Problems with UsePrivilegeSeparation (was: port fwd as user != root?
Tim Rice
tim at multitalents.net
Wed May 29 07:22:41 EST 2002
On Tue, 28 May 2002, Ben Lindstrom wrote:
> On Tue, 28 May 2002, Joshua Hill wrote:
>
> [..]
> >
> > Herein lies your problem.
> >
> > The flag combination (MAP_SHARED|MAP_ANONYMOUS) is not supported in
> > the linux 2.2 kernels. Searching the linux-mm list archives reveals
> > that this can't be trivially added due to the linux-2.2 VM's assumption
> > that all swap cache pages are read-only; see the linux-mm thread that
> > starts at http://mail.nl.linux.org/linux-mm/1999-01/msg00034.html for
> > some proposals for adding shared anonymous mappings to the linux 2.2 VM
> > that didn't quite work out
>
> There are too many issues in regards to SysV Shared Memory. It leaks at
> best and is corrupted at worst. Even under Solaris (I have too many UNIFY
> 'databases' roaming around that step all over SysV Memory. It's a
> horrible design).
>
> The mmap() is only required if you wish to have compression support in the
> server. Looking at our current code base I see we have not merged what is
> needed to handle lack of mmap() yet.
>
> You may want to focus our energy on a patch that would kill two birds with
> one stone. The lack of mmap() (on Cray and other OSes) and your issues
> by allowing the admin to disable compression at runtime. This would allow
> for a lot more platform support.
For the platforms that have mmap but don't support MAP_ANON we can do
something like this.
--- monitor_mm.c.orig Tue May 28 13:49:29 2002
+++ monitor_mm.c Tue May 28 13:53:03 2002
@@ -84,9 +84,14 @@
*/
mm->mmalloc = mmalloc;
-#if defined(HAVE_MMAP) && defined(MAP_ANON)
+#ifdef HAVE_MMAP
+#ifdef MAP_ANON
address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
-1, 0);
+#else
+ address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_PRIVATE,
+ open("/dev/zero", O_RDWR), 0);
+#endif
if (address == MAP_FAILED)
fatal("mmap(%lu)", (u_long)size);
#else
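Review bot: the fallback added under the inner #else maps /dev/zero with MAP_PRIVATE, while the MAP_ANON branch just above it uses MAP_ANON|MAP_SHARED; a private mapping turns copy-on-write after fork(), so a write made by one process is never seen by the other, and the fallback should pass MAP_SHARED as well. The result of open("/dev/zero", O_RDWR) is also handed straight to mmap() without a check and is never closed: store it in a variable, call fatal() when it is negative so the message names /dev/zero instead of reporting an mmap failure, and close() it once mmap() has returned.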
The only stumbling block is that the unprivileged child calls initgroups()
and it's fatal.
--------< session.c >--------
	/* Initialize the group list. */
	if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
		perror("initgroups");
		exit(1);
	}
If I comment out the exit(1) call I can get privsep working on a platform
that has mmap but no MAP_ANON.
Any clue how to tell if we are in the unprivileged child?
>
> - Ben
--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net
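
How a /dev/zero mapping behaves across fork() with MAP_SHARED versus MAP_PRIVATE, for platforms that have mmap but no MAP_ANON as discussed in the message above. This is an added example, not code from the original message or from OpenSSH; the function name child_write_visible and the marker value 42 are made up for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Map one page of /dev/zero with the given flags (MAP_SHARED or
 * MAP_PRIVATE), fork, let the child store a marker in the page, and
 * report whether the parent sees it: 1 if yes, 0 if no, -1 on error.
 */
int child_write_visible(int flags)
{
	long pagesz = sysconf(_SC_PAGESIZE);
	volatile int *cell;
	void *addr;
	pid_t pid;
	int fd, seen;

	if (pagesz <= 0 || (fd = open("/dev/zero", O_RDWR)) < 0)
		return -1;
	addr = mmap(NULL, (size_t)pagesz, PROT_READ|PROT_WRITE, flags, fd, 0);
	close(fd);		/* the mapping outlives the descriptor */
	if (addr == MAP_FAILED)
		return -1;
	cell = addr;
	*cell = 0;		/* parent touches the page before forking */

	pid = fork();
	if (pid == 0) {		/* child: writes the marker and leaves */
		*cell = 42;
		_exit(0);
	}
	if (pid < 0 || waitpid(pid, NULL, 0) < 0) {
		munmap(addr, (size_t)pagesz);
		return -1;
	}
	seen = (*cell == 42);	/* only true if the page is really shared */
	munmap(addr, (size_t)pagesz);
	return seen;
}

int main(void)
{
	printf("MAP_SHARED:  child write visible = %d\n", child_write_visible(MAP_SHARED));
	printf("MAP_PRIVATE: child write visible = %d\n", child_write_visible(MAP_PRIVATE));
	return 0;
}
```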