On Thu, Feb 07, 2002 at 09:07:50PM -0800, Martin Quinson wrote:
> I've no idea if this would test, but you may be interested in some version
> I've done of the last upstream version of pvm. I spoke about them with the
> maintainer, and he never gave me his advice about them.
I think (without consulting my mail archives) that I did (to someone anyway).

It's my opinion that it is impossible to secure access to pvmd's using the rendezvous points in upstream pvm. For years now Debian's pvm has used /tmp/pvm.uid/* instead of bare files in /tmp. Upstream 3.4.3 added some checking code, going from a wide open security hole to, I believe, a race. I'm not a /tmp-file expert, so if someone who is can verify this I'd appreciate it.

The files must be perfectly predictable, as the completely separate libpvm application code and the pvmd must both find the same files. Given this constraint, I don't believe that it is possible to put those files safely in /tmp; at best you can get a security race (which pvm now gets; before it was just wide open). I instead create a directory (or check its ownership), and then put the rendezvous sockets and logfiles in that subdirectory.

This means Debian binaries (linked against our libpvm.so) won't run on other Linuxes (where they have no libpvm.so), and linked against libpvm.a we also aren't portable either way (different rendezvous locations). As upstream is modifying the same code I did, it's a messy, time consuming forward port. I'd much rather convince upstream to do it and never have to repeat the exercise. :) Most of 3.4.3 was either a reimplementation of our security fix, or some of the same architecture support also in Debian's 3.4.2. Upstream PVM is very nearly frozen (it's a done project).

If some security expert can confirm this I'll forward the discussion upstream, and maybe they'll do the work. I wasn't convincing last time I tried (they concluded that moving the rendezvous sockets was unnecessary). OTOH, if you can convince me that they *are* safe, it'll be pretty trivial to dump my alternate /tmp/dir/ code (nicely bracketed in #define SAFE_TMPDIR or something like that).

> Note that they are only roughly tested. They work for me (tm). Note also
> that I have no access to mips hardware, so you're gonna have to recompile
> them yourself.

Me neither - that's capable of running Linux anyway. Lots of old SGIs floating around, but Irix only, where PVM does work. I'd be very surprised if the new upstream PVM has better mips support than what we have, as (I think) their LINUXMIPS support came via us anyway.

-Drake (Debian pvm maintainer)
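The per-user rendezvous directory Drake describes (create it, or check its ownership, then keep the sockets and logfiles inside it) as an added C example, written for this page and not taken from Debian's or upstream PVM's source. The function names, the return codes and the pvmd.<uid> / pvml.log names under a scratch directory are assumptions for illustration, not PVM's real paths. The directory path is still perfectly predictable, which is the constraint Drake states (libpvm and pvmd must both compute it), so the protection comes from refusing anything an attacker could have pre-placed there rather than from hiding the name.

```c
/* Added example: a predictable per-user rendezvous directory that is
 * created with mode 0700 and then verified through an fd, so the check
 * and the later use refer to the same inode (no stat-then-open race).
 * Names and return codes are hypothetical; this is not PVM code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum {
    RDV_OK          =  0,
    RDV_ERR_MKDIR   = -1,  /* mkdir failed for a reason other than EEXIST   */
    RDV_ERR_OPEN    = -2,  /* could not open/fstat the directory            */
    RDV_ERR_NOTDIR  = -3,  /* path is a symlink or not a directory          */
    RDV_ERR_OWNER   = -4,  /* directory is owned by another uid             */
    RDV_ERR_MODE    = -5   /* group/other have any permission bits          */
};

/* Create (or verify) the per-user rendezvous directory at `path`.
 * On RDV_OK, *dirfd_out (if non-NULL) receives an O_DIRECTORY fd that
 * callers use with openat()/bind() so later path substitutions cannot
 * redirect them. */
int secure_rendezvous_dir(const char *path, int *dirfd_out)
{
    /* mkdir is atomic: either we created a fresh 0700 directory or one
     * already existed, in which case every property is checked below. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return RDV_ERR_MKDIR;

    /* O_NOFOLLOW: a symlink planted at the predictable path (even one
     * pointing at our own directory) is refused instead of followed. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return (errno == ELOOP || errno == ENOTDIR) ? RDV_ERR_NOTDIR
                                                    : RDV_ERR_OPEN;

    struct stat st;
    if (fstat(fd, &st) != 0)            { close(fd); return RDV_ERR_OPEN;   }
    if (!S_ISDIR(st.st_mode))           { close(fd); return RDV_ERR_NOTDIR; }
    if (st.st_uid != getuid())          { close(fd); return RDV_ERR_OWNER;  }
    if (st.st_mode & (S_IRWXG | S_IRWXO)) { close(fd); return RDV_ERR_MODE; }

    if (dirfd_out) *dirfd_out = fd; else close(fd);
    return RDV_OK;
}

/* Open (creating if needed) a logfile inside the verified directory,
 * relative to its fd. Returns the fd, or -1 if the name resolves to a
 * symlink, a non-regular file, or a file owned by someone else. */
int open_log_in_dir(int dirfd, const char *name)
{
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Exercise the checks on a scratch base made with mkdtemp(). Returns the
 * number of expectations that failed (0 = every case behaved as the
 * comments say), or -1 if no scratch directory could be created. */
int run_demo(void)
{
    char base[] = "/tmp/rdvdemoXXXXXX";
    if (mkdtemp(base) == NULL) return -1;

    char good[PATH_MAX], link[PATH_MAX];
    snprintf(good, sizeof good, "%s/pvmd.%u", base, (unsigned)getuid());
    snprintf(link, sizeof link, "%s/pvmd.planted", base);

    int failures = 0, dirfd = -1;

    /* 1. fresh directory: created 0700, verified, fd handed back          */
    failures += (secure_rendezvous_dir(good, &dirfd) != RDV_OK || dirfd < 0);
    /* 2. second call on the existing directory: EEXIST is fine, still OK   */
    failures += (secure_rendezvous_dir(good, NULL) != RDV_OK);
    /* 3. logfile opened relative to the verified fd                        */
    int logfd = open_log_in_dir(dirfd, "pvml.log");
    failures += (logfd < 0);
    if (logfd >= 0) { unlinkat(dirfd, "pvml.log", 0); close(logfd); }
    /* 4. a symlink at the rendezvous path is refused, not followed         */
    failures += (symlink(good, link) != 0);
    failures += (secure_rendezvous_dir(link, NULL) != RDV_ERR_NOTDIR);
    /* 5. a directory others can read or write is refused                   */
    failures += (chmod(good, 0755) != 0);
    failures += (secure_rendezvous_dir(good, NULL) != RDV_ERR_MODE);

    if (dirfd >= 0) close(dirfd);
    unlink(link); rmdir(good); rmdir(base);
    return failures;
}

int main(void)
{
    int failures = run_demo();
    printf("rendezvous directory demo: %d failed checks\n", failures);
    return failures == 0 ? 0 : 1;
}
```

The ordering is the point: mkdir first (atomic create-or-exists), then open the result with O_NOFOLLOW|O_DIRECTORY and fstat that fd, so ownership and mode are judged on the inode actually in hand. A separate stat() followed by a later open() of the same path is the pattern that leaves the race Drake suspects in the upstream checking code; whether 3.4.3 in fact does that is something the page leaves to a /tmp-file expert to confirm.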

