Bug 1343 - Privilege separation does not work on QNX
Summary: Privilege separation does not work on QNX
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 4.6p1
Hardware: Other Other
Importance: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_4_7 V_4_6_P2
Reported: 2007-07-22 05:04 AEST by Matt Kraai
Modified: 2008-04-04 10:00 AEDT

Attachments
Define DISABLE_FD_PASSING on QNX systems (474 bytes, patch)
2007-07-22 05:12 AEST, Matt Kraai
Disable fd passing only on qnx6. (594 bytes, patch)
2007-07-22 15:18 AEST, Darren Tucker

Description Matt Kraai 2007-07-22 05:04:09 AEST
Privilege separation does not work on QNX: recvmsg returns -1 and sets errno to EPERM when it is called to receive a file descriptor.
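The descriptor-passing call named in this report, as an added example (not code from OpenSSH or from the attached patches): a small C probe that passes a descriptor over a socketpair with SCM_RIGHTS and returns any sendmsg or recvmsg failure, such as the EPERM reported here, as a negative errno. The names `xfer_fd` and `fd_passing_probe` are hypothetical.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Control buffer sized and aligned for exactly one descriptor. */
union fd_ctl { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Send fd over UNIX-domain socket sock (sending != 0) or receive one from it.
 * Returns 0 after a send, the new descriptor after a receive, or -errno. */
static int xfer_fd(int sock, int fd, int sending)
{
    union fd_ctl ctl; char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg; struct cmsghdr *cmsg;
    memset(&msg, 0, sizeof(msg)); memset(&ctl, 0, sizeof(ctl));
    msg.msg_iov = &iov; msg.msg_iovlen = 1;   /* one payload byte must accompany the fd */
    msg.msg_control = ctl.buf; msg.msg_controllen = sizeof(ctl.buf);
    cmsg = CMSG_FIRSTHDR(&msg);
    if (sending) {
        cmsg->cmsg_level = SOL_SOCKET;
        cmsg->cmsg_type = SCM_RIGHTS;
        cmsg->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
        return sendmsg(sock, &msg, 0) < 0 ? -errno : 0;
    }
    if (recvmsg(sock, &msg, 0) < 0) return -errno;   /* the call that failed in the report */
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS)
        return -EPROTO;                              /* message arrived without a descriptor */
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Pass a pipe's read end across a socketpair, then read through the copy. */
int fd_passing_probe(void)
{
    int sv[2], p[2], rc, got = -1; char c = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -errno;
    if (pipe(p) < 0) { rc = -errno; close(sv[0]); close(sv[1]); return rc; }
    if ((rc = xfer_fd(sv[0], p[0], 1)) == 0 && (rc = got = xfer_fd(sv[1], -1, 0)) >= 0)
        rc = (write(p[1], "x", 1) == 1 && read(got, &c, 1) == 1 && c == 'x') ? 0 : -EIO;
    if (got >= 0) close(got);
    close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
    return rc;
}

int main(void) { return fd_passing_probe() == 0 ? 0 : 1; }
```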
Comment 1 Matt Kraai 2007-07-22 05:12:15 AEST
Created attachment 1328
Define DISABLE_FD_PASSING on QNX systems

The attached patch fixes this problem by defining DISABLE_FD_PASSING on QNX systems.
Comment 2 Darren Tucker 2007-07-22 13:14:22 AEST
Seems reasonable, however I don't have access to QNX to confirm.  I also wonder if this applies to specific QNX versions or all of them.  Which version did you observe the behaviour on?
Comment 3 Matt Kraai 2007-07-22 14:34:30 AEST
(In reply to comment #2)
> Seems reasonable, however I don't have access to QNX to confirm.  I
> also wonder if this applies to specific QNX versions or all of them. 
> Which version did you observe the behaviour on?

6.3.0.  I think it's been this way since 6.0.0, the first NTO version, but I don't have access to a system running that version to verify.
Comment 4 Darren Tucker 2007-07-22 15:18:18 AEST
Created attachment 1330
Disable fd passing only on qnx6.

> 6.3.0.  I think it's been this way since 6.0.0,

In that case I would prefer to see it set only for the versions known to need it.  Other versions can be added if it proves necessary.

Could you please confirm that this patch does the right thing?  Thanks.
Comment 5 Matt Kraai 2007-07-22 15:31:27 AEST
(In reply to comment #4)
> Created an attachment (id=1330) [details]
> Disable fd passing only on qnx6.
> 
> > 6.3.0.  I think it's been this way since 6.0.0,
> 
> In that case I would prefer to see it set only for the versions known
> to need it.  Other versions can be added if it proves necessary.
> 
> Could you please confirm that this patch does the right thing?  Thanks.

Sure, I'll test it Monday.

NTO only matches QNX 6, so the only difference this patch makes is to skip this definition for future versions.
Comment 6 Matt Kraai 2007-07-24 16:00:25 AEST
(In reply to comment #4)
> Created an attachment (id=1330) [details]
> Disable fd passing only on qnx6.
...
> Could you please confirm that this patch does the right thing?  Thanks.

I had to hand-regenerate configure, but after I did so, the problem was fixed.  Thanks.
Comment 7 Darren Tucker 2007-07-24 16:18:58 AEST
(In reply to comment #6)
> I had to hand-regenerate configure, but after I did so,

We don't automatically regenerate configure so you need to either run "autoreconf" or "make -f Makefile.in distprep"

>  the problem was fixed.  Thanks.

Thanks for confirming, we will put this in for the next release.
Comment 8 Darren Tucker 2007-08-10 14:36:37 AEST
Applied, thanks.  It will be in the 4.7 release.
Comment 9 Damien Miller 2008-04-04 10:00:12 AEDT
Close resolved bugs after release.