Merge ~3v1n0/ubuntu/+source/openssh:ubuntu/drop-libsystemd into ubuntu/+source/openssh:ubuntu/devel

Proposed by Marco Trevisan (Treviño)
Status: Needs review
Proposed branch: ~3v1n0/ubuntu/+source/openssh:ubuntu/drop-libsystemd
Merge into: ubuntu/+source/openssh:ubuntu/devel
Diff against target: 580 lines (+315/-93)
5 files modified
debian/changelog (+17/-0)
debian/control (+0/-1)
debian/patches/systemd-readiness.patch (+205/-66)
debian/patches/systemd-socket-activation.patch (+93/-25)
debian/rules (+0/-1)
Reviewer Review Type Date Requested Status
Nick Rosbrook (community) Approve
Canonical Server Reporter Pending
git-ubuntu import Pending
Review via email: mp+463604@code.launchpad.net
Nick Rosbrook (enr0n) wrote :

It seems that this is not preserving important delta in the Ubuntu patch for systemd socket activation. Please see inline comments for specifics.

review: Needs Fixing
Marco Trevisan (Treviño) (3v1n0) wrote :

> It seems that this is not preserving important delta in the Ubuntu patch for
> systemd socket activation. Please see inline comments for specifics.

Yeah, I noticed this too late, after I had submitted this; let me fix it.

Marco Trevisan (Treviño) (3v1n0) wrote :

> > It seems that this is not preserving important delta in the Ubuntu patch for
> > systemd socket activation. Please see inline comments for specifics.
>
> Yeah, I noticed this too late, after that I had submitted this, let me fix
> this.

All this is handled and now the delta should be correct.

I've slightly changed the behavior of get_systemd_listen_fds() from debian to return `-errno` in the fd failure cases so that we can keep failing early.

Marco Trevisan (Treviño) (3v1n0) :
Colin Watson (cjwatson) :
Marco Trevisan (Treviño) (3v1n0) wrote :

Addressed the comments

Nick Rosbrook (enr0n) wrote :

Thanks, systemd-socket-activation.patch looks good to me now.

On a practical note, I was working on preparing an openssh upload for some other things. Would you mind if I upload this with my other changes when ready?

review: Approve
Marco Trevisan (Treviño) (3v1n0) wrote :

> On a practical note, I was working on preparing an openssh upload for some
> other things. Would you mind if I upload this with my other changes when
> ready?

As you prefer; I was wondering if it could also be material for noble though, since it would put us in an even safer position.

But it's your call.

Nick Rosbrook (enr0n) wrote :

> > On a practical note, I was working on preparing an openssh upload for some
> > other things. Would you mind if I upload this with my other changes when
> > ready?
>
> As you prefer, I was wondering if could also be material for noble though,
> since we'd put us in an even safer position.
>
> But it's your call.

I meant that I am planning on doing a Noble upload (probably later today).

Marco Trevisan (Treviño) (3v1n0) wrote :

> I meant that I am planning on doing a Noble upload (probably later today).

Fair enough then, do it whenever it is more convenient for you!

Unmerged commits

dbc4b57... by Marco Trevisan (Treviño)

Update changelog

6d38e12... by Marco Trevisan (Treviño)

debian: Remove dependency on libsystemd

As per the xz backdoor, we learned that the fewer dependencies sshd has,
the better it is, so avoid plugging libsystemd (which also brings various
other dependencies) into sshd for no reason.

Use both the upstream patch for notification support and the socket
activation refactor by Colin Watson.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 803393e..6c2e833 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,20 @@
6+openssh (1:9.6p1-3ubuntu13) UNRELEASED; urgency=medium
7+
8+ * debian: Remove dependency on libsystemd
9+ As per the xz backdoor we learned that the least dependencies sshd have,
10+ the best it is, so avoid to plug libsystemd (which also brings various
11+ other dependencies) inside sshd for no reason:
12+
13+ - d/p/systemd-readiness.patch: Use upstream patch with no libsystemd
14+ dependency
15+ - d/p/systemd-socket-activation.patch: Import patch from debian that
16+ mimics the libsystemd sd_listen_fds() code, as refactored by Colin
17+ Watson.
18+ - d/control: Remove dependencies on libsystemd-dev | libelogind-dev
19+ - d/rules: Drop --with-systemd flag (new options are used by default)
20+
21+ -- Marco Trevisan (Treviño) <marco@ubuntu.com> Wed, 03 Apr 2024 16:41:15 +0200
22+
23 openssh (1:9.6p1-3ubuntu12) noble; urgency=medium
24
25 * No-change rebuild for CVE-2024-3094
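Review bot: the rationale in the first changelog bullet reads awkwardly ("the least dependencies sshd have, the best it is" / "avoid to plug libsystemd ... inside sshd"); suggest "the fewer dependencies sshd has, the better it is, so avoid plugging libsystemd (which also brings various other dependencies) into sshd for no reason". The four sub-bullets otherwise match the four file changes in this diff (the two d/p patches, d/control and d/rules).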
26diff --git a/debian/control b/debian/control
27index 58e9a89..abdb97e 100644
28--- a/debian/control
29+++ b/debian/control
30@@ -16,7 +16,6 @@ Build-Depends: debhelper (>= 13.1~),
31 libpam0g-dev | libpam-dev,
32 libselinux1-dev [linux-any],
33 libssl-dev (>= 1.1.1),
34- libsystemd-dev [linux-any] | libelogind-dev [linux-any],
35 libwrap0-dev | libwrap-dev,
36 pkg-config,
37 zlib1g-dev,
38diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
39index 59f63ab..799bd81 100644
40--- a/debian/patches/systemd-readiness.patch
41+++ b/debian/patches/systemd-readiness.patch
42@@ -1,84 +1,223 @@
43-From 997c7d972b8ad436dff3b9a482f7ce988b50114c Mon Sep 17 00:00:00 2001
44-From: Michael Biebl <biebl@debian.org>
45-Date: Mon, 21 Dec 2015 16:08:47 +0000
46-Subject: Add systemd readiness notification support
47+From: Damien Miller <djm@mindrot.org>
48+Date: Wed, 3 Apr 2024 14:40:32 +1100
49+Subject: notify systemd on listen and reload
50
51+Standalone implementation that does not depend on libsystemd.
52+With assistance from Luca Boccassi, and feedback/testing from Colin
53+Watson. bz2641
54+
55+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c
56 Bug-Debian: https://bugs.debian.org/778913
57-Forwarded: no
58-Last-Update: 2017-08-22
59+Last-Update: 2024-04-03
60
61 Patch-Name: systemd-readiness.patch
62 ---
63- configure.ac | 24 ++++++++++++++++++++++++
64- sshd.c | 9 +++++++++
65- 2 files changed, 33 insertions(+)
66+ configure.ac | 1 +
67+ openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++++++++++-
68+ openbsd-compat/port-linux.h | 5 +++
69+ platform.c | 11 +++++
70+ platform.h | 1 +
71+ sshd.c | 2 +
72+ 6 files changed, 115 insertions(+), 2 deletions(-)
73
74 diff --git a/configure.ac b/configure.ac
75-index badfacf8f..5662c9e3a 100644
76+index badfacf..a431c8a 100644
77 --- a/configure.ac
78 +++ b/configure.ac
79-@@ -4922,6 +4922,29 @@ AC_SUBST([GSSLIBS])
80- AC_SUBST([K5LIBS])
81- AC_SUBST([CHANNELLIBS])
82+@@ -931,6 +931,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
83+ AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
84+ AC_DEFINE([USE_BTMP])
85+ AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
86++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
87+ inet6_default_4in6=yes
88+ case `uname -r` in
89+ 1.*|2.0.*)
90+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
91+index 0394f48..8e28245 100644
92+--- a/openbsd-compat/port-linux.c
93++++ b/openbsd-compat/port-linux.c
94+@@ -21,16 +21,23 @@
95
96-+# Check whether user wants systemd support
97-+SYSTEMD_MSG="no"
98-+AC_ARG_WITH(systemd,
99-+ [ --with-systemd Enable systemd support],
100-+ [ if test "x$withval" != "xno" ; then
101-+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
102-+ if test "$PKGCONFIG" != "no"; then
103-+ AC_MSG_CHECKING([for libsystemd])
104-+ if $PKGCONFIG --exists libsystemd; then
105-+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
106-+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
107-+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
108-+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
109-+ AC_MSG_RESULT([yes])
110-+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
111-+ SYSTEMD_MSG="yes"
112-+ else
113-+ AC_MSG_RESULT([no])
114-+ fi
115-+ fi
116-+ fi ]
117-+)
118-+
119- # Looking for programs, paths and files
120+ #include "includes.h"
121
122- PRIVSEP_PATH=/var/empty
123-@@ -5731,6 +5754,7 @@ echo " libldns support: $LDNS_MSG"
124- echo " Solaris process contract support: $SPC_MSG"
125- echo " Solaris project support: $SP_MSG"
126- echo " Solaris privilege support: $SPP_MSG"
127-+echo " systemd support: $SYSTEMD_MSG"
128- echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
129- echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
130- echo " BSD Auth support: $BSD_AUTH_MSG"
131-diff --git a/sshd.c b/sshd.c
132-index d56ba490b..356bd6c02 100644
133---- a/sshd.c
134-+++ b/sshd.c
135-@@ -88,6 +88,10 @@
136- #include <prot.h>
137+-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
138++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \
139++ defined(SYSTEMD_NOTIFY)
140++#include <sys/socket.h>
141++#include <sys/un.h>
142++
143+ #include <errno.h>
144++#include <inttypes.h>
145+ #include <stdarg.h>
146+ #include <string.h>
147+ #include <stdio.h>
148+ #include <stdlib.h>
149++#include <time.h>
150+
151+ #include "log.h"
152+ #include "xmalloc.h"
153+ #include "port-linux.h"
154++#include "misc.h"
155+
156+ #ifdef WITH_SELINUX
157+ #include <selinux/selinux.h>
158+@@ -317,4 +324,90 @@ oom_adjust_restore(void)
159+ return;
160+ }
161+ #endif /* LINUX_OOM_ADJUST */
162+-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
163++
164++#ifdef SYSTEMD_NOTIFY
165++
166++static void ssh_systemd_notify(const char *, ...)
167++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
168++
169++static void
170++ssh_systemd_notify(const char *fmt, ...)
171++{
172++ char *s = NULL;
173++ const char *path;
174++ struct stat sb;
175++ struct sockaddr_un addr;
176++ int fd = -1;
177++ va_list ap;
178++
179++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
180++ return;
181++
182++ va_start(ap, fmt);
183++ xvasprintf(&s, fmt, ap);
184++ va_end(ap);
185++
186++ /* Only AF_UNIX is supported, with path or abstract sockets */
187++ if (path[0] != '/' && path[0] != '@') {
188++ error_f("socket \"%s\" is not compatible with AF_UNIX", path);
189++ goto out;
190++ }
191++
192++ if (path[0] == '/' && stat(path, &sb) != 0) {
193++ error_f("socket \"%s\" stat: %s", path, strerror(errno));
194++ goto out;
195++ }
196++
197++ memset(&addr, 0, sizeof(addr));
198++ addr.sun_family = AF_UNIX;
199++ if (strlcpy(addr.sun_path, path,
200++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
201++ error_f("socket path \"%s\" too long", path);
202++ goto out;
203++ }
204++ /* Support for abstract socket */
205++ if (addr.sun_path[0] == '@')
206++ addr.sun_path[0] = 0;
207++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
208++ error_f("socket \"%s\": %s", path, strerror(errno));
209++ goto out;
210++ }
211++ if (connect(fd, &addr, sizeof(addr)) != 0) {
212++ error_f("socket \"%s\" connect: %s", path, strerror(errno));
213++ goto out;
214++ }
215++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
216++ error_f("socket \"%s\" write: %s", path, strerror(errno));
217++ goto out;
218++ }
219++ debug_f("socket \"%s\" notified %s", path, s);
220++ out:
221++ if (fd != -1)
222++ close(fd);
223++ free(s);
224++}
225++
226++void
227++ssh_systemd_notify_ready(void)
228++{
229++ ssh_systemd_notify("READY=1");
230++}
231++
232++void
233++ssh_systemd_notify_reload(void)
234++{
235++ struct timespec now;
236++
237++ monotime_ts(&now);
238++ if (now.tv_sec < 0 || now.tv_nsec < 0) {
239++ error_f("monotime returned negative value");
240++ ssh_systemd_notify("RELOADING=1");
241++ } else {
242++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
243++ ((uint64_t)now.tv_sec * 1000000ULL) +
244++ ((uint64_t)now.tv_nsec / 1000ULL));
245++ }
246++}
247++#endif /* SYSTEMD_NOTIFY */
248++
249++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */
250+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
251+index c881294..6c4c371 100644
252+--- a/openbsd-compat/port-linux.h
253++++ b/openbsd-compat/port-linux.h
254+@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
255+ void oom_adjust_setup(void);
256 #endif
257
258-+#ifdef HAVE_SYSTEMD
259-+#include <systemd/sd-daemon.h>
260++#ifdef SYSTEMD_NOTIFY
261++void ssh_systemd_notify_ready(void);
262++void ssh_systemd_notify_reload(void);
263 +#endif
264 +
265- #include "xmalloc.h"
266- #include "ssh.h"
267- #include "ssh2.h"
268-@@ -2101,6 +2105,11 @@ main(int ac, char **av)
269- }
270- }
271+ #endif /* ! _PORT_LINUX_H */
272+diff --git a/platform.c b/platform.c
273+index 70c3a9b..163a54a 100644
274+--- a/platform.c
275++++ b/platform.c
276+@@ -44,6 +44,14 @@ platform_pre_listen(void)
277+ #endif
278+ }
279
280-+#ifdef HAVE_SYSTEMD
281-+ /* Signal systemd that we are ready to accept connections */
282-+ sd_notify(0, "READY=1");
283++void
284++platform_post_listen(void)
285++{
286++#ifdef SYSTEMD_NOTIFY
287++ ssh_systemd_notify_ready();
288 +#endif
289++}
290++
291+ void
292+ platform_pre_fork(void)
293+ {
294+@@ -55,6 +63,9 @@ platform_pre_fork(void)
295+ void
296+ platform_pre_restart(void)
297+ {
298++#ifdef SYSTEMD_NOTIFY
299++ ssh_systemd_notify_reload();
300++#endif
301+ #ifdef LINUX_OOM_ADJUST
302+ oom_adjust_restore();
303+ #endif
304+diff --git a/platform.h b/platform.h
305+index 027fdfb..1b77c3e 100644
306+--- a/platform.h
307++++ b/platform.h
308+@@ -21,6 +21,7 @@
309+ void platform_pre_listen(void);
310+ void platform_pre_fork(void);
311+ void platform_pre_restart(void);
312++void platform_post_listen(void);
313+ void platform_post_fork_parent(pid_t child_pid);
314+ void platform_post_fork_child(void);
315+ int platform_privileged_uidswap(void);
316+diff --git a/sshd.c b/sshd.c
317+index d56ba49..ca47e7e 100644
318+--- a/sshd.c
319++++ b/sshd.c
320+@@ -2085,6 +2085,8 @@ main(int ac, char **av)
321+ ssh_signal(SIGTERM, sigterm_handler);
322+ ssh_signal(SIGQUIT, sigterm_handler);
323+
324++ platform_post_listen();
325 +
326- /* Accept a connection and return in a forked child */
327- server_accept_loop(&sock_in, &sock_out,
328- &newsock, config_s);
329+ /*
330+ * Write out the pid file after the sigterm handler
331+ * is setup and the listen sockets are bound
332diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch
333index 8e1ce7c..c7682d0 100644
334--- a/debian/patches/systemd-socket-activation.patch
335+++ b/debian/patches/systemd-socket-activation.patch
336@@ -1,23 +1,53 @@
337+From: Steve Langasek <steve.langasek@ubuntu.com>
338+Date: Thu, 1 Sep 2022 16:03:37 +0100
339+Subject: Support systemd socket activation
340+
341 Description: support systemd socket activation
342 Unlike inetd socket activation, with systemd socket activation the
343 supervisor passes the listened-on socket to the child process and lets
344 the child process handle the accept(). This lets us do delayed start
345 of the sshd daemon without becoming incompatible with config options
346 like ClientAliveCountMax.
347+
348 Author: Steve Langasek <steve.langasek@ubuntu.com>
349 Author: Nick Rosbrook <nick.rosbrook@canonical.com>
350+Author: Colin Watson <cjwatson@debian.org>
351+Author: Marco Trevisan <marco@ubuntu.com>
352 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2011458
353-Last-Update: 2023-05-25
354+Last-Update: 2024-04-03
355
356+---
357+ configure.ac | 1 +
358+ sshd.c | 176 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
359+ 2 files changed, 156 insertions(+), 21 deletions(-)
360+
361+diff --git a/configure.ac b/configure.ac
362+index a431c8a..64a44cb 100644
363+--- a/configure.ac
364++++ b/configure.ac
365+@@ -932,6 +932,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
366+ AC_DEFINE([USE_BTMP])
367+ AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
368+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
369++ AC_DEFINE([SYSTEMD_SOCKET_ACTIVATION], [1], [Have sshd accept systemd socket activation])
370+ inet6_default_4in6=yes
371+ case `uname -r` in
372+ 1.*|2.0.*)
373+diff --git a/sshd.c b/sshd.c
374+index ca47e7e..9999c71 100644
375 --- a/sshd.c
376 +++ b/sshd.c
377-@@ -139,11 +139,14 @@
378+@@ -135,11 +135,18 @@ int allow_severity;
379 int deny_severity;
380 #endif /* LIBWRAP */
381
382 +/* This will only get set if we build with systemd. */
383 +static int systemd_num_listen_fds;
384 +
385++#ifdef SYSTEMD_SOCKET_ACTIVATION
386++#define SYSTEMD_LISTEN_FDS_START 3
387++#endif
388++
389 /* Re-exec fds */
390 -#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
391 -#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
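Review bot: the retained comment `/* This will only get set if we build with systemd. */` above `systemd_num_listen_fds` is now stale: with `--with-systemd` dropped from d/rules and SYSTEMD_SOCKET_ACTIVATION defined unconditionally in the Linux branch of configure.ac there is no build-time switch any more, and the variable is only non-zero when sshd is started under systemd socket activation (LISTEN_PID/LISTEN_FDS set). Suggest rewording it accordingly. Note also that the variable stays outside the new `#ifdef SYSTEMD_SOCKET_ACTIVATION` block while `SYSTEMD_LISTEN_FDS_START` sits inside it; keeping both under the same guard would be more consistent.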
392@@ -30,7 +60,7 @@ Last-Update: 2023-05-25
393
394 extern char *__progname;
395
396-@@ -194,6 +197,7 @@
397+@@ -190,6 +197,7 @@ static char **rexec_argv;
398 */
399 #define MAX_LISTEN_SOCKS 16
400 static int listen_socks[MAX_LISTEN_SOCKS];
401@@ -38,7 +68,7 @@ Last-Update: 2023-05-25
402 static int num_listen_socks = 0;
403
404 /* Daemon's agent connection */
405-@@ -279,12 +283,16 @@
406+@@ -275,12 +283,16 @@ static char *listener_proctitle;
407 * Close all listening sockets
408 */
409 static void
410@@ -57,7 +87,7 @@ Last-Update: 2023-05-25
411 num_listen_socks = 0;
412 }
413
414-@@ -322,7 +330,7 @@
415+@@ -318,7 +330,7 @@ sighup_restart(void)
416 if (options.pid_file != NULL)
417 unlink(options.pid_file);
418 platform_pre_restart();
419@@ -66,11 +96,50 @@ Last-Update: 2023-05-25
420 close_startup_pipes();
421 ssh_signal(SIGHUP, SIG_IGN); /* will be restored after exec */
422 execv(saved_argv[0], saved_argv);
423-@@ -1020,6 +1028,65 @@
424+@@ -1016,6 +1028,104 @@ server_accept_inetd(int *sock_in, int *sock_out)
425 debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
426 }
427
428-+#ifdef HAVE_SYSTEMD
429++#ifdef SYSTEMD_SOCKET_ACTIVATION
430++/*
431++ * Get file descriptors passed by systemd; this implements the protocol
432++ * described in the NOTES section of sd_listen_fds(3).
433++ */
434++static int
435++get_systemd_listen_fds(void)
436++{
437++ const char *listen_pid_str, *listen_fds_str;
438++ pid_t listen_pid;
439++ int listen_fds;
440++ const char *errstr = NULL;
441++ int fd;
442++
443++ listen_pid_str = getenv("LISTEN_PID");
444++ if (listen_pid_str == NULL)
445++ return 0;
446++ listen_pid = (pid_t)strtonum(listen_pid_str, 2, INT_MAX, &errstr);
447++ if (errstr != NULL)
448++ return -errno;
449++ if (getpid() != listen_pid)
450++ return 0;
451++
452++ listen_fds_str = getenv("LISTEN_FDS");
453++ if (listen_fds_str == NULL)
454++ return 0;
455++ listen_fds = (int)strtonum(listen_fds_str, 1,
456++ INT_MAX - SYSTEMD_LISTEN_FDS_START, &errstr);
457++ if (errstr != NULL)
458++ return -errno;
459++
460++ for (fd = SYSTEMD_LISTEN_FDS_START;
461++ fd < SYSTEMD_LISTEN_FDS_START + listen_fds; fd++) {
462++ if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
463++ return -errno;
464++ }
465++
466++ return listen_fds;
467++}
468++
469 +/*
470 + * Configure our socket fds that were passed from systemd
471 + */
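Review bot: get_systemd_listen_fds() rejects a legitimate LISTEN_FDS=0: `strtonum(listen_fds_str, 1, INT_MAX - SYSTEMD_LISTEN_FDS_START, &errstr)` treats 0 as "too small", errstr is set, the function returns `-errno`, and the caller in the main() hunk below turns that into `fatal("Failed to get systemd socket fds: ...")`. sd_listen_fds(3), whose NOTES-section protocol the comment says this implements, returns 0 in that case and sshd would then fall through to its normal ListenAddress binding. Suggest a lower bound of 0 for that strtonum() call (the fcntl loop is then a no-op and `return listen_fds` yields 0). Both `return -errno` paths correctly rely on strtonum() setting errno to EINVAL or ERANGE whenever errstr is non-NULL; a one-line comment stating that would help the next reader.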
472@@ -132,7 +201,7 @@ Last-Update: 2023-05-25
473 /*
474 * Listen for TCP connections
475 */
476-@@ -1104,17 +1171,26 @@
477+@@ -1100,17 +1210,26 @@ server_listen(void)
478 srclimit_init(options.max_startups, options.per_source_max_startups,
479 options.per_source_masklen_ipv4, options.per_source_masklen_ipv6);
480
481@@ -142,17 +211,12 @@ Last-Update: 2023-05-25
482 - free(options.listen_addrs[i].rdomain);
483 - memset(&options.listen_addrs[i], 0,
484 - sizeof(options.listen_addrs[i]));
485-- }
486-- free(options.listen_addrs);
487-- options.listen_addrs = NULL;
488-- options.num_listen_addrs = 0;
489--
490-+#ifdef HAVE_SYSTEMD
491++#ifdef SYSTEMD_SOCKET_ACTIVATION
492 + if (systemd_num_listen_fds > 0)
493 + {
494 + int i;
495 + for (i = 0; i < systemd_num_listen_fds; i++)
496-+ setup_systemd_socket(SD_LISTEN_FDS_START + i);
497++ setup_systemd_socket(SYSTEMD_LISTEN_FDS_START + i);
498 + } else
499 +#endif
500 + {
501@@ -166,11 +230,15 @@ Last-Update: 2023-05-25
502 + free(options.listen_addrs);
503 + options.listen_addrs = NULL;
504 + options.num_listen_addrs = 0;
505-+ }
506+ }
507+- free(options.listen_addrs);
508+- options.listen_addrs = NULL;
509+- options.num_listen_addrs = 0;
510+-
511 if (!num_listen_socks)
512 fatal("Cannot bind any address.");
513 }
514-@@ -1169,7 +1245,7 @@
515+@@ -1165,7 +1284,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
516 if (received_sigterm) {
517 logit("Received signal %d; terminating.",
518 (int) received_sigterm);
519@@ -179,7 +247,7 @@ Last-Update: 2023-05-25
520 if (options.pid_file != NULL)
521 unlink(options.pid_file);
522 exit(received_sigterm == SIGTERM ? 0 : 255);
523-@@ -1183,7 +1259,7 @@
524+@@ -1179,7 +1298,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
525 if (received_sighup) {
526 if (!lameduck) {
527 debug("Received SIGHUP; waiting for children");
528@@ -188,7 +256,7 @@ Last-Update: 2023-05-25
529 lameduck = 1;
530 }
531 if (listening <= 0) {
532-@@ -1310,7 +1386,7 @@
533+@@ -1306,7 +1425,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
534 * connection without forking.
535 */
536 debug("Server will not fork when running in debugging mode.");
537@@ -197,7 +265,7 @@ Last-Update: 2023-05-25
538 *sock_in = *newsock;
539 *sock_out = *newsock;
540 close(startup_p[0]);
541-@@ -1344,7 +1420,7 @@
542+@@ -1340,7 +1459,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
543 platform_post_fork_child();
544 startup_pipe = startup_p[1];
545 close_startup_pipes();
546@@ -206,18 +274,18 @@ Last-Update: 2023-05-25
547 *sock_in = *newsock;
548 *sock_out = *newsock;
549 log_init(__progname,
550-@@ -1715,6 +1791,21 @@
551+@@ -1711,6 +1830,21 @@ main(int ac, char **av)
552 break;
553 }
554 }
555 +
556-+#ifdef HAVE_SYSTEMD
557-+ /* We should call sd_listen_fds() exactly once. If we call
558-+ * sd_listen_fds() more than once, then FD_CLOEXEC will be
559++#ifdef SYSTEMD_SOCKET_ACTIVATION
560++ /* We should call get_systemd_listen_fds() exactly once. If we call
561++ * get_systemd_listen_fds() more than once, then FD_CLOEXEC will be
562 + * re-configured for the passed fds, which will cause problems during
563 + * re-execution. The FD_CLOEXEC flag will be cleared by
564 + * setup_systemd_socket(). */
565-+ r = sd_listen_fds(0);
566++ r = get_systemd_listen_fds();
567 + if (r < 0)
568 + fatal("Failed to get systemd socket fds: %s", strerror(-r));
569 +
570diff --git a/debian/rules b/debian/rules
571index 54d82cb..1870fbe 100755
572--- a/debian/rules
573+++ b/debian/rules
574@@ -80,7 +80,6 @@ confflags += --with-ssl-engine
575 ifeq ($(DEB_HOST_ARCH_OS),linux)
576 confflags += --with-selinux
577 confflags += --with-audit=linux
578-confflags += --with-systemd
579 confflags += --with-security-key-builtin
580 endif
581
