Date: Thu, 30 Oct 2025 13:41:07 -0700
From: Dan Mahoney <freebsd@gushi.org>
To: Lexi Winter <ivy@freebsd.org>
Cc: pkgbase@freebsd.org
Subject: Re: a sad story about /usr/sbin/sshd and pkg triggers
Message-ID: <DEE87FF9-F90A-4130-9592-4B784992F9AC@gushi.org>
In-Reply-To: <aQPJwdWtN-f5qF_D@amaryllis.le-fay.org>

Fire off an atrun?

-Dan

Sent from my iPhone

> On Oct 30, 2025, at 13:25, Lexi Winter <ivy@freebsd.org> wrote:
>
> hello,
>
> there is a known issue in sshd(8) where, if you replace the sshd binary
> on disk, but do not restart sshd, it will no longer accept connections
> until the service is restarted.
>
> for freebsd-update, we solve this by restarting the sshd service if the
> sshd binary is updated.
>
> for pkgbase, i wanted to do this with a trigger, but it seems like this
> doesn't work because pkg only considers directories when evaluating
> triggers, i.e. you can't say 'path: "/usr/sbin/sshd"' since the trigger
> will never be matched.
>
> this means that future security updates to sshd in 15.0 might lock
> people out of their system when we don't restart sshd.
>
> does anyone have a specific, actionable suggestion on how we can fix
> this today for 15.0?
>
> note, we cannot use a post-install script since pkg kills all
> subprocesses of the post-install script before exiting.
