Missing privilege separation directory: /var/run/sshd

Bug #45234 reported by Mircea MITU on 2006-05-17
20
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Medium
Colin Watson

Bug Description

$ dpkg -l openssh-server
ii openssh-server 4.2p1-7ubuntu2
$ sudo /etc/init.d/ssh restart
Password:
 * Restarting OpenBSD Secure Shell server...
Missing privilege separation directory: /var/run/sshd
$ mount|grep /var
varrun on /var/run type tmpfs (rw)
$ ls -al /var/run/|grep ssh; echo $?
1
$ sudo mkdir /var/run/sshd
$ sudo /etc/init.d/ssh restart
 * Restarting OpenBSD Secure Shell server... [ ok ]

Colin Watson (cjwatson) wrote :

Could you attach the /etc/init.d/ssh file from your machine, please?

Changed in openssh:
status: Unconfirmed → Needs Info
Mircea MITU (mache) wrote :

Here it is:

#! /bin/sh
set -e

# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon

test -x /usr/sbin/sshd || exit 0
( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0

if test -f /etc/default/ssh; then
    . /etc/default/ssh
fi

. /lib/lsb/init-functions

check_for_no_start() {
    # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
    if [ -e /etc/ssh/sshd_not_to_be_run ]; then
        log_end_msg 0
        log_warning_msg "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
        exit 0
    fi }

check_privsep_dir() {
    # Create the PrivSep empty dir if necessary
    if [ ! -d /var/run/sshd ]; then
        mkdir /var/run/sshd
        chmod 0755 /var/run/sshd
    fi
}

check_config() {
    if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
        /usr/sbin/sshd -t || exit 1
    fi
}

export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
case "$1" in
  start)
        log_begin_msg "Starting OpenBSD Secure Shell server..."
        check_for_no_start
        check_privsep_dir
        start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS || log_end_msg 1
        log_end_msg 0
        ;;
  stop)
        log_begin_msg "Stopping OpenBSD Secure Shell server..."
        start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid || log_end_msg 1
        log_end_msg 0
        ;;

  reload|force-reload)
        log_begin_msg "Reloading OpenBSD Secure Shell server's configuration"
        check_for_no_start
        check_config
        start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || log_end_msg 1
        log_end_msg 0
        ;;

  restart)
        log_begin_msg "Restarting OpenBSD Secure Shell server..."
        check_config
        start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid
        check_for_no_start
        check_privsep_dir
        start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS || log_end_msg 1
        log_end_msg 0
        ;;

  *)
        log_success_msg "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
        exit 1
esac

exit 0

Is the message not generated by "sshd -t" in check_config ?

Colin Watson (cjwatson) wrote :

Scott hit the nail on the head. Thanks!

openssh (1:4.2p1-7ubuntu3) dapper; urgency=low

  * On '/etc/init.d/ssh restart', create /var/run/sshd before checking the
    server configuration, as otherwise 'sshd -t' will complain about the
    lack of /var/run/sshd (closes: Malone #45234).

 -- Colin Watson <email address hidden> Wed, 17 May 2006 23:24:18 +0100

Changed in openssh:
assignee: nobody → kamion
status: Needs Info → Fix Released
OlivierAJ (olivieraj) wrote :

Hi,

when sshd is started thought xinetd, same issue appear, and this message is added to "/var/log/auth.log" :

Mar 25 18:31:58 xxxxx sshd[21619]: fatal: Missing privilege separation directory: /var/run/sshd

Root cause is that in xinetd openssd-server configuration, "/etc/init.d/ssh" is not started, an so "/var/run/sshd" folder is not created.

This should be fixed by adding in "/etc/init.d/bootmisc.sh" :

[ -d /var/run/sshd ] || mkdir /var/run/sshd

  Regards,

                                  Olivier

Christian Kujau (christiank) wrote :

Still here with 8.04.1: when sshd is started via inetd, /var/run/sshd won't be created. How about a patch as OlivierAJ suggested back in 03/2007?

OlivierAJ (olivieraj) wrote :

Hi,

  I did not test this issue on lastest Ubuntu.

  For information, in Debian Lenny/Testing this issue is fixed into "/etc/rc.local" :

<code>
# Create the PrivSep empty dir if necessary
if [ ! -d /var/run/sshd ]; then
   mkdir /var/run/sshd
   chmod 0755 /var/run/sshd
fi
</code>

  See full file in attachment

   Regards,

                              Olivier

Christian Kujau (christiank) wrote :

rc.local, bootmisc.sh - either way, it's seems trivial enough to me (yet I managed to get my patch wrong, aaargh!) and I hope this will be fixed soon.

Btw, Debian had this fixed in 4.3p2-2 (05/2006) where they were referencing the LP bug and #453285 (when starting sshd from inetd) has been fixed with 4.7p1-1 (12/2007).

Thanks,
Christian.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=453285

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.