Bug 1343

Summary: Privilege separation does not work on QNX
Product: Portable OpenSSH
Reporter: Matt Kraai <kraai>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: normal
CC: dtucker
Priority: P2
Version: 4.6p1
Hardware: Other
OS: Other
Bug Depends on:
Bug Blocks: 1289, 1305
Attachments:
Define DISABLE_FD_PASSING on QNX systems (flags: none)
Disable fd passing only on qnx6. (flags: none)

Description Matt Kraai 2007-07-22 05:04:09 AEST
Privilege separation does not work on QNX: recvmsg returns -1 and sets errno to EPERM when it is called to receive a file descriptor.
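
Added example (not code from OpenSSH or from the patches attached to this bug): a small C probe for the failure described above. It passes a descriptor as SCM_RIGHTS ancillary data over a socketpair and returns the errno of whichever step fails, so a platform behaving as reported would return EPERM from the recvmsg step. The names xfer_fd and probe_fd_passing are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Send *fd (sending != 0) or receive into *fd, as SCM_RIGHTS ancillary data. */
static int xfer_fd(int sock, int *fd, int sending) {
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    char byte = 0;
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    memset(&u, 0, sizeof(u));
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (sending) {
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), fd, sizeof(int));
        return sendmsg(sock, &msg, 0) < 0 ? errno : 0;
    }
    if (recvmsg(sock, &msg, 0) < 0)
        return errno; /* the call the report saw fail with EPERM */
    c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return EPROTO; /* data arrived without a descriptor */
    memcpy(fd, CMSG_DATA(c), sizeof(int));
    return 0;
}

/* Pass sv[1] over its own socketpair; the copy must read what sv[0] writes. */
int probe_fd_passing(void) {
    int sv[2], got = -1, rc;
    char ch = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return errno;
    rc = xfer_fd(sv[0], &sv[1], 1);
    if (rc == 0) rc = xfer_fd(sv[1], &got, 0);
    if (rc == 0 && (write(sv[0], "x", 1) != 1 || read(got, &ch, 1) != 1 || ch != 'x'))
        rc = EBADF; /* something arrived, but not a working copy of sv[1] */
    if (got >= 0) close(got);
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void) {
    int rc = probe_fd_passing();
    printf("descriptor passing: %s\n", rc ? strerror(rc) : "works");
    return rc != 0;
}
```
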
Comment 1 Matt Kraai 2007-07-22 05:12:15 AEST
Created attachment 1328
Define DISABLE_FD_PASSING on QNX systems

The attached patch fixes this problem by defining DISABLE_FD_PASSING on QNX systems.
Comment 2 Darren Tucker 2007-07-22 13:14:22 AEST
Seems reasonable, however I don't have access to QNX to confirm.  I also wonder if this applies to specific QNX versions or all of them.  Which version did you observe the behaviour on?
Comment 3 Matt Kraai 2007-07-22 14:34:30 AEST
(In reply to comment #2)
> Seems reasonable, however I don't have access to QNX to confirm.  I
> also wonder if this applies to specific QNX versions or all of them. 
> Which version did you observe the behaviour on?

6.3.0.  I think it's been this way since 6.0.0, the first NTO version, but I don't have access to a system running that version to verify.
Comment 4 Darren Tucker 2007-07-22 15:18:18 AEST
Created attachment 1330
Disable fd passing only on qnx6.

> 6.3.0.  I think it's been this way since 6.0.0,

In that case I would prefer to see it set only for the versions known to need it.  Other versions can be added if it proves necessary.

Could you please confirm that this patch does the right thing?  Thanks.
Comment 5 Matt Kraai 2007-07-22 15:31:27 AEST
(In reply to comment #4)
> Created an attachment (id=1330)
> Disable fd passing only on qnx6.
> 
> > 6.3.0.  I think it's been this way since 6.0.0,
> 
> In that case I would prefer to see it set only for the versions known
> to need it.  Other versions can be added if it proves necessary.
> 
> Could you please confirm that this patch does the right thing?  Thanks.

Sure, I'll test it Monday.

NTO only matches QNX 6, so the only difference this patch makes is to skip this definition for future versions.
Comment 6 Matt Kraai 2007-07-24 16:00:25 AEST
(In reply to comment #4)
> Created an attachment (id=1330)
> Disable fd passing only on qnx6.
...
> Could you please confirm that this patch does the right thing?  Thanks.

I had to hand-regenerate configure, but after I did so, the problem was fixed.  Thanks.
Comment 7 Darren Tucker 2007-07-24 16:18:58 AEST
(In reply to comment #6)
> I had to hand-regenerate configure, but after I did so,

We don't automatically regenerate configure, so you need to either run "autoreconf" or "make -f Makefile.in distprep".

>  the problem was fixed.  Thanks.

Thanks for confirming, we will put this in for the next release.
Comment 8 Darren Tucker 2007-08-10 14:36:37 AEST
Applied, thanks.  It will be in the 4.7 release.
Comment 9 Damien Miller 2008-04-04 10:00:12 AEDT
Close resolved bugs after release.