From a598ae3ee009e375186625b34440bb06bc330dda Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 10:23:18 +0200 Subject: Merging debian version 1:9.7p1-4. Signed-off-by: Daniel Baumann --- debian/.git-dpm | 4 +- debian/changelog | 9 + debian/control | 1 - debian/patches/configure-cache-vars.patch | 137 ++++++++++++ debian/patches/debian-config.patch | 2 +- debian/patches/maxhostnamelen.patch | 2 +- debian/patches/regress-conch-dev-zero.patch | 2 +- debian/patches/restore-authorized_keys2.patch | 2 +- debian/patches/revert-ipqos-defaults.patch | 2 +- debian/patches/series | 1 + debian/patches/skip-utimensat-test-on-zfs.patch | 2 +- debian/patches/systemd-readiness.patch | 272 ++++++++++++++++++------ debian/patches/systemd-socket-activation.patch | 86 ++++++-- debian/patches/zero-call-used-regs-m68k.patch | 2 +- debian/rules | 7 +- 15 files changed, 439 insertions(+), 92 deletions(-) create mode 100644 debian/patches/configure-cache-vars.patch diff --git a/debian/.git-dpm b/debian/.git-dpm index 430b68a..c9f38ee 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -7dc177f6145fd9f52b0ba7a072c3fd4739720a65 -7dc177f6145fd9f52b0ba7a072c3fd4739720a65 +1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea +1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea cf05e8418c088a6e5712344cecaf6ee2d5eb550f cf05e8418c088a6e5712344cecaf6ee2d5eb550f openssh_9.7p1.orig.tar.gz diff --git a/debian/changelog b/debian/changelog index b790dc3..11dd5cf 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,12 @@ +openssh (1:9.7p1-4) unstable; urgency=medium + + * Rework systemd readiness notification and socket activation patches to + not link against libsystemd (the former via an upstream patch). + * Force -fzero-call-used-regs=used not to be used on ppc64el (it's + unsupported, but configure fails to detect this). + + -- Colin Watson Wed, 03 Apr 2024 12:06:08 +0100 + openssh (1:9.7p1-3~progress7.99u1) graograman-backports; urgency=medium * Uploading to graograman-backports, remaining changes: diff --git a/debian/control b/debian/control index c21abfb..3e1d8eb 100644 --- a/debian/control +++ b/debian/control @@ -14,7 +14,6 @@ Build-Depends: debhelper (>= 13.1~), libpam0g-dev | libpam-dev, libselinux1-dev [linux-any], libssl-dev (>= 1.1.1), - libsystemd-dev [linux-any] | libelogind-dev [linux-any], libwrap0-dev | libwrap-dev, pkgconf, zlib1g-dev, diff --git a/debian/patches/configure-cache-vars.patch b/debian/patches/configure-cache-vars.patch new file mode 100644 index 0000000..a79f5f1 --- /dev/null +++ b/debian/patches/configure-cache-vars.patch 
@@ -0,0 +1,137 @@ +From 1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Wed, 3 Apr 2024 11:52:04 +0100 +Subject: Add Autoconf cache variables for OSSH_CHECK_*FLAG_* + +This allows overriding them on configure's command line in case the +automatic checks go wrong somehow. bz#3673 + +Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3673#c3 +Last-Update: 2024-04-03 + +Patch-Name: configure-cache-vars.patch +--- + m4/openssh.m4 | 42 ++++++++++++++++++++++++------------------ + 1 file changed, 24 insertions(+), 18 deletions(-) + +diff --git a/m4/openssh.m4 b/m4/openssh.m4 +index 176a8d1c9..f420146f1 100644 +--- a/m4/openssh.m4 ++++ b/m4/openssh.m4 +@@ -62,7 +62,8 @@ dnl Check that $CC accepts a flag 'check_flag'. If it is supported append + dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append + dnl 'check_flag'. + AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{ +- AC_MSG_CHECKING([if $CC supports compile flag $1]) ++ ossh_cache_var=AS_TR_SH([ossh_cv_cflag_$1]) ++ AC_CACHE_CHECK([if $CC supports compile flag $1], [$ossh_cache_var], [ + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR $1" + _define_flag="$2" +@@ -71,22 +72,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{ + [ + if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null + then +- AC_MSG_RESULT([no]) ++ eval "$ossh_cache_var=no" + CFLAGS="$saved_CFLAGS" + else + dnl If we are compiling natively, try running the program. 
+ AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM], +- [ AC_MSG_RESULT([yes]) ++ [ eval "$ossh_cache_var=yes" + CFLAGS="$saved_CFLAGS $_define_flag" ], +- [ AC_MSG_RESULT([no, fails at run time]) ++ [ eval "$ossh_cache_var='no, fails at run time'" + CFLAGS="$saved_CFLAGS" ], +- [ AC_MSG_RESULT([yes]) ++ [ eval "$ossh_cache_var=yes" + CFLAGS="$saved_CFLAGS $_define_flag" ], + ) + fi], +- [ AC_MSG_RESULT([no]) ++ [ eval "$ossh_cache_var=no" + CFLAGS="$saved_CFLAGS" ] + ) ++ ]) + }]) + + dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag]) +@@ -94,7 +96,8 @@ dnl Check that $CC accepts a flag 'check_flag'. If it is supported append + dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append + dnl 'check_flag'. + AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{ +- AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds]) ++ ossh_cache_var=AS_TR_SH([ossh_cv_cflag_$1]) ++ AC_CACHE_CHECK([if $CC supports compile flag $1 and linking succeeds], [$ossh_cache_var], [ + saved_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $WERROR $1" + _define_flag="$2" +@@ -103,22 +106,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{ + [ + if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null + then +- AC_MSG_RESULT([no]) ++ eval "$ossh_cache_var=no" + CFLAGS="$saved_CFLAGS" + else + dnl If we are compiling natively, try running the program. + AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM], +- [ AC_MSG_RESULT([yes]) ++ [ eval "$ossh_cache_var=yes" + CFLAGS="$saved_CFLAGS $_define_flag" ], +- [ AC_MSG_RESULT([no, fails at run time]) ++ [ eval "$ossh_cache_var='no, fails at run time'" + CFLAGS="$saved_CFLAGS" ], +- [ AC_MSG_RESULT([yes]) ++ [ eval "$ossh_cache_var=yes" + CFLAGS="$saved_CFLAGS $_define_flag" ], + ) + fi], +- [ AC_MSG_RESULT([no]) ++ [ eval "$ossh_cache_var=no" + CFLAGS="$saved_CFLAGS" ] + ) ++ ]) + }]) + + dnl OSSH_CHECK_LDFLAG_LINK(check_flag[, define_flag]) +@@ -126,7 +130,8 @@ dnl Check that $LD accepts a flag 'check_flag'. 
If it is supported append + dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append + dnl 'check_flag'. + AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{ +- AC_MSG_CHECKING([if $LD supports link flag $1]) ++ ossh_cache_var=AS_TR_SH([ossh_cv_ldflag_$1]) ++ AC_CACHE_CHECK([if $LD supports link flag $1], [$ossh_cache_var], [ + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $WERROR $1" + _define_flag="$2" +@@ -135,22 +140,23 @@ AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{ + [ + if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null + then +- AC_MSG_RESULT([no]) ++ eval "$ossh_cache_var=no" + LDFLAGS="$saved_LDFLAGS" + else + dnl If we are compiling natively, try running the program. + AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM], +- [ AC_MSG_RESULT([yes]) ++ [ eval "$ossh_cache_var=yes" + LDFLAGS="$saved_LDFLAGS $_define_flag" ], +- [ AC_MSG_RESULT([no, fails at run time]) ++ [ eval "$ossh_cache_var='no, fails at run time'" + LDFLAGS="$saved_LDFLAGS" ], +- [ AC_MSG_RESULT([yes]) ++ [ eval "$ossh_cache_var=yes" + LDFLAGS="$saved_LDFLAGS $_define_flag" ] + ) + fi ], +- [ AC_MSG_RESULT([no]) ++ [ eval "$ossh_cache_var=no" + LDFLAGS="$saved_LDFLAGS" ] + ) ++ ]) + }]) + + dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol) diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index f53bac5..ce3c1c0 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch @@ -1,4 +1,4 @@ -From 4f52dcf6ce616f6e674d6af0ceebb3e2f6b147a3 Mon Sep 17 00:00:00 2001 +From 04acdcf452c7a88ac8c37ca6870a571125fbc8da Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:18 +0000 Subject: Various Debian-specific configuration changes diff --git a/debian/patches/maxhostnamelen.patch b/debian/patches/maxhostnamelen.patch index 4cfe801..bd5733b 100644 --- a/debian/patches/maxhostnamelen.patch +++ b/debian/patches/maxhostnamelen.patch 
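Review bot: The `CFLAGS="$saved_CFLAGS $_define_flag"` assignments now live inside the AC_CACHE_CHECK body, so when the cache variable is already set — a cached `yes` from config.cache or from configure's command line — the body is skipped and the flag is never appended; only the `no` case behaves as intended, which is the case debian/rules relies on for ppc64el. OSSH_CHECK_CFLAG_LINK and OSSH_CHECK_LDFLAG_LINK in this same hunk have the identical shape. Set saved_CFLAGS and _define_flag before the check, let the probes record only the result, and apply the flag afterwards from the cached value; the three-valued `no, fails at run time` result can stay since it is also the displayed message. The outline below shows the compile variant; the link variants follow the same pattern with LDFLAGS.
```m4
AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
	saved_CFLAGS="$CFLAGS"
	_define_flag="$2"
	dnl … unchanged: _define_flag defaulting …
	ossh_cache_var=AS_TR_SH([ossh_cv_cflag_$1])
	AC_CACHE_CHECK([if $CC supports compile flag $1], [$ossh_cache_var], [
		CFLAGS="$CFLAGS $WERROR $1"
		dnl … unchanged: compile and run probes; each branch only evals the cache variable …
		CFLAGS="$saved_CFLAGS"
	])
	eval "ossh_flag_result=\$$ossh_cache_var"
	if test "x$ossh_flag_result" = "xyes"; then
		CFLAGS="$saved_CFLAGS $_define_flag"
	fi
}])
```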
@@ -1,4 +1,4 @@ -From 25f238231292eefa02a723b84de6428baca3b7ab Mon Sep 17 00:00:00 2001 +From 8bc03da34ff88845e6b10631719f872e81eaea74 Mon Sep 17 00:00:00 2001 From: Svante Signell Date: Fri, 5 Nov 2021 23:22:53 +0000 Subject: Define MAXHOSTNAMELEN on GNU/Hurd diff --git a/debian/patches/regress-conch-dev-zero.patch b/debian/patches/regress-conch-dev-zero.patch index fed6e66..bdf1449 100644 --- a/debian/patches/regress-conch-dev-zero.patch +++ b/debian/patches/regress-conch-dev-zero.patch @@ -1,4 +1,4 @@ -From 7dc177f6145fd9f52b0ba7a072c3fd4739720a65 Mon Sep 17 00:00:00 2001 +From 6bd1413e583b16d600b39b15203b5b78a4e77f0a Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 31 Mar 2024 00:24:11 +0000 Subject: regress: Redirect conch stdin from /dev/zero diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch index a614c3c..9e540cf 100644 --- a/debian/patches/restore-authorized_keys2.patch +++ b/debian/patches/restore-authorized_keys2.patch @@ -1,4 +1,4 @@ -From 629d831d473ca49b8593e4a711012bb812e544b7 Mon Sep 17 00:00:00 2001 +From 06af6b2c9be423445bab0c964f4e85f439a91278 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 5 Mar 2017 02:02:11 +0000 Subject: Restore reading authorized_keys2 by default diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch index 619328b..0b33aee 100644 --- a/debian/patches/revert-ipqos-defaults.patch +++ b/debian/patches/revert-ipqos-defaults.patch @@ -1,4 +1,4 @@ -From c6529b6eeabc3312e7b0c00c8451a496eb5d8ae6 Mon Sep 17 00:00:00 2001 +From d9fbfaf30a64cff9b4fdad1ff0974e239f29f7db Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 8 Apr 2019 10:46:29 +0100 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP diff --git a/debian/patches/series b/debian/patches/series index 90ac393..311759a 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -27,6 +27,7 @@ systemd-socket-activation.patch skip-utimensat-test-on-zfs.patch zero-call-used-regs-m68k.patch regress-conch-dev-zero.patch +configure-cache-vars.patch progress-linux/0001-ssh-keygen-default-rsa-size.patch progress-linux/0002-ssh-keygen-default-ecdsa-size.patch progress-linux/0003-ssh_config-update.patch diff --git a/debian/patches/skip-utimensat-test-on-zfs.patch b/debian/patches/skip-utimensat-test-on-zfs.patch index 7707531..6a50e08 100644 --- a/debian/patches/skip-utimensat-test-on-zfs.patch +++ b/debian/patches/skip-utimensat-test-on-zfs.patch @@ -1,4 +1,4 @@ -From 4c1c5dc36c96a8e6dd34fd43caf83d292a33b797 Mon Sep 17 00:00:00 2001 +From c295622811895faaf4c0be0820cbb919c80b1143 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 11 Mar 2024 16:24:49 +0000 Subject: Skip utimensat test on ZFS diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch index 8f1e1ae..883e35b 100644 --- a/debian/patches/systemd-readiness.patch +++ b/debian/patches/systemd-readiness.patch 
@@ -1,84 +1,224 @@ -From b939a041afc3938937a3e9d2495202cf1a7b90ab Mon Sep 17 00:00:00 2001 -From: Michael Biebl -Date: Mon, 21 Dec 2015 16:08:47 +0000 -Subject: Add systemd readiness notification support +From 3d48cca71737962972c5bbd0171919ecbc348443 Mon Sep 17 00:00:00 2001 +From: Damien Miller +Date: Wed, 3 Apr 2024 14:40:32 +1100 +Subject: notify systemd on listen and reload +Standalone implementation that does not depend on libsystemd. +With assistance from Luca Boccassi, and feedback/testing from Colin +Watson. bz2641 + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c Bug-Debian: https://bugs.debian.org/778913 -Forwarded: no -Last-Update: 2017-08-22 +Last-Update: 2024-04-03 Patch-Name: systemd-readiness.patch --- - configure.ac | 24 ++++++++++++++++++++++++ - sshd.c | 9 +++++++++ - 2 files changed, 33 insertions(+) + configure.ac | 1 + + openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++- + openbsd-compat/port-linux.h | 5 ++ + platform.c | 11 +++++ + platform.h | 1 + + sshd.c | 2 + + 6 files changed, 115 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac -index 2b2c4f086..81f75eb85 100644 +index 2b2c4f086..c7b563ef2 100644 --- a/configure.ac 
+++ b/configure.ac -@@ -4950,6 +4950,29 @@ AC_SUBST([GSSLIBS]) - AC_SUBST([K5LIBS]) - AC_SUBST([CHANNELLIBS]) +@@ -939,6 +939,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) + AC_DEFINE([USE_BTMP]) + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) ++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) + inet6_default_4in6=yes + case `uname -r` in + 1.*|2.0.*) +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c +index 0394f4808..8e2824594 100644 +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -21,16 +21,23 @@ -+# Check whether user wants systemd support -+SYSTEMD_MSG="no" -+AC_ARG_WITH(systemd, -+ [ --with-systemd Enable systemd support], -+ [ if test "x$withval" != "xno" ; then -+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) -+ if test "$PKGCONFIG" != "no"; then -+ AC_MSG_CHECKING([for libsystemd]) -+ if $PKGCONFIG --exists libsystemd; then -+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` -+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" -+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" -+ AC_MSG_RESULT([yes]) -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) -+ SYSTEMD_MSG="yes" -+ else -+ AC_MSG_RESULT([no]) -+ fi -+ fi -+ fi ] -+) -+ - # Looking for programs, paths and files + #include "includes.h" - PRIVSEP_PATH=/var/empty -@@ -5769,6 +5792,7 @@ echo " libldns support: $LDNS_MSG" - echo " Solaris process contract support: $SPC_MSG" - echo " Solaris project support: $SP_MSG" - echo " Solaris privilege support: $SPP_MSG" -+echo " systemd support: $SYSTEMD_MSG" - echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" - echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" - echo " BSD Auth support: $BSD_AUTH_MSG" -diff --git a/sshd.c b/sshd.c -index 8fab51ebb..b981e7758 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -88,6 +88,10 @@ 
- #include +-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) ++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \ ++ defined(SYSTEMD_NOTIFY) ++#include ++#include ++ + #include ++#include + #include + #include + #include + #include ++#include + + #include "log.h" + #include "xmalloc.h" + #include "port-linux.h" ++#include "misc.h" + + #ifdef WITH_SELINUX + #include +@@ -317,4 +324,90 @@ oom_adjust_restore(void) + return; + } + #endif /* LINUX_OOM_ADJUST */ +-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ ++ ++#ifdef SYSTEMD_NOTIFY ++ ++static void ssh_systemd_notify(const char *, ...) ++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1))); ++ ++static void ++ssh_systemd_notify(const char *fmt, ...) ++{ ++ char *s = NULL; ++ const char *path; ++ struct stat sb; ++ struct sockaddr_un addr; ++ int fd = -1; ++ va_list ap; ++ ++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0) ++ return; ++ ++ va_start(ap, fmt); ++ xvasprintf(&s, fmt, ap); ++ va_end(ap); ++ ++ /* Only AF_UNIX is supported, with path or abstract sockets */ ++ if (path[0] != '/' && path[0] != '@') { ++ error_f("socket \"%s\" is not compatible with AF_UNIX", path); ++ goto out; ++ } ++ ++ if (path[0] == '/' && stat(path, &sb) != 0) { ++ error_f("socket \"%s\" stat: %s", path, strerror(errno)); ++ goto out; ++ } ++ ++ memset(&addr, 0, sizeof(addr)); ++ addr.sun_family = AF_UNIX; ++ if (strlcpy(addr.sun_path, path, ++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { ++ error_f("socket path \"%s\" too long", path); ++ goto out; ++ } ++ /* Support for abstract socket */ ++ if (addr.sun_path[0] == '@') ++ addr.sun_path[0] = 0; ++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) { ++ error_f("socket \"%s\": %s", path, strerror(errno)); ++ goto out; ++ } ++ if (connect(fd, &addr, sizeof(addr)) != 0) { ++ error_f("socket \"%s\" connect: %s", path, strerror(errno)); ++ goto out; ++ } ++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) { ++ error_f("socket 
\"%s\" write: %s", path, strerror(errno)); ++ goto out; ++ } ++ debug_f("socket \"%s\" notified %s", path, s); ++ out: ++ if (fd != -1) ++ close(fd); ++ free(s); ++} ++ ++void ++ssh_systemd_notify_ready(void) ++{ ++ ssh_systemd_notify("READY=1"); ++} ++ ++void ++ssh_systemd_notify_reload(void) ++{ ++ struct timespec now; ++ ++ monotime_ts(&now); ++ if (now.tv_sec < 0 || now.tv_nsec < 0) { ++ error_f("monotime returned negative value"); ++ ssh_systemd_notify("RELOADING=1"); ++ } else { ++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu", ++ ((uint64_t)now.tv_sec * 1000000ULL) + ++ ((uint64_t)now.tv_nsec / 1000ULL)); ++ } ++} ++#endif /* SYSTEMD_NOTIFY */ ++ ++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */ +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h +index c88129428..6c4c37115 100644 +--- a/openbsd-compat/port-linux.h ++++ b/openbsd-compat/port-linux.h +@@ -30,4 +30,9 @@ void oom_adjust_restore(void); + void oom_adjust_setup(void); #endif -+#ifdef HAVE_SYSTEMD -+#include ++#ifdef SYSTEMD_NOTIFY ++void ssh_systemd_notify_ready(void); ++void ssh_systemd_notify_reload(void); +#endif + - #include "xmalloc.h" - #include "ssh.h" - #include "ssh2.h" -@@ -2101,6 +2105,11 @@ main(int ac, char **av) - } - } + #endif /* ! 
_PORT_LINUX_H */ +diff --git a/platform.c b/platform.c +index 70c3a9b58..163a54a46 100644 +--- a/platform.c ++++ b/platform.c +@@ -44,6 +44,14 @@ platform_pre_listen(void) + #endif + } -+#ifdef HAVE_SYSTEMD -+ /* Signal systemd that we are ready to accept connections */ -+ sd_notify(0, "READY=1"); ++void ++platform_post_listen(void) ++{ ++#ifdef SYSTEMD_NOTIFY ++ ssh_systemd_notify_ready(); +#endif ++} ++ + void + platform_pre_fork(void) + { +@@ -55,6 +63,9 @@ platform_pre_fork(void) + void + platform_pre_restart(void) + { ++#ifdef SYSTEMD_NOTIFY ++ ssh_systemd_notify_reload(); ++#endif + #ifdef LINUX_OOM_ADJUST + oom_adjust_restore(); + #endif +diff --git a/platform.h b/platform.h +index 027fdfb51..1b77c3e3d 100644 +--- a/platform.h ++++ b/platform.h +@@ -21,6 +21,7 @@ + void platform_pre_listen(void); + void platform_pre_fork(void); + void platform_pre_restart(void); ++void platform_post_listen(void); + void platform_post_fork_parent(pid_t child_pid); + void platform_post_fork_child(void); + int platform_privileged_uidswap(void); +diff --git a/sshd.c b/sshd.c +index 8fab51ebb..a18b85d1d 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -2085,6 +2085,8 @@ main(int ac, char **av) + ssh_signal(SIGTERM, sigterm_handler); + ssh_signal(SIGQUIT, sigterm_handler); + ++ platform_post_listen(); + - /* Accept a connection and return in a forked child */ - server_accept_loop(&sock_in, &sock_out, - &newsock, config_s); + /* + * Write out the pid file after the sigterm handler + * is setup and the listen sockets are bound diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch index 9867ccf..d2c5284 100644 --- a/debian/patches/systemd-socket-activation.patch +++ b/debian/patches/systemd-socket-activation.patch @@ -1,4 +1,4 @@ -From d4af38f9aa8f2daa0ae01b994666116f1420d305 Mon Sep 17 00:00:00 2001 +From f01545e3f9350c080a525c246b9d46ba71cb0d09 Mon Sep 17 00:00:00 2001 
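Review bot: In ssh_systemd_notify the abstract-socket case passes the wrong address length: after `addr.sun_path[0] = 0` the abstract name consists of every byte of sun_path covered by the supplied length, so `connect(fd, &addr, sizeof(addr))` includes the zero padding in the name and will not match the name systemd bound; only the `/`-path case tolerates sizeof(addr). The same call also hands a `struct sockaddr_un *` to connect() without the usual `(struct sockaddr *)` cast, which is an incompatible-pointer-type warning. Derive the length from the string instead, `socklen_t len = offsetof(struct sockaddr_un, sun_path) + strlen(path) + (path[0] == '@' ? 0 : 1);` and call `connect(fd, (struct sockaddr *)&addr, len)`; offsetof needs stddef.h if it is not already included here. The header names in the added `#include` lines are not visible on this page, so I cannot tell which of them are already present.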
From: Steve Langasek Date: Thu, 1 Sep 2022 16:03:37 +0100 Subject: Support systemd socket activation @@ -9,18 +9,32 @@ the child process handle the accept(). This lets us do delayed start of the sshd daemon without becoming incompatible with config options like ClientAliveCountMax. -Last-Update: 2022-09-01 +Author: Colin Watson +Last-Update: 2024-04-03 Patch-Name: systemd-socket-activation.patch --- - sshd.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++--------- - 1 file changed, 75 insertions(+), 14 deletions(-) + configure.ac | 1 + + sshd.c | 131 +++++++++++++++++++++++++++++++++++++++++++++------ + 2 files changed, 118 insertions(+), 14 deletions(-) +diff --git a/configure.ac b/configure.ac +index c7b563ef2..cdfb505bf 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -940,6 +940,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + AC_DEFINE([USE_BTMP]) + AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer]) + AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload]) ++ AC_DEFINE([SYSTEMD_SOCKET_ACTIVATION], [1], [Have sshd accept systemd socket activation]) + inet6_default_4in6=yes + case `uname -r` in + 1.*|2.0.*) diff --git a/sshd.c b/sshd.c -index b981e7758..565e17b16 100644 +index a18b85d1d..105c688e4 100644 --- a/sshd.c +++ b/sshd.c -@@ -140,10 +140,16 @@ int deny_severity; +@@ -136,10 +136,18 @@ int deny_severity; #endif /* LIBWRAP */ /* Re-exec fds */ @@ -28,8 +42,10 @@ index b981e7758..565e17b16 100644 -#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3) -#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4) -+#ifdef HAVE_SYSTEMD -+#define SYSTEMD_OFFSET sd_listen_fds(0) ++#ifdef SYSTEMD_SOCKET_ACTIVATION ++static int get_systemd_listen_fds(void); ++#define SYSTEMD_OFFSET get_systemd_listen_fds() ++#define SYSTEMD_LISTEN_FDS_START 3 +#else +#define SYSTEMD_OFFSET 0 +#endif 
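Review bot: `#define SYSTEMD_OFFSET get_systemd_listen_fds()` makes every REEXEC_*_FD use re-read LISTEN_PID and LISTEN_FDS, re-parse them and re-run the fcntl loop (the function body is in the next hunk), and because of the `getpid() != listen_pid` check the result presumably drops to 0 in a forked child, so the repeated evaluation looks deliberate rather than something a static cache could replace. That is subtle enough to deserve a comment on the define, e.g. `/* Evaluated on every use: the offset is 0 in a forked child, whose pid no longer matches LISTEN_PID */`. A second note in get_systemd_listen_fds that an early `return 0` from the fcntl loop leaves FD_CLOEXEC set on the fds already visited (harmless, since they are inherited listeners) would spare the next reader the same question. The later server_listen hunks call the function once more, which is consistent with this design and needs no separate change.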
@@ -41,11 +57,51 @@ index b981e7758..565e17b16 100644 extern char *__progname; -@@ -1020,6 +1026,48 @@ server_accept_inetd(int *sock_in, int *sock_out) +@@ -1016,6 +1024,88 @@ server_accept_inetd(int *sock_in, int *sock_out) debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out); } -+#ifdef HAVE_SYSTEMD ++#ifdef SYSTEMD_SOCKET_ACTIVATION ++/* ++ * Get file descriptors passed by systemd; this implements the protocol ++ * described in the NOTES section of sd_listen_fds(3). ++ * ++ * We deliberately return 0 on error, so that the return value can safely be ++ * added as part of the REEXEC_*_FD macros without extra checks. ++ */ ++static int ++get_systemd_listen_fds(void) ++{ ++ const char *listen_pid_str, *listen_fds_str; ++ pid_t listen_pid; ++ int listen_fds; ++ const char *errstr = NULL; ++ int fd; ++ ++ listen_pid_str = getenv("LISTEN_PID"); ++ if (listen_pid_str == NULL) ++ return 0; ++ listen_pid = (pid_t)strtonum(listen_pid_str, 2, INT_MAX, &errstr); ++ if (errstr != NULL || getpid() != listen_pid) ++ return 0; ++ ++ listen_fds_str = getenv("LISTEN_FDS"); ++ if (listen_fds_str == NULL) ++ return 0; ++ listen_fds = (int)strtonum(listen_fds_str, 1, ++ INT_MAX - SYSTEMD_LISTEN_FDS_START, &errstr); ++ if (errstr != NULL) ++ return 0; ++ ++ for (fd = SYSTEMD_LISTEN_FDS_START; ++ fd < SYSTEMD_LISTEN_FDS_START + listen_fds; fd++) { ++ if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) ++ return 0; ++ } ++ ++ return listen_fds; ++} ++ +/* + * Configure our socket fds that were passed from systemd + */ @@ -90,11 +146,11 @@ index b981e7758..565e17b16 100644 /* * Listen for TCP connections */ -@@ -1099,22 +1147,35 @@ static void +@@ -1095,22 +1185,35 @@ static void server_listen(void) { u_int i; -+#ifdef HAVE_SYSTEMD ++#ifdef SYSTEMD_SOCKET_ACTIVATION + int systemd_socket_count; +#endif 
@@ -108,13 +164,13 @@ index b981e7758..565e17b16 100644 - free(options.listen_addrs[i].rdomain); - memset(&options.listen_addrs[i], 0, - sizeof(options.listen_addrs[i])); -+#ifdef HAVE_SYSTEMD -+ systemd_socket_count = sd_listen_fds(0); ++#ifdef SYSTEMD_SOCKET_ACTIVATION ++ systemd_socket_count = get_systemd_listen_fds(); + if (systemd_socket_count > 0) + { + int i; + for (i = 0; i < systemd_socket_count; i++) -+ setup_systemd_socket(SD_LISTEN_FDS_START + i); ++ setup_systemd_socket(SYSTEMD_LISTEN_FDS_START + i); + } else +#endif + { diff --git a/debian/patches/zero-call-used-regs-m68k.patch b/debian/patches/zero-call-used-regs-m68k.patch index 1e90eaa..84cd0a8 100644 --- a/debian/patches/zero-call-used-regs-m68k.patch +++ b/debian/patches/zero-call-used-regs-m68k.patch @@ -1,4 +1,4 @@ -From 781d9de6499eb979e9f1a66242bcf58250a1f21e Mon Sep 17 00:00:00 2001 +From f81c7307956c509e0638e8272454677d59961950 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Thu, 21 Mar 2024 10:20:21 +0000 Subject: Extend -fzero-call-used-regs check to catch m68k gcc bug diff --git a/debian/rules b/debian/rules index 6184bef..6431a78 100755 --- a/debian/rules +++ b/debian/rules @@ -68,6 +68,12 @@ endif # Always use the internal mkdtemp; see https://bugs.debian.org/1001186. confflags += ac_cv_func_mkdtemp=no +# ppc64el doesn't support -fzero-call-used-regs=used, but configure fails to +# detect that. +ifeq ($(DEB_HOST_ARCH),ppc64el) +confflags += ossh_cv_cflag__fzero_call_used_regs_used=no +endif + # Everything above here is common to the deb and udeb builds. confflags_udeb := $(confflags) @@ -80,7 +86,6 @@ confflags += --with-ssl-engine ifeq ($(DEB_HOST_ARCH_OS),linux) confflags += --with-selinux confflags += --with-audit=linux -confflags += --with-systemd confflags += --with-security-key-builtin endif -- cgit v1.2.3