privsep patch, Please test (take 3)

Tim Rice tim at multitalents.net
Fri Jun 7 10:49:13 EST 2002


On Thu, 6 Jun 2002, Kevin Steves wrote:

> On Wed, Jun 05, 2002 at 06:22:39PM -0700, Tim Rice wrote:
[snip]
> > +#elif defined(HAVE_MMAP_DEV_ZERO_PRIVATE)
> > +	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_PRIVATE,
> > +	    open("/dev/zero", O_RDWR), 0);
> > +#endif
> >  	if (address == MAP_FAILED)
> >  		fatal("mmap(%lu)", (u_long)size);
> >  #else
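Review bot: The result of open("/dev/zero", O_RDWR) on the added mmap() line is passed straight in as the fd argument, so a failed open() is never checked and the descriptor is never closed. If open() returns -1, the fatal("mmap(%lu)") that follows blames the wrong call, and on success the fd stays open for the life of the process. Suggest opening into a local variable, calling fatal() when it is negative, and close()ing it once mmap() has returned, since the mapping does not need the descriptor afterwards. Also worth confirming that MAP_PRIVATE is what is wanted here: writes to a private mapping are not visible to another process after fork().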
>
> hmm, more ifdefs.  can there be xmmap() so there's one line of diff
> between openbsd?  and again, i think we should use mm if possible.

Privsep may be important enough to introduce another library dependency.
It seems like it may address the platforms that have no mmap.
Ben said he didn't like the idea of requiring another library.
We haven't heard from Damien yet.

>
> > --- openssh/session.c.old	Sun May 12 20:25:02 2002
> > +++ openssh/session.c	Wed May 29 07:39:22 2002
> > @@ -1089,10 +1089,11 @@
> >  			exit(1);
> >  		}
> >  		/* Initialize the group list. */
> > -		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
> > -			perror("initgroups");
> > -			exit(1);
> > -		}
> > +		if (strcmp(pw->pw_name, SSH_PRIVSEP_USER))
> > +			if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
> > +				perror("initgroups");
> > +				exit(1);
> > +			}
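Review bot: In the new strcmp(pw->pw_name, SSH_PRIVSEP_USER) branch, skipping initgroups() means nothing in this hunk resets the supplementary group list for that user, so the process keeps whatever groups it inherited from its parent. Suggest an explicit setgroups() down to pw->pw_gid alone in that case instead of doing nothing, with a failure handled the same way as the initgroups() failure (perror and exit). Style: write the test as strcmp(...) != 0, brace the outer if, and add a comment saying why the privsep user is special-cased.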
>
> why are we doing this?

On some platforms initgroups() fails in the chroot child. As initgroups
is unnecessary for the sshd user, this fixes that problem. I'm open
to any better ways.

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net







More information about the openssh-unix-dev mailing list