Date:      Wed, 18 Apr 2007 10:05:56 +1000 (EST)
From:      ggm@apnic.net
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   misc/111820: sshd and ports/www/apache22 rcorder looks risky..
Message-ID:  <200704180005.l3I05uPK059926@mirin.apnic.net>
Resent-Message-ID: <200704181710.l3IHA275099217@freefall.freebsd.org>


>Number:         111820
>Category:       misc
>Synopsis:       sshd and ports/www/apache22 rcorder looks risky..
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 18 17:10:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     George Michaelson
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
APNIC
>Environment:
System: FreeBSD mirin.apnic.net 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Thu Feb 8 11:28:59 EST 2007 root@mirin.apnic.net:/usr/obj/usr/src/sys/MIRIN i386


	
>Description:
	we had a bad apache22 config, which hung at console for ssl passphrase.
	yes, this is a local bad. But, because of REQUIRE/BEFORE dependencies
	that serialize the /etc/rc.d and /usr/local/etc/rc.d dependencies,
	sshd is started long long after the DAEMON rcorder of apache22; sshd
	depends on LOGIN.

	this means that any remote box with ports-installed apache22, or in
	fact any daemon which 'fubars' and hangs the rc.d boot init sequence,
	cannot be talked to, because sshd has not yet started. It's an
	in-the-room only fix.
>How-To-Repeat:
	install apache22, enable ssl without removing key from server.key
	and reboot. 
	
>Fix:
	I believe this one comes down to strongly held views. I am not
	expecting a "fix" per se, but I do wonder: is sshd something which
	should start well before daemons? Is the DAEMON/LOGIN dependency
	chaining sequence not very risky? Equally, should /usr/local/rc.d
	rcorder be able to override sequences of system installed daemons
	like sshd?

	

	I haven't yet tried it, but altering the REQUIRE deps for apache22
	looks like a way out, to put it behind LOGIN.

	(yes, I removed the passphrase. But, any ports/ installed s/w could
	 put an rc.d instance in, and become a potential locker before sshd
	 is live)

-George
>Release-Note:
>Audit-Trail:
>Unformatted:
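Added example (not part of the PR, and not FreeBSD's rcorder(8) source): a small re-implementation of the ordering rules rcorder applies to the `# PROVIDE:` / `# REQUIRE:` / `# BEFORE:` header block, run over constructed stand-ins for /etc/rc.d/{FILESYSTEMS,NETWORKING,DAEMON,LOGIN,sshd} and a ports-style apache22 script. The stub headers are simplified and constructed to mirror the report (apache22 at DAEMON, sshd behind LOGIN), not copied from any real release. It shows why a script ordered at DAEMON can hang the boot before sshd is reachable, and why the fix floated above needs one more word: with `# REQUIRE: LOGIN` alone, apache22 and sshd both depend only on LOGIN, so rcorder is free to start them in either order; naming `sshd` in the REQUIRE line is what actually pins apache22 behind it. Ties between unordered scripts are broken alphabetically here so the output is reproducible; real rcorder makes no such promise, which is exactly why a bare `REQUIRE: LOGIN` is not a guarantee.

```python
"""
Minimal model of rcorder(8) dependency ordering. Constructed rc.d stubs stand
in for /etc/rc.d and /usr/local/etc/rc.d; only the PROVIDE/REQUIRE/BEFORE
header lines matter. This is illustrative code, not FreeBSD's rcorder.
"""
import re
from collections import defaultdict

# rcorder reads these special comment lines from each script.
HEADER = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE|KEYWORD):\s*(.*)$", re.M)


def parse_headers(text):
    """Return {keyword: [names]} from an rc.d script's rcorder header block."""
    out = defaultdict(list)
    for kw, rest in HEADER.findall(text):
        out[kw].extend(rest.split())
    return out


def rcorder(scripts):
    """
    scripts: {filename: contents}. Returns filenames in start order: a script
    runs after everything that PROVIDEs a name it REQUIREs, and before anything
    that PROVIDEs a name it lists under BEFORE. Unordered scripts are emitted
    alphabetically (an assumption of this model, not an rcorder guarantee).
    """
    hdr = {name: parse_headers(body) for name, body in scripts.items()}
    provides = defaultdict(list)          # provided name -> [filenames]
    for name, h in hdr.items():
        for p in h["PROVIDE"]:
            provides[p].append(name)

    after = defaultdict(set)              # after[x] = scripts that must run after x
    indeg = {name: 0 for name in scripts}

    def edge(first, second):
        if second not in after[first]:
            after[first].add(second)
            indeg[second] += 1

    for name, h in hdr.items():
        for req in h["REQUIRE"]:
            # An unknown requirement is silently unsatisfiable here; real rcorder warns.
            for prov in provides.get(req, []):
                if prov != name:
                    edge(prov, name)
        for bef in h["BEFORE"]:
            for prov in provides.get(bef, []):
                if prov != name:
                    edge(name, prov)

    ready = sorted(n for n, d in indeg.items() if d == 0)
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in sorted(after[n]):
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
                ready.sort()
    if len(order) != len(scripts):
        raise ValueError("dependency cycle among: %s" % sorted(set(scripts) - set(order)))
    return order


# Constructed, simplified stand-ins for the base system's rc.d placeholders.
SYSTEM_RCD = {
    "FILESYSTEMS": "#!/bin/sh\n# PROVIDE: FILESYSTEMS\n",
    "NETWORKING": "#!/bin/sh\n# PROVIDE: NETWORKING\n# REQUIRE: FILESYSTEMS\n",
    "DAEMON": "#!/bin/sh\n# PROVIDE: DAEMON\n# REQUIRE: NETWORKING\n",
    "LOGIN": "#!/bin/sh\n# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n",
    "sshd": "#!/bin/sh\n# PROVIDE: sshd\n# REQUIRE: LOGIN\n# KEYWORD: shutdown\n",
}

# Three constructed variants of a ports-style apache22 script header.
APACHE22_AT_DAEMON = "#!/bin/sh\n# PROVIDE: apache22\n# REQUIRE: DAEMON\n# KEYWORD: shutdown\n"
APACHE22_BEHIND_LOGIN = "#!/bin/sh\n# PROVIDE: apache22\n# REQUIRE: LOGIN\n# KEYWORD: shutdown\n"
APACHE22_BEHIND_SSHD = "#!/bin/sh\n# PROVIDE: apache22\n# REQUIRE: LOGIN sshd\n# KEYWORD: shutdown\n"


def sshd_starts_before(script_name, script_body, system=SYSTEM_RCD):
    """Return (True if sshd precedes script_name in boot order, full order)."""
    order = rcorder({**system, script_name: script_body})
    return order.index("sshd") < order.index(script_name), order


if __name__ == "__main__":
    for label, body in (("at DAEMON", APACHE22_AT_DAEMON),
                        ("REQUIRE: LOGIN", APACHE22_BEHIND_LOGIN),
                        ("REQUIRE: LOGIN sshd", APACHE22_BEHIND_SSHD)):
        ok, order = sshd_starts_before("apache22", body)
        print("%-20s sshd first: %-5s order: %s" % (label, ok, " ".join(order)))
```

On a FreeBSD box the equivalent check is `rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | grep -n -e '^/etc/rc.d/sshd$' -e apache22`; anything listed before sshd that can block (a passphrase prompt, a hung network mount, a daemon waiting on DNS) will keep the machine unreachable until someone is at the console. Pinning a port's script with `# REQUIRE: LOGIN sshd` guarantees only the relative order; it does not stop the script from hanging the rest of the boot, so the real defence is still not having interactive prompts in rc.d at all.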
