FS#15668 - [openntpd] 3.9p1-7 uninstall removes /var/empty

Attached to Project: Community Packages
Opened by Kleborp (kleborp) - Friday, 24 July 2009, 14:22 GMT
Last edited by Vesa Kaihlavirta (vegai) - Wednesday, 28 October 2009, 19:51 GMT
Task Type Bug Report
Category
Status Closed
Assigned To Vesa Kaihlavirta (vegai)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
When uninstalling the openntpd package, /var/empty is removed upon uninstallation. This directory is required by OpenSSH to function correctly, resulting in sshd being unable to restart/start.

'/etc/rc.d/sshd start' will fail with "Missing privilege separation directory: /var/empty"

The problem is fixed when /var/empty is not empty, so I guess it's an uninstall script that deletes directories used by the package if they are empty.

Additional info:
* community/openntpd 3.9p1-7
* core/openssh 5.2p1-1


Steps to reproduce:
1. Install openntpd (pacman -Sy openntpd)
2. Uninstall openntpd (pacman -R openntpd)
3. Start sshd (/etc/rc.d/sshd start (or restart))
4. sshd won't start, fails because /var/empty is gone
5. If the machine is headless, hope that your ssh session doesn't die while you recreate /var/empty ;)

Closed by  Vesa Kaihlavirta (vegai)
Wednesday, 28 October 2009, 19:51 GMT
Reason for closing:  Fixed
Comment by tinmrn (tinmrn) - Friday, 24 July 2009, 14:38 GMT
I've had the exact same problem, can't gather details though because it's a headless system and I don't want to lose it
Comment by tinmrn (tinmrn) - Friday, 24 July 2009, 14:40 GMT
A suggested fix however would be for the openssh package to create a file in /var/empty, such as '.keep_this_dir'. That would indeed prevent the openntpd deinstall from removing the /var/empty directory itself.
Comment by Gerardo Exequiel Pozzi (djgera) - Friday, 24 July 2009, 20:22 GMT
Sounds like a problem with pacman rather than with these packages. Tested with pacman.git and it does the same, with a simple test case.
The problem is that if both packages install the same dir, and this dir is empty, when removing one of these pkgs, pacman removes the empty dir.

I will ask the mailing list...
Comment by Kleborp (kleborp) - Friday, 24 July 2009, 20:31 GMT
Ah, I figured it'd be something like that, seeing as I couldn't find anything related to the removal of the directory in the pkgbuild or .install of openntpd.

I guess it usually makes sense to remove directories that are empty (and presumed to not be used anymore), but in this case it breaks another package.

I noticed on a gentoo box that I have that they solved it by keeping a file in /var/empty, like tinmrn suggested:
# ls -a /var/empty/
. .. .keep_net-misc_openssh-0
Comment by Gerardo Exequiel Pozzi (djgera) - Friday, 24 July 2009, 20:41 GMT
The mail is here http://www.archlinux.org/pipermail/pacman-dev/2009-July/009008.html ;)

Thanks for reporting this.
Comment by Dan McGee (toofishes) - Saturday, 25 July 2009, 22:32 GMT
openntpd should use !emptydirs as I replied on the pacman-dev ML in an associated thread.
http://www.archlinux.org/pipermail/pacman-dev/2009-July/009014.html
Comment by Gerardo Exequiel Pozzi (djgera) - Saturday, 25 July 2009, 22:39 GMT
  • Field changed: Summary (openntpd 3.9p1-7 uninstall removes /var/empty → [openntpd] 3.9p1-7 uninstall removes /var/empty)
  • Field changed: Status (Waiting on Response → Assigned)
  • Task assigned to Vesa Kaihlavirta (vegai)
@Dan: openntpd should use !emptydirs if and only if it doesn't use /var/empty, otherwise it can break the program.
@Vesa: I think that openntpd, according to the ML, should put a file like /var/empty/.openntpd.pacman or something like this.

Edit: ignore this comment. See below.
Comment by Gerardo Exequiel Pozzi (djgera) - Saturday, 25 July 2009, 22:45 GMT
mmm no:
man from sshd says:

/var/empty
chroot(2) directory used by sshd during privilege separation in the pre-authentication phase. The directory should not contain any files
and must be owned by root and not group or world-writable.
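
Added example, not part of the original thread: a shell check of the sshd(8) requirements quoted above for the privilege separation directory (exists, owned by root, not group- or world-writable, no files, hidden ones included). The function name `check_privsep_dir` and its optional expected-owner argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a privilege separation
# directory against the sshd(8) requirements quoted in the thread.
# check_privsep_dir and its arguments are hypothetical names.

# usage: check_privsep_dir DIR [EXPECTED_OWNER_UID]
# Prints one line per problem; returns 0 if none, 1 otherwise.
check_privsep_dir() {
    dir=$1
    owner=${2:-0}          # root by default; overridable for testing
    rc=0

    # A symlink or a missing path is a failure before anything else.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: missing or not a real directory"
        return 1
    fi
    # Must be owned by root (-prune keeps find on the directory itself).
    if [ -z "$(find "$dir" -prune -user "$owner")" ]; then
        echo "$dir: not owned by uid $owner"; rc=1
    fi
    # Must not be group- or world-writable.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "$dir: group- or world-writable"; rc=1
    fi
    # Should not contain any files; ls -A also lists hidden keep-files.
    if [ -n "$(ls -A "$dir")" ]; then
        echo "$dir: not empty"; rc=1
    fi
    return $rc
}

# Run against a path when invoked with one, e.g. ./check.sh /var/empty
if [ $# -gt 0 ]; then
    check_privsep_dir "$@"
fi
```

Running it against /var/empty after removing any package that ships the directory shows whether sshd can still start, before the service is restarted.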
Comment by Dan McGee (toofishes) - Saturday, 25 July 2009, 22:49 GMT
No no no no no.

/var/empty/ is installed by filesystem, so it has no bearing whether this package uses it.

If a directory is named empty, it is empty for good reason. Leave it that way and no hidden files; I covered this in my email.
Comment by Dan McGee (toofishes) - Saturday, 25 July 2009, 22:50 GMT
Err apparently it is not installed by filesystem. Does only ssh install this directory? If multiple packages need it, we should put it in filesystem.
Comment by Gerardo Exequiel Pozzi (djgera) - Saturday, 25 July 2009, 22:54 GMT
@Dan: yes, as said recently in the ML, only openssh and openntpd create this directory.
Comment by Gerardo Exequiel Pozzi (djgera) - Saturday, 25 July 2009, 23:00 GMT
I think that in this case the best is --with-privsep-path=/var/run/openntpd/empty or directly --with-privsep-path=/var/run/openntpd to avoid conflicts with openssh.
Comment by Vesa Kaihlavirta (vegai) - Wednesday, 28 October 2009, 08:15 GMT
Changed privsep-path to /var/run/openntpd in -8
