From owner-freebsd-bugs@FreeBSD.ORG Wed Apr 18 17:10:02 2007
Message-Id: <200704180005.l3I05uPK059926@mirin.apnic.net>
Date: Wed, 18 Apr 2007 10:05:56 +1000 (EST)
From: ggm@apnic.net
To: FreeBSD-gnats-submit@FreeBSD.org
Reply-To: ggm@apnic.net
Subject: misc/111820: sshd and ports/www/apache22 rcorder looks risky..

>Number: 111820
>Category: misc
>Synopsis: sshd and ports/www/apache22 rcorder looks risky..
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 18 17:10:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: George Michaelson
>Release: FreeBSD 7.0-CURRENT i386
>Organization: APNIC
>Environment:
System: FreeBSD mirin.apnic.net 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Thu Feb 8 11:28:59 EST 2007 root@mirin.apnic.net:/usr/obj/usr/src/sys/MIRIN i386
>Description:
We had a bad apache22 config, which hung at console for ssl passphrase. Yes, this is a local bad.

But, because of REQUIRE/BEFORE dependencies that serializes the /etc/rc.d and /usr/local/etc/rc.d dependencies sshd is started long long after the DAEMON rcorder of apache22, sshd depends on LOGIN.

This means that any remote box, with ports installed apache22 or in fact any daemon which 'fubars' and hangs the rc.d boot init sequence cannot be talked to, because sshd has not yet started. It's an in-the-room only fix.
>How-To-Repeat:
Install apache22, enable ssl without removing key from server.key and reboot.
>Fix:
I believe this one comes down to strongly held views, I am not expecting a "fix" per se, but I do wonder is sshd something which should start well before daemons? Is the DAEMON/LOGIN dependency chaining sequence not very risky?

Equally, should /usr/local/rc.d rcorder be able to override sequences of system installed daemons like sshd?

I haven't yet tried it, but altering the REQUIRE deps for apache22 looks like a way out, to put it behind LOGIN.

(Yes, I removed the passphrase. But, any ports/ installed s/w could put an rc.d instance in, and become a potential locker before sshd is live)

-George
>Release-Note:
>Audit-Trail:
>Unformatted:
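
The dependency chain described in the report, as an added example that is not part of the original message: the functions below read the `PROVIDE`/`REQUIRE`/`BEFORE` headers of rc.d scripts and list the scripts rcorder is forced to run before `sshd`, then filter for ports-installed ones. The sample tree is constructed, the apache22 header values are assumptions modelled on the report's description, and `must_precede`, `local_blockers` and `make_sample` are names introduced here.

```sh
must_precede() {   # must_precede TARGET FILE...: files rcorder must run before TARGET
    target=$1; shift
    awk -v target="$target" '
        /^# (PROVIDE|REQUIRE|BEFORE):/ {
            for (i = 3; i <= NF; i++) {
                if ($2 == "PROVIDE:") prov[$i] = prov[$i] " " FILENAME
                if ($2 == "REQUIRE:") req[FILENAME] = req[FILENAME] " " $i
                if ($2 == "BEFORE:")  bef[FILENAME] = bef[FILENAME] " " $i
            }
        }
        END {   # pred[F] = files that must run ahead of file F
            for (f in req) {
                n = split(req[f], names, " ")
                for (i = 1; i <= n; i++) pred[f] = pred[f] prov[names[i]]
            }
            for (f in bef) {
                n = split(bef[f], names, " ")
                for (i = 1; i <= n; i++) {
                    m = split(prov[names[i]], files, " ")
                    for (j = 1; j <= m; j++) pred[files[j]] = pred[files[j]] " " f
                }
            }
            # Walk the graph backwards from whichever file provides TARGET.
            qlen = split(prov[target], queue, " ")
            for (q = 1; q <= qlen; q++) seen[queue[q]] = 1
            for (q = 1; q <= qlen; q++) {
                n = split(pred[queue[q]], p, " ")
                for (i = 1; i <= n; i++) if (!(p[i] in seen)) {
                    seen[p[i]] = 1; queue[++qlen] = p[i]; print p[i]
                }
            }
        }' "$@" | sort
}

# Ports-installed scripts among those forced ahead of sshd (ROOT is "" on a live system).
local_blockers() {   # local_blockers ROOT
    must_precede sshd "$1"/etc/rc.d/* "$1"/usr/local/etc/rc.d/* |
        grep -F "$1/usr/local/etc/rc.d/" || true
}

# Constructed sample tree; the apache22 REQUIRE/BEFORE values are assumptions.
make_sample() {   # make_sample ROOT APACHE_REQUIRE APACHE_BEFORE
    mkdir -p "$1/etc/rc.d" "$1/usr/local/etc/rc.d"
    printf '# PROVIDE: SERVERS\n' > "$1/etc/rc.d/SERVERS"
    printf '# PROVIDE: DAEMON\n# REQUIRE: SERVERS\n' > "$1/etc/rc.d/DAEMON"
    printf '# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n' > "$1/etc/rc.d/LOGIN"
    printf '# PROVIDE: sshd\n# REQUIRE: LOGIN\n' > "$1/etc/rc.d/sshd"
    printf '# PROVIDE: apache22\n# REQUIRE: %s\n# BEFORE: %s\n' "$2" "$3" \
        > "$1/usr/local/etc/rc.d/apache22"
}
```

A script missing from the output is only unordered relative to sshd, so rcorder may still place it first; only a `REQUIRE: sshd` in that script guarantees it starts afterwards.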