Yet more exploits against OpenSSH [1] according to Mark [2] so I should upgrade. Thanks to a suggestion from Mark, I was able to get OpenSSH 3.4p1 [3] compiled and running, with privledge separation under Linux 2.0 [4] (technically, 2.0.36 and 2.0.39):
#ifdef HAVE_MMAP_ANON_SHARED
# ifdef USE_MMAP_DEV_ZERO
{
int fh;
fh = open("/dev/zero",O_RDWR);
if (fh == -1)
fatal("mmap(`/dev/zero'): %s",strerror(errno));
address = mmap(NULL,size,PROT_WRITE|PROT_READ,MAP_PRIVATE,fh,0);
if (address == MAP_FAILED)
fatal("mmap(%lu,%d): %s",(u_long)size,fh,strerror(errno));
}
# else
address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
-1, 0);
if (address == MAP_FAILED)
fatal("mmap(%lu): %s", (u_long)size, strerror(errno));
# endif
#else
fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported",
__func__);
#endif
modified openssh-3.4p1/monitor_mm.c:87-109
I had to define USE_MMAP_DEV_ZERO and BROKEN_FD_PASSING in openssh-3.4p1/config.h to get this working. But working it is, thankfully.
[2] http://www.conman.org/people/myg/