From ggm@mirin.apnic.net  Wed Apr 18 17:09:44 2007
Return-Path: <ggm@mirin.apnic.net>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id CBBC216A401
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 18 Apr 2007 17:09:44 +0000 (UTC)
	(envelope-from ggm@mirin.apnic.net)
Received: from mirin.apnic.net (mirin.apnic.net [203.119.0.113])
	by mx1.freebsd.org (Postfix) with ESMTP id 666D613C458
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 18 Apr 2007 17:09:44 +0000 (UTC)
	(envelope-from ggm@mirin.apnic.net)
Received: from mirin.apnic.net (localhost.apnic.net [127.0.0.1])
	by mirin.apnic.net (8.13.8/8.13.8) with ESMTP id l3I05vrX059927
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 18 Apr 2007 10:05:57 +1000 (EST)
	(envelope-from ggm@mirin.apnic.net)
Received: (from root@localhost)
	by mirin.apnic.net (8.13.8/8.13.8/Submit) id l3I05uPK059926;
	Wed, 18 Apr 2007 10:05:56 +1000 (EST)
	(envelope-from ggm)
Message-Id: <200704180005.l3I05uPK059926@mirin.apnic.net>
Date: Wed, 18 Apr 2007 10:05:56 +1000 (EST)
From: ggm@apnic.net
Reply-To: ggm@apnic.net
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: sshd and ports/www/apache22 rcorder looks risky..
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         111820
>Category:       misc
>Synopsis:       sshd and ports/www/apache22 rcorder looks risky..
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 18 17:10:01 GMT 2007
>Closed-Date:    Wed Apr 18 17:12:23 GMT 2007
>Last-Modified:  Wed Apr 18 17:12:23 GMT 2007
>Originator:     George Michaelson
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
APNIC
>Environment:
System: FreeBSD mirin.apnic.net 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Thu Feb 8 11:28:59 EST 2007 root@mirin.apnic.net:/usr/obj/usr/src/sys/MIRIN i386


	
>Description:
	we had a bad apache22 config, which hung at console for ssl passphrase.
	yes, this is a local bad. But, because of REQUIRE/BEFORE dependencies
	that serializes the /etc/rc.d and /usr/local/etc/rc.d dependencies
	sshd is started long long after the DAEMON rcorder of apache22, sshd
	depends on LOGIN.

	this means that any remote box, with ports installed apache22 or in
	fact any daemon which 'fubars' and hangs the rc.d boot init sequence
	cannot be talked to, because sshd has not yet started. It's an
	in-the-room only fix.
>How-To-Repeat:
	install apache22, enable ssl without removing key from server.key
	and reboot. 
	
>Fix:
	I believe this one comes down to strongly held views, I am not
	expecting a "fix" per se, but I do wonder is sshd something which
	should start well before daemons? is the DAEMON/LOGIN dependency
	chaining sequence not very risky? equally, should /usr/local/rc.d
	rcorder be able to override sequences of system installed daemons
	like sshd?

	

	I haven't yet tried it, but altering the REQUIRE deps for apache22
	looks like a way out, to put it behind LOGIN.

	(yes, I removed the passphrase. But, any ports/ installed s/w could
	 put an rc.d instance in, and become a potential locker before sshd
	 is live)

-George
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Wed Apr 18 17:12:13 UTC 2007 
State-Changed-Why:  
This is not a problem, this is a question, please refer to the questions 
mailing list on 
http://lists.freebsd.org/mailman/listinfo/freebsd-questions/ for more 
information. Thanks for using FreeBSD 

http://www.freebsd.org/cgi/query-pr.cgi?pr=111820 
>Unformatted:
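
Added example, not part of the original report or of FreeBSD's own tooling: a check of the ordering concern described above, which reads the PROVIDE/REQUIRE/BEFORE headers that rcorder uses and labels each /usr/local/etc/rc.d script as forced before sshd, forced after it, or left unordered. The header blocks are constructed and simplified; the apache22 headers, and the loginapp and lateapp scripts, are assumptions for illustration, not the port's actual script.

```python
import re

# Constructed, simplified rc.d header blocks (assumptions, not copied from a real system).
SCRIPTS = {
    "/etc/rc.d/NETWORKING": "# PROVIDE: NETWORKING NETWORK\n",
    "/etc/rc.d/DAEMON": "# PROVIDE: DAEMON\n# REQUIRE: NETWORKING\n",
    "/etc/rc.d/LOGIN": "# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n",
    "/etc/rc.d/sshd": "# PROVIDE: sshd\n# REQUIRE: LOGIN\n",
    "/usr/local/etc/rc.d/apache22": "# PROVIDE: apache22\n# REQUIRE: NETWORKING\n# BEFORE: DAEMON\n",
    "/usr/local/etc/rc.d/loginapp": "# PROVIDE: loginapp\n# REQUIRE: LOGIN\n",
    "/usr/local/etc/rc.d/lateapp": "# PROVIDE: lateapp\n# REQUIRE: LOGIN sshd\n",
}
HEADER = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.M)

def parse(text):
    """Return the PROVIDE, REQUIRE and BEFORE name lists of one script."""
    fields = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, value in HEADER.findall(text):
        fields[key] += value.split()
    return fields

def predecessors(scripts):
    """Map each script path to the paths that must run directly before it."""
    meta = {path: parse(text) for path, text in scripts.items()}
    provider = {name: path for path, m in meta.items() for name in m["PROVIDE"]}
    before = {path: set() for path in scripts}
    for path, m in meta.items():
        before[path].update(provider[n] for n in m["REQUIRE"] if n in provider)
        for name in m["BEFORE"]:  # "BEFORE: X" makes this script a predecessor of X
            if name in provider:
                before[provider[name]].add(path)
    return before

def ordered_after(path, target, before):
    """True if `target` is a direct or transitive predecessor of `path`."""
    seen, stack = set(), [path]
    while stack:
        for dep in before[stack.pop()] - seen:
            seen.add(dep)
            stack.append(dep)
    return target in seen

def classify(scripts, target="/etc/rc.d/sshd", prefix="/usr/local/etc/rc.d/"):
    """Label each local script's position relative to `target`."""
    before = predecessors(scripts)
    out = {}
    for p in sorted(scripts):
        if p.startswith(prefix):
            out[p] = ("before" if ordered_after(target, p, before) else
                      "after" if ordered_after(p, target, before) else "unordered")
    return out
```

Because rc runs the scripts one at a time, anything labelled "before" or "unordered" can stall the boot ahead of sshd; only a script that requires sshd, directly or transitively, is guaranteed to start after it.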
