Date:      Thu, 30 Oct 2025 20:43:46 +0000
From:      Lexi Winter <ivy@freebsd.org>
To:        pkgbase@freebsd.org
Subject:   Re: a sad story about /usr/sbin/sshd and pkg triggers
Message-ID:  <aQPOAgefY2UpR234@amaryllis.le-fay.org>
In-Reply-To: <DEE87FF9-F90A-4130-9592-4B784992F9AC@gushi.org>
References:  <aQPJwdWtN-f5qF_D@amaryllis.le-fay.org> <DEE87FF9-F90A-4130-9592-4B784992F9AC@gushi.org>

Dan Mahoney wrote in <DEE87FF9-F90A-4130-9592-4B784992F9AC@gushi.org>:
> > On Oct 30, 2025, at 13:25, Lexi Winter <ivy@freebsd.org> wrote:
> > 
> > hello,
> > 
> > there is a known issue in sshd(8) where, if you replace the sshd binary
> > on disk, but do not restart sshd, it will no longer accept connections
> > until the service is restarted.
> > 
> > for freebsd-update, we solve this by restarting the sshd service if the
> > sshd binary is updated.
> > 
> > for pkgbase, i wanted to do this with a trigger, but it seems like this
> > doesn't work because pkg only considers directories when evaluating
> > triggers, i.e. you can't say 'path: "/usr/sbin/sshd"' since the trigger
> > will never be matched.
> > 
> > this means that future security updates to sshd in 15.0 might lock
> > people out of their system when we don't restart sshd.
> > 
> > does anyone have a specific, actionable suggestion on how we can fix
> > this today for 15.0?
> > 
> > note, we cannot use a post-install script since pkg kills all
> > subprocesses of the post-install script before exiting.
 
> Fire off an atrun?

i don't think this will work reliably since cron may not be running,
particularly in jails.
