Tries to start sshd on port 1022 even in chroot, crashes if unable

Bug #1399914 reported by Roman Odaisky
This bug affects 1 person
Affects: ubuntu-release-upgrader (Ubuntu)
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

When running do-release-upgrade inside a chroot, it insists on starting an emergency sshd on port 1022. If it’s not possible, for the likely reason that openssh-server is not installed inside the chroot, the upgrade process crashes.

In a chroot environment, starting such an sshd is not needed because there’s supposed to be one outside the chroot which the upgrade process shouldn’t be able to affect; also it’s a security issue because permissions inside the chroot may be lax due to the fact one needs to be root to get into the chroot in the first place (for example, I have an Ubuntu chroot environment on a Debian stable server for experimenting; I’ve given my user sudo NOPASSWD privileges, which is in itself safe but becomes a liability when the port 1022 sshd launches inside the chroot).

Given that the DistUpgrade module already has an inside_chroot() detection function, I suggest that the module only perform its _sshMagic() if no chroot is detected. Additionally, I suggest a command-line option to disable the port 1022 sshd if the administrator so desires.

ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: python3-distupgrade 1:14.10.9
ProcVersionSignature: Ubuntu 3.16.0-25.33-generic 3.16.7
Uname: Linux 3.16.0-25-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.14.7-0ubuntu8
Architecture: i386
CrashDB: ubuntu
CurrentDesktop: KDE
Date: Sat Dec 6 13:27:54 2014
PackageArchitecture: all
SourcePackage: ubuntu-release-upgrader
UpgradeStatus: Upgraded to utopic on 2014-11-30 (5 days ago)
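
The guard suggested in the description above, as an added example that is not part of the original report and is not ubuntu-release-upgrader's own code. The function names, the --no-fallback-sshd flag and the search path are hypothetical; the chroot check compares the device and inode of "/" with those of /proc/1/root, which is an assumption about how such detection can be done, not a copy of inside_chroot().

```python
import os
import shutil
import sys


def looks_like_chroot(own_root="/", init_root="/proc/1/root", stat=os.stat):
    """True when our root directory is not the root that PID 1 sees."""
    try:
        ours, init = stat(own_root), stat(init_root)
    except OSError:
        # /proc missing or PID 1's root unreadable: fail toward "chroot",
        # so that no extra listener is opened when we cannot tell.
        return True
    return (ours.st_dev, ours.st_ino) != (init.st_dev, init.st_ino)


def fallback_sshd_decision(in_chroot, disabled, sshd_path):
    """Return (start, reason); never raises, so the upgrade can continue."""
    if disabled:
        return False, "disabled by the administrator"
    if in_chroot:
        return False, "inside a chroot; the host's own sshd is unaffected"
    if not sshd_path:
        return False, "no sshd binary found; continuing without it"
    return True, "starting fallback sshd on port 1022"


if __name__ == "__main__":
    # --no-fallback-sshd is a hypothetical flag name for this example.
    start, reason = fallback_sshd_decision(
        in_chroot=looks_like_chroot(),
        disabled="--no-fallback-sshd" in sys.argv[1:],
        sshd_path=shutil.which("sshd", path="/usr/sbin:/usr/bin:/sbin"),
    )
    print("fallback sshd:", "yes" if start else "no", "-", reason)
```

Reading /proc/1/root needs root privileges, which the upgrader has; run as an ordinary user, the check reports a chroot and the listener stays off.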

Changed in ubuntu-release-upgrader (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: vivid