Bug#1080174: systemd: 20-systemd-ssh-proxy.conf cannot be customised or removed
Josh Triplett
josh at joshtriplett.org
Wed Oct 9 06:25:54 BST 2024
On Tue, 08 Oct 2024 22:00:34 +0100 Luca Boccassi <bluca at debian.org> wrote:
> On Sat, 31 Aug 2024 04:32:30 +0200 Christoph Anton Mitterer
> <calestyo at scientia.org> wrote:
> > Package: systemd
> > Version: 256.5-1
> > Severity: important
> >
> >
> > Hey.
> >
> > I think since version 256 there's systemd-ssh-generator and friends including
> > /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf which is a non-conffile that
> > is a symlink to:
> > /usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf
> >
> > as such, it cannot be modified by the user or removed, as it will be re-installed
> > on upgrade (and there even overwriting any manually created
> > 20-systemd-ssh-proxy.conf that is not a symlink).
> >
> > I don't think this should happen, and wouldn't be too surprised if it was a policy
> > violation (though too lazy to check ^^).
>
> It is most certainly not. This is necessary to ensure ssh via
> vsock/afunix works out of the box. You can set up a local dpkg
> diversion if you want to.

/etc is owned by the sysadmin. It's absolutely reasonable for systemd to
install this configuration file by default, but if the sysadmin removes
it (perhaps because for some reason they don't want to allow SSH access
over vsock or unix sockets), that's a configuration change that
shouldn't be overwritten. dpkg-divert is for modifications to things
that *aren't* configuration files, like files in /usr; it should never
be required for files in /etc.

This could be trivially fixed by marking the file as a conffile, so that
when the user removes it that change will be preserved, and so that if
the user modifies it they'll get prompted if the upstream version
changes.