[Bug 1831765] Re: Privilege Separation Directory default

Paride Legovini 1831765 at bugs.launchpad.net
Thu Jun 6 09:54:57 UTC 2019 

Thank you for taking the time to report this bug and helping to make
Ubuntu better. I think the description of the problem your are facing
and the workaround you found are missing one main fact: sshd in Ubuntu
is managed with systemd unit files, the legacy init scripts in
/etc/init.d/ are not used. The /run/sshd directory is created by systemd
because /lib/systemd/system/ssh.service contains the
RuntimeDirectory=sshd directive.

You can find pointers to get help with your specific need here:
http://www.ubuntu.com/support/community

As this is a configuration issue, rather than a bug a in Ubuntu, I'm
marking this bug as Invalid. If you believe that this is really a bug,
then you may find it helpful to read "How to report bugs effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful
if you would then explain why you believe this is a bug in Ubuntu rather
than a configuration issue, and then change the bug status back to New.

** Changed in: openssh (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1831765

Title:
  Privilege Separation Directory default

Status in openssh package in Ubuntu:
  Invalid

Bug description:
  Ubuntu: 18.04.2 LTS
  OpenSSH: 7.6p1

  I am having a problem starting multiple sshd processes. The default location of the sshd privilege separation directory is hard-coded to /run/sshd (see man page). The original OpenSSH 7.6p1 located this file are /var/empty. Somehow the default location in the pathnames.h for _PATH_PRIVSEP_CHROOT_DIR has been changed from /var/empty to /run/sshd. I have asked OpenSSH to provision the ability to change this directory location from either the command-line or the sshd_config file; Theo de Raadt, et. al. pretty much said "NO!" using some rather provocative language.
  Here is the problem with using /run/sshd:
  1) Every time there is a boot, the /run directory is cleaned out.
  2) The /etc/init.d/ssh script is required to check and mkdir the /run/sshd directory.
  3) If you have multiple service scripts, like lan_ssh and wan_ssh, the 2 scripts conflict in the generation and creation of the /run/sshd directory.
  4) The only work-around I have found is to have a rc.local script mkdir the /run/sshd directory and remove the mkdir /run/sshd from the /etc/init.d/ scripts.
  If we revert back to the /var/empty directory approach and remove the "mkdir /run/sshd" operation from the /etc/init.d/ script(s), this problem goes away since the system does not recreate /var during every boot.
  This would require 1 of 2 changes to the existing release of sshd, specifically:
  1) Change the default location of the privilege separation directory from /run/sshd back to the original /var/empty. This would require the install script to create this directory if it does not already exist.
  2) Modify the sshd.c file to provision the ability to change the default location of the privilege separation directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1831765/+subscriptions

More information about the foundations-bugs mailing list