From 496d8d99583423c054311e85738102a5d9185016 Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@ubuntu.com>
Date: Thu, 1 Sep 2022 16:03:37 +0100
Subject: Support systemd socket activation

Unlike inetd socket activation, with systemd socket activation the
supervisor passes the listened-on socket to the child process and lets
the child process handle the accept().  This lets us do delayed start
of the sshd daemon without becoming incompatible with config options
like ClientAliveCountMax.

Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2024-07-03

Patch-Name: systemd-socket-activation.patch
---
 configure.ac |   1 +
 sshd.c       | 131 +++++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 118 insertions(+), 14 deletions(-)

diff --git a/configure.ac b/configure.ac
index f6bca2631..ee6aca972 100644
--- a/configure.ac
+++ b/configure.ac
@@ -940,6 +940,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	AC_DEFINE([USE_BTMP])
 	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
 	AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
+	AC_DEFINE([SYSTEMD_SOCKET_ACTIVATION], [1], [Have sshd accept systemd socket activation])
 	inet6_default_4in6=yes
 	case `uname -r` in
 	1.*|2.0.*)
diff --git a/sshd.c b/sshd.c
index 54c65dfe6..bc0127c9c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -93,10 +93,18 @@
 #include "srclimit.h"
 
 /* Re-exec fds */
-#define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
-#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
-#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3)
-#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4)
+#ifdef SYSTEMD_SOCKET_ACTIVATION
+static int get_systemd_listen_fds(void);
+#define SYSTEMD_OFFSET get_systemd_listen_fds()
+#define SYSTEMD_LISTEN_FDS_START 3
+#else
+#define SYSTEMD_OFFSET 0
+#endif
+
+#define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1 + SYSTEMD_OFFSET)
+#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2 + SYSTEMD_OFFSET)
+#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3 + SYSTEMD_OFFSET)
+#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4 + SYSTEMD_OFFSET)
 
 extern char *__progname;
 
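Review bot: The `REEXEC_*_FD` macros are no longer constants: `SYSTEMD_OFFSET` expands to a call to `get_systemd_listen_fds()`, which re-reads `LISTEN_PID`/`LISTEN_FDS` and repeats its `fcntl` loop at every use. Since that function compares `LISTEN_PID` with `getpid()`, the result presumably differs between the process systemd started and any forked or re-executed child; the call sites are outside this hunk, so it is worth confirming that both sides of the re-exec compute the same descriptor numbers. I would add a comment above the macros such as `/* Runtime values: offset by the number of fds passed by systemd; 0 in any process whose pid is not LISTEN_PID */`.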
@@ -733,6 +741,88 @@ send_rexec_state(int fd, struct sshbuf *conf)
 	debug3_f("done");
 }
 
+#ifdef SYSTEMD_SOCKET_ACTIVATION
+/*
+ * Get file descriptors passed by systemd; this implements the protocol
+ * described in the NOTES section of sd_listen_fds(3).
+ *
+ * We deliberately return 0 on error, so that the return value can safely be
+ * added as part of the REEXEC_*_FD macros without extra checks.
+ */
+static int
+get_systemd_listen_fds(void)
+{
+	const char *listen_pid_str, *listen_fds_str;
+	pid_t listen_pid;
+	int listen_fds;
+	const char *errstr = NULL;
+	int fd;
+
+	listen_pid_str = getenv("LISTEN_PID");
+	if (listen_pid_str == NULL)
+		return 0;
+	listen_pid = (pid_t)strtonum(listen_pid_str, 2, INT_MAX, &errstr);
+	if (errstr != NULL || getpid() != listen_pid)
+		return 0;
+
+	listen_fds_str = getenv("LISTEN_FDS");
+	if (listen_fds_str == NULL)
+		return 0;
+	listen_fds = (int)strtonum(listen_fds_str, 1,
+	    INT_MAX - SYSTEMD_LISTEN_FDS_START, &errstr);
+	if (errstr != NULL)
+		return 0;
+
+	for (fd = SYSTEMD_LISTEN_FDS_START;
+	    fd < SYSTEMD_LISTEN_FDS_START + listen_fds; fd++) {
+		if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
+			return 0;
+	}
+
+	return listen_fds;
+}
+
+/*
+ * Configure our socket fds that were passed from systemd
+ */
+static void
+setup_systemd_socket(int listen_sock)
+{
+	int ret;
+	struct sockaddr_storage addr;
+	socklen_t len = sizeof(addr);
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+
+	if (getsockname(listen_sock, (struct sockaddr *)&addr, &len) != 0)
+		return;
+
+	if (((struct sockaddr *)&addr)->sa_family != AF_INET
+	    && ((struct sockaddr *)&addr)->sa_family != AF_INET6)
+		return;
+	if (num_listen_socks >= MAX_LISTEN_SOCKS)
+		fatal("Too many listen sockets. "
+		    "Enlarge MAX_LISTEN_SOCKS");
+	if ((ret = getnameinfo((struct sockaddr *)&addr, len, ntop,
+	                       sizeof(ntop), strport, sizeof(strport),
+	                       NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
+		error("getnameinfo failed: %.100s",
+		    ssh_gai_strerror(ret));
+		return;
+	}
+	if (set_nonblock(listen_sock) == -1) {
+		close(listen_sock);
+		return;
+	}
+	/* Socket options */
+	set_reuseaddr(listen_sock);
+
+	listen_socks[num_listen_socks] = listen_sock;
+	num_listen_socks++;
+
+	logit("Server listening on %s port %s.", ntop, strport);
+}
+#endif
+
 /*
  * Listen for TCP connections
  */
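Review bot: `setup_systemd_socket()` accepts any inherited descriptor whose address family is AF_INET or AF_INET6 without checking that it is a stream socket in the listening state, so a mis-written socket unit (a datagram socket, or an already-accepted connection) would end up in `listen_socks`. Checking `SO_TYPE` and `SO_ACCEPTCONN` right after `getsockname()` and logging the rejection would make that misconfiguration visible instead of surfacing later in the accept loop, which is outside this hunk. The early returns are also inconsistent: only the `set_nonblock()` failure closes the descriptor, and the address-family check drops the socket without any log line.

```c
setup_systemd_socket(int listen_sock)
{
	int ret, sock_type, accepting;
	socklen_t optlen;
	/* … unchanged: addr, len, ntop, strport declarations … */

	if (getsockname(listen_sock, (struct sockaddr *)&addr, &len) != 0)
		return;

	/* Only take over stream sockets that are already listening. */
	optlen = sizeof(sock_type);
	if (getsockopt(listen_sock, SOL_SOCKET, SO_TYPE, &sock_type,
	    &optlen) != 0 || sock_type != SOCK_STREAM) {
		error("systemd fd %d is not a stream socket", listen_sock);
		return;
	}
	optlen = sizeof(accepting);
	if (getsockopt(listen_sock, SOL_SOCKET, SO_ACCEPTCONN, &accepting,
	    &optlen) != 0 || !accepting) {
		error("systemd fd %d is not a listening socket", listen_sock);
		return;
	}
	/* … unchanged: address family check, getnameinfo, set_nonblock, set_reuseaddr … */
```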
@@ -812,6 +902,9 @@ static void
 server_listen(void)
 {
 	u_int i;
+#ifdef SYSTEMD_SOCKET_ACTIVATION
+	int systemd_socket_count;
+#endif
 
 	/* Initialise per-source limit tracking. */
 	srclimit_init(options.max_startups,
@@ -821,17 +914,27 @@ server_listen(void)
 	    &options.per_source_penalty,
 	    options.per_source_penalty_exempt);
 
-	for (i = 0; i < options.num_listen_addrs; i++) {
-		listen_on_addrs(&options.listen_addrs[i]);
-		freeaddrinfo(options.listen_addrs[i].addrs);
-		free(options.listen_addrs[i].rdomain);
-		memset(&options.listen_addrs[i], 0,
-		    sizeof(options.listen_addrs[i]));
+#ifdef SYSTEMD_SOCKET_ACTIVATION
+	systemd_socket_count = get_systemd_listen_fds();
+	if (systemd_socket_count > 0)
+	{
+		int i;
+		for (i = 0; i < systemd_socket_count; i++)
+			setup_systemd_socket(SYSTEMD_LISTEN_FDS_START + i);
+	} else
+#endif
+	{
+		for (i = 0; i < options.num_listen_addrs; i++) {
+			listen_on_addrs(&options.listen_addrs[i]);
+			freeaddrinfo(options.listen_addrs[i].addrs);
+			free(options.listen_addrs[i].rdomain);
+			memset(&options.listen_addrs[i], 0,
+			    sizeof(options.listen_addrs[i]));
+		}
+		free(options.listen_addrs);
+		options.listen_addrs = NULL;
+		options.num_listen_addrs = 0;
 	}
-	free(options.listen_addrs);
-	options.listen_addrs = NULL;
-	options.num_listen_addrs = 0;
-
 	if (!num_listen_socks)
 		fatal("Cannot bind any address.");
 }
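Review bot: When systemd passes sockets, the entries in `options.listen_addrs` are skipped without any log line, so the addresses sshd is reachable on are decided by the socket unit rather than by the listen settings in sshd_config. An operator who restricted the listen addresses there would not learn this from the logs; I would add `logit("Using %d socket(s) passed by systemd; configured listen addresses are not used", systemd_socket_count);` inside the `systemd_socket_count > 0` branch. That branch also leaves `options.listen_addrs` unfreed, and its `int i` shadows the outer `u_int i`. The start of `server_listen()` is in the previous hunk.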