[arch-dev-public] WARNING: openntpd upgrade breaks openssh on next restart
Hey,

I made a screwup on the openntpd package which nastily reveals a weakness in openssh and filesystems. I moved away from using /var/empty/ as a privsep directory, and removed the directory from the package. But since it's empty, it got removed from the system as well in the upgrade.

So if you're using openntpd and openssh, BE EXTRA CAREFUL with your next upgrade. openssh does not start if /var/empty/ is not there.

Quick fix: after doing pacman -Suy, do mkdir /var/empty as root.

Longer fix: openssh, or perhaps the filesystems package should create /var/empty/ and put a hidden file in it so idiots like me won't cause accidents in the future.

--vk
On Mon, Nov 2, 2009 at 09:48, Vesa Kaihlavirta <vpkaihla@gmail.com> wrote:
Hey,
I made a screwup on the openntpd package which nastily reveals a weakness in openssh and filesystems. I moved away from using /var/empty/ as a privsep directory, and removed the directory from the package. But since it's empty, it got removed from the system as well in the upgrade.
So if you're using openntpd and openssh, BE EXTRA CAREFUL with your next upgrade. openssh does not start if /var/empty/ is not there.
Quick fix: after doing pacman -Suy, do mkdir /var/empty as root.
Longer fix: openssh, or perhaps the filesystems package should create /var/empty/ and put a hidden file in it so idiots like me won't cause accidents in the future.
Correction: the latest openssh package (3.5p1-2) works around missing /var/empty by creating it in rc.d daemon.

P.S.: I'm not sure putting a hidden file in /var/empty is not against its purpose (which I suppose is "to be empty"). We are discussing ways to eliminate the problem completely.

-- Roman Kyrylych (Роман Кирилич)
Roman Kyrylych schrieb:
Correction: the latest openssh package (3.5p1-2) works around missing /var/empty by creating it in rc.d daemon.
We should do that everywhere when a daemon absolutely needs a directory/file to exist. We should not rely on it being present on the file system in such critical cases. pacman suffers from a similar problem: running pacman on an empty file system will result in an error message indicating there is no local database directory - you have to create it first manually. While this is not critical, it is still annoying.
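The "create it in the rc.d script" workaround discussed above, as an added example rather than the Arch openssh package's own script: the directory path and expected owner are parameters (assumed for the example) so the check can be exercised against a scratch directory instead of /var/empty.

```shell
#!/bin/sh
# Added example, not the Arch openssh rc.d script: make a daemon's
# privilege-separation directory exist and be safe before the daemon starts,
# the kind of check the thread says openssh 3.5p1-2 added to its rc.d script.
# The path and expected owner are parameters so the check can be run against
# a scratch directory; a real init script would call it with /var/empty and 0.

# ensure_privsep_dir DIR [OWNER_UID]
# Creates DIR (mode 0755) if it is missing, then verifies what sshd demands of
# its privsep chroot: owned by OWNER_UID (default 0, root) and neither
# group- nor world-writable. Returns 0 when DIR is usable, 1 otherwise.
ensure_privsep_dir() {
    dir=$1
    want_uid=${2:-0}

    if [ ! -d "$dir" ]; then
        # Missing, e.g. removed by a package upgrade because it was empty.
        mkdir -p -m 0755 "$dir" || return 1
    fi

    # stat -c is GNU coreutils; assumed here because the host is Arch Linux.
    mode=$(stat -c '%a' "$dir") || return 1
    owner=$(stat -c '%u' "$dir") || return 1

    [ "$owner" = "$want_uid" ] || return 1

    # Octal mode: second-to-last digit is group, last is other; a write bit
    # set in either means sshd will refuse the directory.
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# Usage in an rc.d-style start action (assumed layout, not the package's script):
#   ensure_privsep_dir /var/empty 0 || { echo "unusable /var/empty"; exit 1; }
#   /usr/sbin/sshd
```

Creating the directory with an explicit mode matters as much as creating it at all: a directory that exists but is group- or world-writable is rejected by sshd just like a missing one.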