NetBSD Problem Report #23212

Received: (qmail 21168 invoked by uid 605); 21 Oct 2003 00:26:47 -0000
Message-Id: <20031021002646.8D1CD11152@narn.netbsd.org>
Date: Tue, 21 Oct 2003 00:26:46 +0000 (UTC)
From: wsimpson@greendragon.com
Sender: gnats-bugs-owner@NetBSD.org
Reply-To: wsimpson@greendragon.com
To: gnats-bugs@gnats.NetBSD.org
Subject: openssh /etc/moduli copied by postinstall should be etcupdate
X-Send-Pr-Version: www-1.0

>Number:         23212
>Category:       bin
>Synopsis:       openssh /etc/moduli copied by postinstall should be etcupdate
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kre
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Oct 21 00:27:00 +0000 2003
>Closed-Date:    
>Last-Modified:  Wed Jun 19 20:15:02 +0000 2019
>Originator:     william allen simpson
>Release:        1.6ZD
>Organization:
daydreamer
>Environment:
NetBSD dreamer.citi.umich.edu 1.6ZD NetBSD 1.6ZD (GENERIC) #1: Mon Oct 20 12:54:15 EDT 2003  current@dreamer.citi.umich.edu:/usr/obj/sys/arch/i386/compile/GENERIC i386
>Description:
When running postinstall, I saw:

ssh fix:
        Copied /home/current/src/crypto/dist/ssh/moduli to ///etc/moduli

This is a disaster!  Updating the system will revert to the old openssh moduli, instead of the newer locally generated moduli.  This defeats the purpose of having a moduli file (not a compiled-in list) in the first place!

Instead, /etc/moduli should be handled by etcupdate!

>How-To-Repeat:
./build.sh -O /usr/obj -T ../tools install=/ 
/home/current/src/etc/postinstall -s /home/current/src -d // fix rc ssh makedev obsolete


>Fix:

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->kre
Responsible-Changed-By: kre@NetBSD.org
Responsible-Changed-When: Wed, 19 Jun 2019 01:20:32 +0000
Responsible-Changed-Why:
I am looking into this PR


From: Valery Ushakov <uwe@stderr.spb.ru>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/23212 (openssh /etc/moduli copied by postinstall should be etcupdate)
Date: Wed, 19 Jun 2019 19:37:22 +0300

 I have no clue about moduli(5) and why would you want to make local
 changes to it (I guess for most uses people are just ok with the
 defaults, but people who actually know their crypto might have valid
 reasons to change it), but this seems like exactly the kind of problem
 why I never use postinstall for anything but "obsolete" and
 "catpages", which are, arguably, completely orthogonal to the rest of
 the postinstall checks.

 Note that etcupdate should do the right thing here, asking to merge
 changes if there are any (new), so the solution is simple: do not run
 postinstall fix before etcupdate and when etcupdate runs postinstall
 check evaluate (and ignore :) its suggestions.  After successful
 etcupdate you should only need "postinstall fix obsolete catpages"
 anyway.

 Since postinstall doesn't have any means to do an interactive merge,
 I'd probably restrict the moduli check to only "check" and "diff" and
 skip it for "fix".

 -uwe
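
The check/diff/fix restriction proposed above, as an added shell example that is not NetBSD's postinstall or etcupdate code: a moduli step that only reports or diffs when the installed file diverges from the distribution copy, installs under "fix" only when no local file exists, and otherwise refuses and leaves the merge to etcupdate (or the admin). It is paired with a structural lint for moduli(5) lines of the kind one would run over a locally generated file before trusting it. The field layout follows moduli(5) (time, type, tests, tries, size, generator, modulus); the size field is the bit length minus one, as sshd's parser treats it, and the tests bitmask values (0x01 composite, 0x02 sieve, 0x04 Miller-Rabin) are OpenSSH's. The function names, return codes, the 2048-bit default floor and the sample data are this example's own assumptions; the sample moduli are placeholder hex values, not primes, so only the structural checks apply to them.

```shell
#!/bin/sh
# Added example, not NetBSD's postinstall or etcupdate.
#
# moduli_step check|diff|fix SRC DST
#   returns 0 when nothing needs doing (or "fix" installed a missing DST),
#           1 when SRC and DST differ, or DST is missing (check/diff),
#           2 when "fix" refused to clobber an existing, different DST.
moduli_step() {
    op=$1 src=$2 dst=$3
    if [ ! -f "$dst" ]; then
        if [ "$op" = fix ]; then
            cp "$src" "$dst" && echo "Installed $dst from $src"
            return $?
        fi
        echo "$dst is missing; 'fix' would install $src"
        return 1
    fi
    cmp -s "$src" "$dst" && return 0      # identical: nothing to do
    case $op in
    check) echo "$dst differs from $src (locally generated moduli?); merge with etcupdate"; return 1 ;;
    diff)  diff -u "$dst" "$src"; return 1 ;;
    fix)   echo "Refusing to overwrite $dst: it differs from $src, merge with etcupdate instead"; return 2 ;;
    *)     echo "usage: moduli_step check|diff|fix SRC DST" >&2; return 64 ;;
    esac
}

# moduli_lint FILE [MINBITS]
#   Structural checks on a moduli(5) file: 7 fields, type 2 (safe prime),
#   composite bit (0x01) clear, Miller-Rabin bit (0x04) set, group size at
#   least MINBITS (default 2048; the size field is bits minus one), modulus
#   in hex with its top bit set and a length matching the size field.
#   Prints the count of usable lines; exits 1 if any line was flagged.
moduli_lint() {
    awk -v minbits="${2:-2048}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
        NF != 7 { flag("expected 7 fields, got " NF); next }
        $2 != 2 { flag("type " $2 " is not a safe prime (type 2)"); next }
        ($3 % 2) == 1 { flag("tests field marks the candidate composite"); next }
        int($3 / 4) % 2 != 1 { flag("Miller-Rabin bit (0x04) not set: unscreened"); next }
        $5 + 1 < minbits { flag("group is " $5 + 1 " bits, below " minbits); next }
        $7 !~ /^[0-9A-Fa-f]+$/ { flag("modulus is not hex"); next }
        $7 !~ /^[89A-Fa-f]/ { flag("top bit of modulus is clear"); next }
        length($7) != int(($5 + 4) / 4) { flag("modulus length does not match size field"); next }
        { good++ }
        function flag(msg) { bad++; printf("line %d: %s\n", NR, msg) > "/dev/stderr" }
        END { print good + 0; exit (bad > 0) }
    ' "$1"
}

# CONSTRUCTED sample moduli(5) file for the demo: placeholder hex values,
# not real safe primes.  Toy 64-bit groups keep the lines short.
sample_moduli() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20031021002646 2 6 100 63 2 C9D3E4F5A6B7C8D1
20031021002646 2 6 100 31 2 D7E8F9A1
20031021002646 2 7 100 63 2 C9D3E4F5A6B7C8D1
20031021002646 2 6 100 63 2 C9D3E4F5A6B7
20031021002646 2 2 100 63 2 C9D3E4F5A6B7C8D1
EOF
}

demo() {
    tmp=$(mktemp -d) || exit 1
    sample_moduli > "$tmp/moduli.dist"
    moduli_lint "$tmp/moduli.dist" 64                      # 1 usable line; 4 flagged on stderr
    moduli_step fix "$tmp/moduli.dist" "$tmp/moduli"       # installs: no local file yet
    echo '# locally regenerated' >> "$tmp/moduli"
    moduli_step check "$tmp/moduli.dist" "$tmp/moduli"     # reports the divergence
    moduli_step fix "$tmp/moduli.dist" "$tmp/moduli"       # refuses, exit status 2
    rm -rf "$tmp"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run with `sh moduli-step.sh demo` to see both functions against the constructed file. Against a real /etc/moduli, `moduli_lint /etc/moduli` with the default floor is the sanity check worth running after regenerating the file locally; `moduli_step fix` never removes what it finds there.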

From: Robert Elz <kre@munnari.OZ.AU>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/23212 (openssh /etc/moduli copied by postinstall should be etcupdate)
Date: Thu, 20 Jun 2019 03:13:58 +0700

     Date:        Wed, 19 Jun 2019 16:40:01 +0000 (UTC)
     From:        Valery Ushakov <uwe@stderr.spb.ru>
     Message-ID:  <20190619164001.DA29B7A1E0@mollari.NetBSD.org>


   |  I have no clue about moduli(5) and why would you want to make local
   |  changes to it

 Me either.

   |  but people who actually know their crypto might have valid

 Bill Simpson would be one of those

   |  but this seems like exactly the kind of problem
   |  why I never use postinstall

 Personally, I typically run neither; these days there doesn't seem to
 be much point bothering with catpages in the first place, so I don't
 need it for that, and I don't much care if a few other obsolete files
 get left lying around.   Updating the files in /etc I just do manually
 (it gives me more control, even if it does mean more work - and I tend
 to alter my filesys layout a bit from the normal as well.)

   |  Note that etcupdate should do the right thing here, asking to merge
   |  changes if there are any (new), so the solution is simple: do not run
   |  postinstall fix before etcupdate and when etcupdate runs postinstall
   |  check evaluate (and ignore :) its suggestions.  After successful
   |  etcupdate you should only need "postinstall fix obsolete catpages"
   |  anyway.

 Sounds reasonable to me.

 kre

>Unformatted:
