misc/111820: sshd and ports/www/apache22 rcorder looks risky..
ggm at apnic.net
Wed Apr 18 17:10:02 UTC 2007
>Number: 111820
>Category: misc
>Synopsis: sshd and ports/www/apache22 rcorder looks risky..
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 18 17:10:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: George Michaelson
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
APNIC
>Environment:
System: FreeBSD mirin.apnic.net 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Thu Feb 8 11:28:59 EST 2007 root at mirin.apnic.net:/usr/obj/usr/src/sys/MIRIN i386
>Description:
We had a bad apache22 config, which hung at the console for the SSL passphrase.
Yes, this is a local bad. But, because of REQUIRE/BEFORE dependencies
that serialize the /etc/rc.d and /usr/local/etc/rc.d dependencies,
sshd is started long, long after the DAEMON rcorder of apache22; sshd
depends on LOGIN.
This means that any remote box, with ports-installed apache22 or in
fact any daemon which 'fubars' and hangs the rc.d boot init sequence,
cannot be talked to, because sshd has not yet started. It's an
in-the-room-only fix.
>How-To-Repeat:
Install apache22, enable SSL without removing the key from server.key,
and reboot.
>Fix:
I believe this one comes down to strongly held views. I am not
expecting a "fix" per se, but I do wonder: is sshd something which
should start well before daemons? Is the DAEMON/LOGIN dependency
chaining sequence not very risky? Equally, should /usr/local/rc.d
rcorder be able to override sequences of system-installed daemons
like sshd?
I haven't yet tried it, but altering the REQUIRE deps for apache22
looks like a way out, to put it behind LOGIN.
(Yes, I removed the passphrase. But any ports-installed s/w could
put an rc.d instance in, and become a potential locker before sshd
is live.)
-George
>Release-Note:
>Audit-Trail:
>Unformatted:
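The ordering problem the report describes can be reproduced with a small model of rcorder(8): a topological sort over PROVIDE/REQUIRE/BEFORE headers, run once with a port script placed at DAAEMON and once with the REQUIRE changed to LOGIN as the report suggests. This is an added example, not code from the PR or from FreeBSD. The rc.d headers are constructed to reproduce the chain the report states (apache22 at DAEMON, LOGIN after DAEMON, sshd requiring LOGIN); the `BEFORE: LOGIN` line on the apache22 stub is an assumption that pins it ahead of LOGIN, and the tie-break that prefers earlier-listed scripts stands in for rc passing /etc/rc.d before /usr/local/etc/rc.d. Real scripts may carry different headers.

```python
"""Toy rcorder: which services are up before a hung rc.d script blocks boot?

Added example, not from the PR or FreeBSD. The headers below are constructed
to model the dependency chain the report describes; they are not copied from
real /etc/rc.d or port scripts.
"""
import re
from collections import defaultdict

# Constructed rc.d scripts, listed in the order rc would hand them to rcorder
# (base system first, then /usr/local/etc/rc.d).
RC_SCRIPTS = {
    "NETWORKING": "# PROVIDE: NETWORKING\n",
    "DAEMON":     "# PROVIDE: DAEMON\n# REQUIRE: NETWORKING\n",
    "LOGIN":      "# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n",
    "sshd":       "# PROVIDE: sshd\n# REQUIRE: LOGIN\n",
    # Hypothetical port script ordered at DAEMON; BEFORE: LOGIN is an assumption
    # that pins it ahead of LOGIN (and therefore ahead of sshd).
    "apache22":   "# PROVIDE: apache22\n# REQUIRE: DAEMON\n# BEFORE: LOGIN\n",
}

HEADER_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)


def parse_headers(text):
    """Collect the rcorder keywords from one script header."""
    fields = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, val in HEADER_RE.findall(text):
        fields[key].extend(val.split())
    return fields


def rcorder(scripts):
    """Return script names in start order (Kahn's algorithm).

    Ties between unconstrained scripts go to the earlier-listed one, which is
    how the real tool behaves for files given on its command line.
    """
    names = list(scripts)
    parsed = {n: parse_headers(t) for n, t in scripts.items()}
    provides = {tag: n for n, f in parsed.items() for tag in f["PROVIDE"]}
    after = defaultdict(set)  # a -> scripts that must start after a
    for n, f in parsed.items():
        for tag in f["REQUIRE"]:
            if tag not in provides:
                raise ValueError(f"{n}: nothing provides {tag}")
            after[provides[tag]].add(n)
        for tag in f["BEFORE"]:
            if tag not in provides:
                raise ValueError(f"{n}: nothing provides {tag}")
            after[n].add(provides[tag])
    indeg = {n: sum(n in s for s in after.values()) for n in names}
    order = []
    while len(order) < len(names):
        ready = [n for n in names if n not in order and indeg[n] == 0]
        if not ready:
            raise ValueError("cycle in rc.d dependencies")
        n = ready[0]
        order.append(n)
        for b in after[n]:
            indeg[b] -= 1
    return order


def boot(scripts, hangs=frozenset()):
    """Simulate the serial boot: return (scripts started, script that hung or None)."""
    started = []
    for name in rcorder(scripts):
        if name in hangs:  # e.g. waiting at the console for an SSL passphrase
            return started, name
        started.append(name)
    return started, None


def remote_reachable_after_hang(scripts, hung):
    """True if sshd was already running when `hung` blocked the boot."""
    started, _ = boot(scripts, {hung})
    return "sshd" in started


def reorder_behind_login(scripts, name):
    """Copy of `scripts` with `name` moved behind LOGIN, the workaround the
    report floats: REQUIRE becomes LOGIN and any BEFORE: LOGIN line is dropped."""
    text = re.sub(r"^#\s*BEFORE:.*\n", "", scripts[name], flags=re.M)
    text = re.sub(r"^#\s*REQUIRE:.*$", "# REQUIRE: LOGIN", text, flags=re.M)
    return {**scripts, name: text}


if __name__ == "__main__":
    print("as reported:", rcorder(RC_SCRIPTS),
          "sshd up before hang:", remote_reachable_after_hang(RC_SCRIPTS, "apache22"))
    fixed = reorder_behind_login(RC_SCRIPTS, "apache22")
    print("behind LOGIN:", rcorder(fixed),
          "sshd up before hang:", remote_reachable_after_hang(fixed, "apache22"))
```

With the constructed headers the first run orders apache22 before LOGIN and sshd, so a hang there leaves the box unreachable; after the REQUIRE change, sshd starts before apache22 and the same hang no longer locks out remote access. The model only checks ordering: a script that blocks forever still stops everything behind it, so it does not replace running interactive prompts (such as passphrase reads) out of the boot path altogether.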