FS#3644 - ssh upgrade should not overwrite config

Attached to Project: Arch Linux
Opened by jan willem (jw) - Wednesday, 21 December 2005, 09:36 GMT
Last edited by Paul Mattal (paul) - Thursday, 09 February 2006, 16:07 GMT
Task Type: Bug Report
Category: Packages: Current
Status: Closed
Assigned To: Judd Vinet (judd)
Architecture: not specified
Severity: High
Priority: Normal
Reported Version: 0.7 Wombat
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

It seems that certain upgrades of ssh move the sshd_config file to sshd_config.pacsave and replace it with the default shipped version (4.1p1-1 -> 4.2p1-1 and 4.0p1-1 -> 4.1p1-1 in my log).

This is somewhat a matter of opinion, but I consider this an important security risk. This is why: If some users have weak passwords one might have restricted ssh login with AllowUsers or AllowGroups. If these settings unwittingly get overwritten by an upgrade the system becomes VERY vulnerable. I know there is a notice that the config has been moved to a .pacsave, but when upgrading a large number of packages this is easy to miss.

I'm not sure what the best alternative would be, but I would prefer writing the config to a .pacnew file. I guess there are security implications for this as well, but I would consider these less severe.

Closed by Judd Vinet (judd)
Thursday, 09 February 2006, 18:49 GMT
Reason for closing: Fixed
Comment by arjan timmerman (blaasvis) - Thursday, 22 December 2005, 08:12 GMT
To solve this, use /etc/pacman.conf.
Add "NoUpgrade etc/ssh/sshd_config" to it.

The bug you describe is the default way of working for any package.
If you add the NoUpgrade flag the new config is saved to .pacnew ;)
Comment by Roman Kyrylych (Romashka) - Thursday, 22 December 2005, 10:53 GMT
IMO saving any new config file to .pacnew should be the DEFAULT behaviour!
Now I must add almost all my /etc to NoUpgrade. I added hosts, hosts.allow, hosts.deny, host.conf, even issue!

IMO it would be better to change the default behaviour to not replacing ANY config files and add new option AllowUpgrade to allow pacman to upgrade some config files, saving old config file as .pacsave

I think most users will prefer this behaviour. In MOST cases old configs would work with a newer version of the package. Why would anyone need his/her configs to be replaced with the default configs of the upgraded package? Especially on a server? Or if someone wants to automatically upgrade his/her system, why must he/she place almost all config files in NoUpgrade?
Comment by jan willem (jw) - Thursday, 22 December 2005, 12:05 GMT
Arjan, thanks for the tip about pacman.conf, I will try that.

Nonetheless, I agree with Roman that saving to .pacnew by DEFAULT seems like safer behaviour. I'd prefer pacman to notify me that a shipped config file differs from the last shipped version (i.e. defaults have changed, or new values were added) and save the new default config to a .pacnew, so I can do a diff to see what's changed.

Btw, does pacman currently always overwrite, or just when the shipped config file has actually changed wrt the last version?
Comment by Roman Kyrylych (Romashka) - Thursday, 22 December 2005, 12:34 GMT
Pacman does not track changes in default config files. So it always overwrites.

Another bad thing with current upgrading system: when upgrading filesystem package my /etc/issue was overwritten and no issue.pacsave created! This is really BAD behaviour!
Comment by Roman Kyrylych (Romashka) - Thursday, 22 December 2005, 12:36 GMT
Tracking changes in default config files is not Pacman's job.
Packages can provide tracking of changes in default config files but this is done only for really important packages like kernel, filesystem, udev etc.
Comment by arjan timmerman (blaasvis) - Thursday, 22 December 2005, 12:39 GMT
No, it is not.
I hate the way gentoo does it, you need to change ALL config changes by hand.
Most of us only change 10 of the /etc files max, right?
So why should I change all other updates by hand?

Would you like to update all dbus/hal/udev/hotplug changes always by hand?
Hmmm, the issue.pacsave thing is a bug probably...
Comment by arjan timmerman (blaasvis) - Thursday, 22 December 2005, 12:43 GMT
I looked at the issue thing, it is a package bug.
I will notify apeiro of it.
etc/issue needs to be added to the backup array.
Comment by jan willem (jw) - Wednesday, 28 December 2005, 09:03 GMT
I'm not sure we understood each other correctly. What I was saying is that a packager can see whether the default config file has changed wrt the default file from the previous version. So in principle, pacman only has to overwrite the old config when there are actually new settings or changes to the defaults.

However, when I thought about this again just now I thought of the following issue: This method wouldn't work if a user misses a few upgrades. In order to make this behaviour work correctly one would have to track the package version where the current shipped config was introduced. The config file would then be updated if the version of the config file in the new package is higher than the version in the installed package. This becomes a bit awkward, but not impossibly so.

Anyway, what to do with config files by default is a separate discussion. My request here is that the openssh package is modified not to overwrite by default. The ssh config, like hosts.allow and hosts.deny is critical to system security, so I think it is a bad idea to silently overwrite it.
Comment by Roman Kyrylych (Romashka) - Wednesday, 28 December 2005, 09:43 GMT
IMO the best solution would be to change the behaviour of Pacman when upgrading packages:
* Pacman should not replace config files, saving them in .pacsave!
* it should save new config files in .pacnew BY DEFAULT!
* add new option AllowUpgrade

About tracking changes in default config files (if this will ever be implemented):
* every config file should have a string like #version: 20051207 (or version: 20051207-2 if there were two changes in the same day)
* pacman should compare versions of the existing config file and the default config of the upgraded package, and if the default config has changed it should alert the user like this: "NOTE: default config files in package-x.y.z changed!"
Comment by Paul Mattal (paul) - Saturday, 21 January 2006, 12:45 GMT
Actually, this is something I had been meaning to bring up; a while ago, there was a very good suggestion which I think could make everyone happy: add an option in the pacman.conf to switch to "pacnew by default" behavior. (I would use this for my servers.) By DEFAULT, have that setting turned off (that is to say, do the current "pacsave by default" behavior.)

I'm willing to take a stab at implementing this if nobody else has got the time. It really gives people on each side of this issue (or both sides, like me!) the best set of solutions.
Comment by Roman Kyrylych (Romashka) - Saturday, 21 January 2006, 13:37 GMT
If you are going to implement this please see bug #3620, especially comments after this:
http://bugs.archlinux.org/task/3620#comment7761
Comment by Paul Mattal (paul) - Thursday, 09 February 2006, 16:05 GMT
So this fix is in pacman 2.9.8, universally, as I understand it.
Can we close this bug?
Comment by Judd Vinet (judd) - Thursday, 09 February 2006, 18:49 GMT
Yep, 2.9.8 will not overwrite your config files anymore.
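
A post-upgrade check for the risk raised in this report, added here as an example and not taken from the thread or from pacman: it lists the AllowUsers/AllowGroups restrictions (and DenyUsers/DenyGroups, which go beyond what the report names) that exist in the saved sshd_config.pacsave but are missing from the live sshd_config. The function names and the sample files are constructed for illustration; Match blocks and "Keyword=value" syntax are not handled.

```shell
#!/bin/sh
# Added example: find sshd login restrictions that an upgrade dropped by
# replacing sshd_config with the shipped default (old file kept as .pacsave).

# Print the normalized Allow*/Deny* Users/Groups lines of one config file.
# sshd_config keywords are case-insensitive; comment and blank lines are skipped.
access_directives() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            key = tolower($1)
            if (key ~ /^(allow|deny)(users|groups)$/) {
                line = key
                for (i = 2; i <= NF; i++) line = line " " $i
                print line
            }
        }' "$1" | sort -u
}

# Print directives present in the saved file but absent from the live file.
# Returns 0 when nothing was lost, 1 when at least one restriction is missing.
lost_directives() {
    live=$1 saved=$2
    tmp_live=$(mktemp) tmp_saved=$(mktemp)
    access_directives "$live"  > "$tmp_live"
    access_directives "$saved" > "$tmp_saved"
    lost=$(comm -13 "$tmp_live" "$tmp_saved")   # lines only in the saved file
    rm -f "$tmp_live" "$tmp_saved"
    [ -z "$lost" ] && return 0
    printf '%s\n' "$lost"
    return 1
}

# Constructed sample input: a restricted config saved as .pacsave and a
# default-like replacement where the restriction is only a comment.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'Port 22' 'PermitRootLogin no' 'AllowUsers alice bob' \
        'allowgroups  sshusers' > "$dir/sshd_config.pacsave"
    printf '%s\n' '#AllowUsers nobody' 'Port 22' > "$dir/sshd_config"
    lost_directives "$dir/sshd_config" "$dir/sshd_config.pacsave"
    status=$?
    rm -rf "$dir"
    return $status
}

demo || echo "WARNING: the restrictions above are missing from the live config" >&2
```

On a real system the call would be `lost_directives /etc/ssh/sshd_config /etc/ssh/sshd_config.pacsave`, run after an upgrade that reported a .pacsave file.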
