* Running DOSEMU as user
From: Danilo Godec @ 2010-02-02 11:35 UTC
To: linux-msdos
Hi,
I administer an old system (dated back to 2002) running DOSEMU (1.0.0).
Multiple users connect to the machine with SSH / Telnet (over modem /
ISDN dial-in) and run DOS / Novell IPX based applications. The system
has worked so well that despite initial intentions to replace the system
with something more up-to-date, they're still using it and the number of
users increased. So much, that the old server is not coping anymore.
So now it's finally time to get new hardware and I intended to also use
a more up-to-date distribution and DOSEMU. I decided to use OpenSuSE
11.2, as I've grown most comfortable with OpenSuSE. It comes with DOSEMU
1.4.0.1.
I have the system up and running on a test machine (which is a humble
desktop machine, but still more powerful than the old server). I also
managed to get DOSEMU running with IPX (using 'direct' networking) and
those old Novell applications run too - but only if I run DOSEMU as
'root' (either directly or via 'sudo'). Now that is a bit of a problem,
because sometimes, people forget to logout or their connection is
interrupted - on the old system a login script would check whether
DOSEMU is already running for the user and it would terminate the
process. Of course, if I run all DOSEMU's as root, this is no longer
possible, so I'm trying to find a way to run DOSEMU as users, but with
all features.
I set the 'suid' bit to 'dosemu.bin':
# ll /usr/bin/dosemu.bin
-rwsr-xr-x 1 root root 1816368 Oct 24 10:19 /usr/bin/dosemu.bin
If I try to run DOSEMU as a user, I get this:
> dosemu
LOWRAM mmap: Invalid argument
Segmentation fault
Actually, this output is the same whether dosemu.bin has the suid bit
or not.
My 'dosemu.users':
> log_level= 1
> root c_all unrestricted
> all c_all unrestricted
I found several references to the 'LOWRAM mmap' error and changed my
'/proc/sys/vm/mmap_min_addr' to '0' - but it's still the same.
Running dosemu with 'strace', I get this (the last part of the output):
> mprotect(0xb6d40000, 7405568, PROT_READ|PROT_WRITE) = 0
> mprotect(0xb6d40000, 1114112, PROT_READ|PROT_WRITE) = 0
> mmap2(NULL, 1114112, PROT_READ|PROT_WRITE|PROT_EXEC,
> MAP_SHARED|MAP_FIXED, 5, 0) = -1 EACCES (Permission denied)
> mmap2(NULL, 1114112, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, 5, 0)
> = -1 EACCES (Permission denied)
> mprotect(0xffffffff, 1114112, PROT_READ|PROT_WRITE|PROT_EXEC) = -1
> EINVAL (Invalid argument)
> munmap(0, 655360) = 0
> dup(2) = 6
> fcntl64(6, F_GETFL) = 0x8002 (flags
> O_RDWR|O_LARGEFILE)
> fstat64(6, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb753e000
> _llseek(6, 0, 0xbf913b00, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> ---- removed some probably harmless 'locale' messages' ----
> write(6, "LOWRAM mmap: Invalid argument\n", 30LOWRAM mmap: Invalid
> argument
> ) = 30
> close(6) = 0
> munmap(0xb753e000, 4096) = 0
> stat64("/home/danci/.dosemu/disclaimer", {st_mode=S_IFREG|0644,
> st_size=402, ...}) = 0
> munmap(0x100000, 65536) = 0
> mmap2(0x100000, 65536, PROT_READ|PROT_WRITE|PROT_EXEC,
> MAP_SHARED|MAP_FIXED, 5, 0) = 0x100000
> mmap2(NULL, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0xb6c40000
> write(4, "CONF: reserving 1088Kb at 0x1000"..., 71) = 71
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++
So... What am I doing wrong? What do I need to do to be able to run
DOSEMU as non-root user?
Thanks, Danilo
PS: I sure hope this list is still 'alive'.
* Re: Running DOSEMU as user
From: aja_by_steely_dan @ 2010-02-02 12:09 UTC
To: linux-msdos
On Tue, 02 Feb 2010 12:35:52 +0100
Danilo Godec <danilo.godec@agenda.si> wrote:
Hi.
I upgraded my debian lenny 5.0.3 -> 5.0.4 yesterday, and I had a kind
of the same trouble.
I run a command
$ sudo sysctl vm.mmap_min_addr=0
in the gnome terminal, and dosemu works fine now.
Actually, I had the same trouble with ubuntu 9.04 and dosemu.
At that time, I found this workaround. And it worked.
https://bugs.launchpad.net/ubuntu/+source/dosemu/+bug/216398
This time, with lenny, this workaround also worked.
--
- aja_by_steely_dan -
VZ Editor / DOS / DOSBox http://aja.seesaa.net/
* Re: Running DOSEMU as user
From: Reinhard Karcher @ 2010-02-02 12:54 UTC
To: linux-msdos
On Tuesday, 02 February 2010 12:35:52, Danilo Godec wrote:
>
> I set the 'suid' bit to 'dosemu.bin':
>
> # ll /usr/bin/dosemu.bin
> -rwsr-xr-x 1 root root 1816368 Oct 24 10:19 /usr/bin/dosemu.bin
>
Did you start dosemu with the -s option? The suid bit alone doesn't give
enough rights any longer.
Reinhard
* Re: Running DOSEMU as user
From: Paul Crawford @ 2010-02-02 21:26 UTC
To: linux-msdos; +Cc: Reinhard Karcher
> Did you start dosemu with the -s option? The suid bit alone doesn't give
> enough rights any longer.
The question is do they need such rights? You should be able to run
dosemu as a user without getting the ability to go direct to hardware
(which -s allows) unless that is a real requirement for users.
For most things (serial ports and printing) you don't need this and
don't want to give it out.
We do in our application as we need direct hardware access, but that is
not given to all+sundry who can log in.
Regards,
Paul
--
Dr. Paul S. Crawford
c/o Satellite Station
University of Dundee
Small's Wynd, Dundee, DD1 4HN
Email: psc@sat.dundee.ac.uk
Tel: +44 (0)1382 38 4687
The University of Dundee is a Scottish Registered Charity, No. SC015096
* Re: Running DOSEMU as user
From: Reinhard Karcher @ 2010-02-02 22:25 UTC
To: linux-msdos
On Tuesday, 02 February 2010 22:26:25, Paul Crawford wrote:
>
> The question is do they need such rights? You should be able to run
> dosemu as a user without getting the ability to go direct to hardware
> (which -s allows) unless that is a real requirement for users.
>
The original poster had problems with newer (than 1.0) version of
dosemu, running suid. Older version of dosemu with suid bit set had all
rights without the -s option.
Perhaps his problems vanish, if he uses -s.
Reinhard
* Re: Running DOSEMU as user
From: Danilo Godec @ 2010-02-03 8:29 UTC
Cc: linux-msdos
On 02. 02. 2010 22:26, Paul Crawford wrote:
>> Did you start dosemu with the -s option? The suid bit alone doesn't
>> give enough rights any longer.
>
> The question is do they need such rights? You should be able to run
> dosemu as a user without getting the ability to go direct to hardware
> (which -s allows) unless that is a real requirement for users.
Every DOSEMU session has to connect to a Novell (IPX based) server. I
used 'direct networking' on the old version and it worked well, so I'd
like to keep using it.
And as far as I know IPX requires root privileges.
> For most things (serial ports and printing) you don't need this and
> don't want to give it out.
>
> We do in our application as we need direct hardware access, but that
> is not given to all+sundry who can log in.
When users login (via telnet over a SSH tunnel) DOS is automatically
started for them, they're automatically logged into Novell server and
their application start automatically.
Regards, Danilo
* Re: Running DOSEMU as user
From: Reinhard Karcher @ 2010-02-03 9:07 UTC
To: linux-msdos
On Wednesday, 03 February 2010 09:29:49, Danilo Godec wrote:
>
> Every DOSEMU session has to connect to a Novell (IPX based) server. I
> used 'direct networking' on the old version and it worked well, so
> I'd like to keep using it.
>
> And as far as I know IPX requires root privileges.
>
You could mount the Netware volumes in Linux and use lredir in dosemu.
Reinhard
* Re: Running DOSEMU as user
From: Danilo Godec @ 2010-02-03 12:02 UTC
To: linux-msdos
Just to recap - on OpenSuSE 11.2 (and reportedly earlier versions too)
one has to disable apparmor completely using 'apparmor=0' kernel boot
parameter. Otherwise the 'sysctl' setting is ignored.
Now DOSEMU runs as expected - users can run it with SUID bit and without
'-s' parameter.
If I use '-s', I see two 'dosemu' processes for each user. Without it,
there is only one process per user, which is what I like best.
Best regards, Danilo
* Re: Running DOSEMU as user
From: Ivan Baldo @ 2010-02-03 12:28 UTC
To: Danilo Godec; +Cc: linux-msdos
Hello.
On 03/02/10 06:29, Danilo Godec wrote:
> Every DOSEMU session has to connect to a Novell (IPX based) server. I
> used 'direct networking' on the old version and it worked well, so I'd
> like to keep using it.
>
> And as far as I know IPX requires root privileges.
>
>
Not really.
If you set up the IPX network with Linux then DOSEmu can run without
privileges, just run "ipx_configure --auto_interface=on
--auto_primary=on" and then the "ipxd" daemon; in DOSEmu set the option
"$_ipxsupport = (on)", then the normal ipx tools in DOS ("vlm" and a
very basic net.cfg).
> When users login (via telnet over a SSH tunnel) DOS is automatically
> started for them, they're automatically logged into Novell server and
> their application start automatically.
>
>
That's good if you trust your users, if you don't trust them, then
please don't run DOSEmu with root privileges, because a malicious user
could stop the bootup or exit in some way from the application and run
not only DOS commands, but Linux commands too, and as root!
Hope this helps!!!
Bye.
--
Ivan Baldo - ibaldo@adinet.com.uy - http://ibaldo.codigolibre.net/
From Montevideo, Uruguay, at the south of South America.
Freelance programmer and GNU/Linux system administrator, hire me!
Alternatives: ibaldo@codigolibre.net - http://go.to/ibaldo
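
The following is an added example, not part of any message in this thread or of DOSEMU itself: a shell audit of the three settings the thread changes to get DOSEMU running (vm.mmap_min_addr, the setuid bit on dosemu.bin, and AppArmor), so an administrator can see what was relaxed on a multi-user host. The function names and the `run` argument are assumptions of this example; the file paths are the standard kernel locations and the binary path quoted in the thread.

```shell
#!/bin/sh
# Added example: audit of the settings discussed in this thread.
# Every path is a parameter so the checks can be run against fixtures.

# vm.mmap_min_addr: 0 lets a process map page zero, which DOSEMU wants
# but which also removes the kernel's NULL-dereference mitigation.
check_mmap_min_addr() {
    f=${1:-/proc/sys/vm/mmap_min_addr}
    [ -r "$f" ] || { echo "mmap_min_addr: unreadable"; return 2; }
    v=$(cat "$f")
    if [ "$v" = "0" ]; then
        echo "mmap_min_addr: 0 (page-zero mappings allowed)"; return 1
    fi
    echo "mmap_min_addr: $v"
}

# Setuid bit on the emulator binary (path taken from the thread).
check_setuid() {
    bin=${1:-/usr/bin/dosemu.bin}
    [ -e "$bin" ] || { echo "setuid: $bin not found"; return 2; }
    if [ -u "$bin" ]; then
        uid=$(ls -ln "$bin" | awk '{print $3}')
        echo "setuid: $bin runs with the privileges of uid $uid"; return 1
    fi
    echo "setuid: $bin is not setuid"
}

# AppArmor: the module parameter file holds Y when it is enabled.
check_apparmor() {
    f=${1:-/sys/module/apparmor/parameters/enabled}
    if [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]; then
        echo "apparmor: enabled"; return 0
    fi
    echo "apparmor: disabled or not loaded"; return 1
}

# Run all three checks; exit status is non-zero if any finding exists.
audit() {
    findings=0
    check_mmap_min_addr "$1" || findings=$((findings + 1))
    check_setuid "$2" || findings=$((findings + 1))
    check_apparmor "$3" || findings=$((findings + 1))
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

if [ "${1:-}" = "run" ]; then audit "" "" ""; fi
```

Invoked with the argument `run`, the script checks the live system using the default paths.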