Remove portability support for mmap
We no longer need to wrap/replace mmap for portability now that pre-auth compression has been removed from OpenSSH.
parent
0082fba4ef
commit
1cfd5c06ef
|
@ -8,10 +8,6 @@ More information is available at:
|
|||
Privilege separation is now enabled by default; see the
|
||||
UsePrivilegeSeparation option in sshd_config(5).
|
||||
|
||||
On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
|
||||
compression must be disabled in order for privilege separation to
|
||||
function.
|
||||
|
||||
When privsep is enabled, during the pre-authentication phase sshd will
|
||||
chroot(2) to "/var/empty" and change its privileges to the "sshd" user
|
||||
and its primary group. sshd is a pseudo-account that should not be
|
||||
|
@ -35,9 +31,6 @@ privsep user and chroot directory:
|
|||
--with-privsep-path=xxx Path for privilege separation chroot
|
||||
--with-privsep-user=user Specify non-privileged user for privilege separation
|
||||
|
||||
Privsep requires operating system support for file descriptor passing.
|
||||
Compression will be disabled on systems without a working mmap MAP_ANON.
|
||||
|
||||
PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD,
|
||||
HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
|
||||
|
||||
|
|
4
TODO
4
TODO
|
@ -69,10 +69,6 @@ Packaging:
|
|||
(gilbert.r.loomis@saic.com)
|
||||
|
||||
PrivSep Issues:
|
||||
- mmap() issues.
|
||||
+ /dev/zero solution (Solaris)
|
||||
+ No/broken MAP_ANON (Irix)
|
||||
+ broken /dev/zero parse (Linux)
|
||||
- PAM
|
||||
+ See above PAM notes
|
||||
- AIX
|
||||
|
|
|
@ -1137,7 +1137,6 @@ mips-sony-bsd|mips-sony-newsos4)
|
|||
|
||||
*-*-ultrix*)
|
||||
AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
|
||||
AC_DEFINE([BROKEN_MMAP], [1], [Ultrix mmap can't map files])
|
||||
AC_DEFINE([NEED_SETPGRP])
|
||||
AC_DEFINE([HAVE_SYS_SYSLOG_H], [1], [Force use of sys/syslog.h on Ultrix])
|
||||
;;
|
||||
|
@ -1708,7 +1707,6 @@ AC_CHECK_FUNCS([ \
|
|||
memmove \
|
||||
memset_s \
|
||||
mkdtemp \
|
||||
mmap \
|
||||
ngetaddrinfo \
|
||||
nsleep \
|
||||
ogetaddrinfo \
|
||||
|
|
|
@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
|
|||
|
||||
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
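Review bot: Dropping `xmmap.o` from the COMPAT list is safe only if nothing in the tree still refers to `xmmap()`, `HAVE_MMAP` or `BROKEN_MMAP`, and this page does not show that check. A leftover `xmmap()` caller would fail loudly at link time. A leftover `#ifdef HAVE_MMAP` would instead silently compile its fallback branch, because the same commit removes `mmap` from the configure function checks. A tree-wide search for those three names before merging would settle it. Separately, the unchanged `OPENBSD=` line lists `blowfish.o` and `bcrypt_pbkdf.o` twice, which could be tidied in a follow-up.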
|
||||
|
||||
|
|
|
@ -297,7 +297,6 @@ int bcrypt_pbkdf(const char *, size_t, const u_int8_t *, size_t,
|
|||
void explicit_bzero(void *p, size_t n);
|
||||
#endif
|
||||
|
||||
void *xmmap(size_t size);
|
||||
char *xcrypt(const char *password, const char *salt);
|
||||
char *shadow_pw(struct passwd *pw);
|
||||
|
||||
|
|
|
@ -1,86 +0,0 @@
|
|||
/*
|
||||
* Copyright (c) 2002 Tim Rice. All rights reserved.
|
||||
* MAP_FAILED code by Solar Designer.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
#ifdef HAVE_SYS_MMAN_H
|
||||
#include <sys/mman.h>
|
||||
#endif
|
||||
#include <sys/stat.h>
|
||||
|
||||
#ifdef HAVE_FCNTL_H
|
||||
# include <fcntl.h>
|
||||
#endif
|
||||
#include <errno.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "log.h"
|
||||
|
||||
void *
|
||||
xmmap(size_t size)
|
||||
{
|
||||
#ifdef HAVE_MMAP
|
||||
void *address;
|
||||
|
||||
# ifdef MAP_ANON
|
||||
address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
|
||||
-1, (off_t)0);
|
||||
# else
|
||||
address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
|
||||
open("/dev/zero", O_RDWR), (off_t)0);
|
||||
# endif
|
||||
|
||||
#define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"
|
||||
if (address == (void *)MAP_FAILED) {
|
||||
char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
|
||||
int tmpfd;
|
||||
mode_t old_umask;
|
||||
|
||||
old_umask = umask(0177);
|
||||
tmpfd = mkstemp(tmpname);
|
||||
umask(old_umask);
|
||||
if (tmpfd == -1)
|
||||
fatal("mkstemp(\"%s\"): %s",
|
||||
MM_SWAP_TEMPLATE, strerror(errno));
|
||||
unlink(tmpname);
|
||||
if (ftruncate(tmpfd, size) != 0)
|
||||
fatal("%s: ftruncate: %s", __func__, strerror(errno));
|
||||
address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
|
||||
tmpfd, (off_t)0);
|
||||
close(tmpfd);
|
||||
}
|
||||
|
||||
return (address);
|
||||
#else
|
||||
fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported",
|
||||
__func__);
|
||||
#endif /* HAVE_MMAP */
|
||||
|
||||
}
|
||||
|