Diffstat (limited to 'debian/patches/systemd-socket-activation.patch')
-rw-r--r-- | debian/patches/systemd-socket-activation.patch | 86 |
1 files changed, 71 insertions, 15 deletions
diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch index 9867ccf..d2c5284 100644 --- a/debian/patches/systemd-socket-activation.patch +++ b/debian/patches/systemd-socket-activation.patch @@ -1,4 +1,4 @@ -From d4af38f9aa8f2daa0ae01b994666116f1420d305 Mon Sep 17 00:00:00 2001 +From f01545e3f9350c080a525c246b9d46ba71cb0d09 Mon Sep 17 00:00:00 2001 From: Steve Langasek <steve.langasek@ubuntu.com> Date: Thu, 1 Sep 2022 16:03:37 +0100 Subject: Support systemd socket activation @@ -9,18 +9,32 @@ the child process handle the accept(). This lets us do delayed start of the sshd daemon without becoming incompatible with config options like ClientAliveCountMax. -Last-Update: 2022-09-01 +Author: Colin Watson <cjwatson@debian.org> +Last-Update: 2024-04-03 Patch-Name: systemd-socket-activation.patch --- - sshd.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++--------- - 1 file changed, 75 insertions(+), 14 deletions(-) + configure.ac | 1 + + sshd.c | 131 +++++++++++++++++++++++++++++++++++++++++++++------ + 2 files changed, 118 insertions(+), 14 deletions(-) +diff --git a/configure.ac b/configure.ac +index c7b563ef2..cdfb505bf 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -940,6 +940,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + AC_DEFINE([USE_BTMP]) + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) + AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) ++ AC_DEFINE([SYSTEMD_SOCKET_ACTIVATION], [1], [Have sshd accept systemd socket activation]) + inet6_default_4in6=yes + case `uname -r` in + 1.*|2.0.*) diff --git a/sshd.c b/sshd.c -index b981e7758..565e17b16 100644 +index a18b85d1d..105c688e4 100644 --- a/sshd.c +++ b/sshd.c -@@ -140,10 +140,16 @@ int deny_severity; +@@ -136,10 +136,18 @@ int deny_severity; #endif /* LIBWRAP */ /* Re-exec fds */ 
@@ -28,8 +42,10 @@ index b981e7758..565e17b16 100644
 -#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
 -#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
 -#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4)
-+#ifdef HAVE_SYSTEMD
-+#define SYSTEMD_OFFSET sd_listen_fds(0)
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++static int get_systemd_listen_fds(void);
++#define SYSTEMD_OFFSET get_systemd_listen_fds()
++#define SYSTEMD_LISTEN_FDS_START 3
 +#else
 +#define SYSTEMD_OFFSET 0
 +#endif
@@ -41,11 +57,51 @@ index b981e7758..565e17b16 100644
 extern char *__progname;
-@@ -1020,6 +1026,48 @@ server_accept_inetd(int *sock_in, int *sock_out)
+@@ -1016,6 +1024,88 @@ server_accept_inetd(int *sock_in, int *sock_out)
 debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
 }
-+#ifdef HAVE_SYSTEMD
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++/*
++ * Get file descriptors passed by systemd; this implements the protocol
++ * described in the NOTES section of sd_listen_fds(3).
++ *
++ * We deliberately return 0 on error, so that the return value can safely be
++ * added as part of the REEXEC_*_FD macros without extra checks.
++ */
++static int
++get_systemd_listen_fds(void)
++{
++ const char *listen_pid_str, *listen_fds_str;
++ pid_t listen_pid;
++ int listen_fds;
++ const char *errstr = NULL;
++ int fd;
++
++ listen_pid_str = getenv("LISTEN_PID");
++ if (listen_pid_str == NULL)
++ return 0;
++ listen_pid = (pid_t)strtonum(listen_pid_str, 2, INT_MAX, &errstr);
++ if (errstr != NULL || getpid() != listen_pid)
++ return 0;
++
++ listen_fds_str = getenv("LISTEN_FDS");
++ if (listen_fds_str == NULL)
++ return 0;
++ listen_fds = (int)strtonum(listen_fds_str, 1,
++ INT_MAX - SYSTEMD_LISTEN_FDS_START, &errstr);
++ if (errstr != NULL)
++ return 0;
++
++ for (fd = SYSTEMD_LISTEN_FDS_START;
++ fd < SYSTEMD_LISTEN_FDS_START + listen_fds; fd++) {
++ if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
++ return 0;
++ }
++
++ return listen_fds;
++}
++
 +/*
 + * Configure our socket fds that were passed from systemd
 + */
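Review bot: `SYSTEMD_OFFSET` now expands to a call with side effects, and nothing at the macro definition says so. Going by the function's own comment, the value is added into the `REEXEC_*_FD` macros, so each use re-reads `LISTEN_PID`/`LISTEN_FDS` and re-applies `FD_CLOEXEC`. Because `get_systemd_listen_fds()` returns 0 whenever `getpid()` differs from `LISTEN_PID`, the offset is non-zero only in the process systemd started and not in a forked child. That looks intentional, but a later "optimisation" that caches the result would change the fd numbering across fork, so I would add a comment above the macro such as `/* Evaluated at every use; yields 0 in any process whose pid is not LISTEN_PID. */`.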
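Review bot: In `get_systemd_listen_fds()`, a malformed `LISTEN_FDS` or a failing `fcntl(fd, F_SETFD, FD_CLOEXEC)` returns 0 without logging, so the error looks the same as "not socket-activated". `server_listen()` in the later hunk then takes its `else` branch, and the descriptor-offset macros presumably fall back to offset 0 even though inherited sockets may still sit at fd 3 and above. An operator would see only the downstream symptom. Keeping the return value of 0 is fine, but the two error paths that follow a matching `LISTEN_PID` deserve a diagnostic, for example `error("systemd socket activation: fcntl(%d, F_SETFD): %s", fd, strerror(errno));` before the `return 0;` in the loop. The header comment should also say that failure is deliberately treated as "no sockets passed".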
@@ -90,11 +146,11 @@ index b981e7758..565e17b16 100644
 /*
 * Listen for TCP connections
 */
-@@ -1099,22 +1147,35 @@ static void
+@@ -1095,22 +1185,35 @@ static void
 server_listen(void)
 {
 u_int i;
-+#ifdef HAVE_SYSTEMD
++#ifdef SYSTEMD_SOCKET_ACTIVATION
 + int systemd_socket_count;
 +#endif
@@ -108,13 +164,13 @@ index b981e7758..565e17b16 100644
 - free(options.listen_addrs[i].rdomain);
 - memset(&options.listen_addrs[i], 0,
 - sizeof(options.listen_addrs[i]));
-+#ifdef HAVE_SYSTEMD
-+ systemd_socket_count = sd_listen_fds(0);
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++ systemd_socket_count = get_systemd_listen_fds();
 + if (systemd_socket_count > 0)
 + {
 + int i;
 + for (i = 0; i < systemd_socket_count; i++)
-+ setup_systemd_socket(SD_LISTEN_FDS_START + i);
++ setup_systemd_socket(SYSTEMD_LISTEN_FDS_START + i);
 + } else
 +#endif
 + { |
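Review bot: The block-scoped `int i;` inside the `systemd_socket_count > 0` branch shadows the `u_int i;` declared at the top of `server_listen()`, with a different signedness. It works today, but it trips `-Wshadow`, and it is easy to misread when the `else` branch uses the outer `i` to index `options.listen_addrs`. The declaration predates this commit, but since the loop body is being touched anyway I would rename the inner counter, e.g. `int n;` with `for (n = 0; n < systemd_socket_count; n++)` and `setup_systemd_socket(SYSTEMD_LISTEN_FDS_START + n);`. The rest of `server_listen()` lies outside this hunk.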