(int ac, char **av) |
552 | break; |
553 | } |
554 | } |
555 | + |
556 | -+#ifdef HAVE_SYSTEMD |
557 | -+ /* We should call sd_listen_fds() exactly once. If we call |
558 | -+ * sd_listen_fds() more than once, then FD_CLOEXEC will be |
559 | ++#ifdef SYSTEMD_SOCKET_ACTIVATION |
560 | ++ /* We should call get_systemd_listen_fds() exactly once. If we call |
561 | ++ * get_systemd_listen_fds() more than once, then FD_CLOEXEC will be |
562 | + * re-configured for the passed fds, which will cause problems during |
563 | + * re-execution. The FD_CLOEXEC flag will be cleared by |
564 | + * setup_systemd_socket(). */ |
565 | -+ r = sd_listen_fds(0); |
566 | ++ r = get_systemd_listen_fds(); |
567 | + if (r < 0) |
568 | + fatal("Failed to get systemd socket fds: %s", strerror(-r)); |
569 | + |
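Review bot: the error path `fatal("Failed to get systemd socket fds: %s", strerror(-r))` only ever surfaces EINVAL/ERANGE from strtonum() or an fcntl() errno, so the operator sees "Invalid argument" without learning which of LISTEN_PID or LISTEN_FDS was malformed; logging the variable name and value here, or inside get_systemd_listen_fds(), would help. The rewritten comment correctly keeps the exactly-once invariant (FD_CLOEXEC is cleared again by setup_systemd_socket(), so a second call before re-exec would break the inherited fds), and the rename from sd_listen_fds() preserves it.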
570 | diff --git a/debian/rules b/debian/rules |
571 | index 54d82cb..1870fbe 100755 |
572 | --- a/debian/rules |
573 | +++ b/debian/rules |
574 | @@ -80,7 +80,6 @@ confflags += --with-ssl-engine |
575 | ifeq ($(DEB_HOST_ARCH_OS),linux) |
576 | confflags += --with-selinux |
577 | confflags += --with-audit=linux |
578 | -confflags += --with-systemd |
579 | confflags += --with-security-key-builtin |
580 | endif |
581 |
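Review bot: dropping `confflags += --with-systemd` is consistent with the readiness patch no longer carrying the `AC_ARG_WITH(systemd, ...)` block; with the option gone from configure.ac, autoconf would only warn that `--with-systemd` is unrecognised, so removing it here avoids shipping a silently ignored flag. Both SYSTEMD_NOTIFY and SYSTEMD_SOCKET_ACTIVATION are now defined unconditionally in the Linux branch of configure.ac, which matches the changelog's "new options are used by default".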
It seems that this is not preserving important delta in the Ubuntu patch for systemd socket activation. Please see inline comments for specifics.