Merge ~enr0n/ubuntu/+source/openssh:lp-2071815 into ubuntu/+source/openssh:ubuntu/devel

Proposed by Nick Rosbrook
Status: Merged
Merged at revision: f86ed72d49940e8e33300ba50beaf46e2c37ce6c
Proposed branch: ~enr0n/ubuntu/+source/openssh:lp-2071815
Merge into: ubuntu/+source/openssh:ubuntu/devel
Diff against target: 231 lines (+49/-46)
2 files modified
debian/changelog (+13/-0)
debian/patches/systemd-socket-activation.patch (+36/-46)
Reviewer Review Type Date Requested Status
Marc Deslauriers (community) Approve
Review via email: mp+470124@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Nick Rosbrook (enr0n) wrote :

Marc - asking for your review if you have the time since you opened the bug in question.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK, per discussion, thanks!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index b67e29e..d15c812 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,16 @@
6+openssh (1:9.6p1-3ubuntu18) oracular; urgency=medium
7+
8+ * d/p/systemd-socket-activation.patch: don't clear rexec_flag
9+ It was pointed out that this is generally not a good idea, so undo this
10+ change. In order to do this, we need to restore the logic to ensure
11+ that when we have been re-executed, we ignore $LISTEN_PID because it
12+ won't match, but we still need to know $LISTEN_FDS. And, do not set
13+ FD_CLOEXEC on the fds passed from systemd, because we want them to
14+ survive the re-execution. (LP: #2071815)
15+ * d/p/systemd-socket-activation.patch: refresh patch
16+
17+ -- Nick Rosbrook <enr0n@ubuntu.com> Fri, 26 Jul 2024 11:54:36 -0400
18+
19 openssh (1:9.6p1-3ubuntu17) oracular; urgency=medium
20
21 * Remove deprecated user_readenv=1 setting (LP: #2059859):
22diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch
23index c7682d0..5e6d994 100644
24--- a/debian/patches/systemd-socket-activation.patch
25+++ b/debian/patches/systemd-socket-activation.patch
26@@ -21,11 +21,9 @@ Last-Update: 2024-04-03
27 sshd.c | 176 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------
28 2 files changed, 156 insertions(+), 21 deletions(-)
29
30-diff --git a/configure.ac b/configure.ac
31-index a431c8a..64a44cb 100644
32 --- a/configure.ac
33 +++ b/configure.ac
34-@@ -932,6 +932,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
35+@@ -932,6 +932,7 @@
36 AC_DEFINE([USE_BTMP])
37 AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
38 AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
39@@ -33,11 +31,9 @@ index a431c8a..64a44cb 100644
40 inet6_default_4in6=yes
41 case `uname -r` in
42 1.*|2.0.*)
43-diff --git a/sshd.c b/sshd.c
44-index ca47e7e..9999c71 100644
45 --- a/sshd.c
46 +++ b/sshd.c
47-@@ -135,11 +135,18 @@ int allow_severity;
48+@@ -135,11 +135,18 @@
49 int deny_severity;
50 #endif /* LIBWRAP */
51
52@@ -60,7 +56,7 @@ index ca47e7e..9999c71 100644
53
54 extern char *__progname;
55
56-@@ -190,6 +197,7 @@ static char **rexec_argv;
57+@@ -190,6 +197,7 @@
58 */
59 #define MAX_LISTEN_SOCKS 16
60 static int listen_socks[MAX_LISTEN_SOCKS];
61@@ -68,7 +64,7 @@ index ca47e7e..9999c71 100644
62 static int num_listen_socks = 0;
63
64 /* Daemon's agent connection */
65-@@ -275,12 +283,16 @@ static char *listener_proctitle;
66+@@ -275,12 +283,16 @@
67 * Close all listening sockets
68 */
69 static void
70@@ -87,7 +83,7 @@ index ca47e7e..9999c71 100644
71 num_listen_socks = 0;
72 }
73
74-@@ -318,7 +330,7 @@ sighup_restart(void)
75+@@ -318,7 +330,7 @@
76 if (options.pid_file != NULL)
77 unlink(options.pid_file);
78 platform_pre_restart();
79@@ -96,14 +92,15 @@ index ca47e7e..9999c71 100644
80 close_startup_pipes();
81 ssh_signal(SIGHUP, SIG_IGN); /* will be restored after exec */
82 execv(saved_argv[0], saved_argv);
83-@@ -1016,6 +1028,104 @@ server_accept_inetd(int *sock_in, int *sock_out)
84+@@ -1016,6 +1028,103 @@
85 debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
86 }
87
88 +#ifdef SYSTEMD_SOCKET_ACTIVATION
89 +/*
90 + * Get file descriptors passed by systemd; this implements the protocol
91-+ * described in the NOTES section of sd_listen_fds(3).
92++ * described in the NOTES section of sd_listen_fds(3), with a few exceptions
93++ * to handle our needs in sshd.
94 + */
95 +static int
96 +get_systemd_listen_fds(void)
97@@ -114,14 +111,18 @@ index ca47e7e..9999c71 100644
98 + const char *errstr = NULL;
99 + int fd;
100 +
101-+ listen_pid_str = getenv("LISTEN_PID");
102-+ if (listen_pid_str == NULL)
103-+ return 0;
104-+ listen_pid = (pid_t)strtonum(listen_pid_str, 2, INT_MAX, &errstr);
105-+ if (errstr != NULL)
106-+ return -errno;
107-+ if (getpid() != listen_pid)
108-+ return 0;
109++ /* When we have been re-executed, do not check $LISTEN_PID because it will
110++ * not match, but we still need to check $LISTEN_FDS. */
111++ if (!rexeced_flag) {
112++ listen_pid_str = getenv("LISTEN_PID");
113++ if (listen_pid_str == NULL)
114++ return 0;
115++ listen_pid = (pid_t)strtonum(listen_pid_str, 2, INT_MAX, &errstr);
116++ if (errstr != NULL)
117++ return -errno;
118++ if (getpid() != listen_pid)
119++ return 0;
120++ }
121 +
122 + listen_fds_str = getenv("LISTEN_FDS");
123 + if (listen_fds_str == NULL)
124@@ -131,12 +132,6 @@ index ca47e7e..9999c71 100644
125 + if (errstr != NULL)
126 + return -errno;
127 +
128-+ for (fd = SYSTEMD_LISTEN_FDS_START;
129-+ fd < SYSTEMD_LISTEN_FDS_START + listen_fds; fd++) {
130-+ if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
131-+ return -errno;
132-+ }
133-+
134 + return listen_fds;
135 +}
136 +
137@@ -201,7 +196,7 @@ index ca47e7e..9999c71 100644
138 /*
139 * Listen for TCP connections
140 */
141-@@ -1100,17 +1210,26 @@ server_listen(void)
142+@@ -1100,17 +1209,26 @@
143 srclimit_init(options.max_startups, options.per_source_max_startups,
144 options.per_source_masklen_ipv4, options.per_source_masklen_ipv6);
145
146@@ -211,6 +206,11 @@ index ca47e7e..9999c71 100644
147 - free(options.listen_addrs[i].rdomain);
148 - memset(&options.listen_addrs[i], 0,
149 - sizeof(options.listen_addrs[i]));
150+- }
151+- free(options.listen_addrs);
152+- options.listen_addrs = NULL;
153+- options.num_listen_addrs = 0;
154+-
155 +#ifdef SYSTEMD_SOCKET_ACTIVATION
156 + if (systemd_num_listen_fds > 0)
157 + {
158@@ -230,15 +230,11 @@ index ca47e7e..9999c71 100644
159 + free(options.listen_addrs);
160 + options.listen_addrs = NULL;
161 + options.num_listen_addrs = 0;
162- }
163-- free(options.listen_addrs);
164-- options.listen_addrs = NULL;
165-- options.num_listen_addrs = 0;
166--
167++ }
168 if (!num_listen_socks)
169 fatal("Cannot bind any address.");
170 }
171-@@ -1165,7 +1284,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
172+@@ -1165,7 +1283,7 @@
173 if (received_sigterm) {
174 logit("Received signal %d; terminating.",
175 (int) received_sigterm);
176@@ -247,7 +243,7 @@ index ca47e7e..9999c71 100644
177 if (options.pid_file != NULL)
178 unlink(options.pid_file);
179 exit(received_sigterm == SIGTERM ? 0 : 255);
180-@@ -1179,7 +1298,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
181+@@ -1179,7 +1297,7 @@
182 if (received_sighup) {
183 if (!lameduck) {
184 debug("Received SIGHUP; waiting for children");
185@@ -256,7 +252,7 @@ index ca47e7e..9999c71 100644
186 lameduck = 1;
187 }
188 if (listening <= 0) {
189-@@ -1306,7 +1425,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
190+@@ -1306,7 +1424,7 @@
191 * connection without forking.
192 */
193 debug("Server will not fork when running in debugging mode.");
194@@ -265,7 +261,7 @@ index ca47e7e..9999c71 100644
195 *sock_in = *newsock;
196 *sock_out = *newsock;
197 close(startup_p[0]);
198-@@ -1340,7 +1459,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
199+@@ -1340,7 +1458,7 @@
200 platform_post_fork_child();
201 startup_pipe = startup_p[1];
202 close_startup_pipes();
203@@ -274,23 +270,17 @@ index ca47e7e..9999c71 100644
204 *sock_in = *newsock;
205 *sock_out = *newsock;
206 log_init(__progname,
207-@@ -1711,6 +1830,21 @@ main(int ac, char **av)
208+@@ -1711,6 +1829,15 @@
209 break;
210 }
211 }
212 +
213 +#ifdef SYSTEMD_SOCKET_ACTIVATION
214-+ /* We should call get_systemd_listen_fds() exactly once. If we call
215-+ * get_systemd_listen_fds() more than once, then FD_CLOEXEC will be
216-+ * re-configured for the passed fds, which will cause problems during
217-+ * re-execution. The FD_CLOEXEC flag will be cleared by
218-+ * setup_systemd_socket(). */
219-+ r = get_systemd_listen_fds();
220-+ if (r < 0)
221-+ fatal("Failed to get systemd socket fds: %s", strerror(-r));
222++ r = get_systemd_listen_fds();
223++ if (r < 0)
224++ fatal("Failed to get systemd socket fds: %s", strerror(-r));
225 +
226-+ systemd_num_listen_fds = r;
227-+ rexec_flag = 0;
228++ systemd_num_listen_fds = r;
229 +#endif
230 +
231 if (rexeced_flag || inetd_flag)

Subscribers

People subscribed via source and target branches