Call for testing: OpenSSH-5.9

Tim Rice tim at multitalents.net
Wed Aug 24 06:02:51 EST 2011 

On Tue, 23 Aug 2011, Kevin Brott wrote:

> On Sat, Aug 20, 2011 at 22:31, Tim Rice <tim at multitalents.net> wrote:
> 
> > On Fri, 19 Aug 2011, Kevin Brott wrote:
> >
> > > All other tested systems (RH 6.2, 8.0, RHEL 2.1->6.0, FC2, Ubuntu
> > > 8.04,10.10, AIX 5.2->7.1) are OK.
> >
> > Please send the output of 'grep "#define SANDBOX" config.h' from
> > each of your test machines.
> >
> >
> HP-UX 11.11 - 11.31 all the same:
> ---BEGIN---
>  #define SANDBOX_RLIMIT 1
> ---END---

Thanks for confirming my guess that HP was SANDBOX_RLIMIT.
I was also interested in your other tested machines. Especially the AIX.
I'm trying to figure out if any SANDBOX_RLIMIT platforms do work.

> > And please test the following patch.
> > ----------------
> > --- sandbox-rlimit.c.old        2011-06-23 06:58:32.529017003 -0700
> > +++ sandbox-rlimit.c    2011-08-20 19:09:35.780772002 -0700
> > @@ -61,13 +61,15 @@
> >  ssh_sandbox_child(struct ssh_sandbox *box)
> >  {
> >        struct rlimit rl_zero;
> > +       struct rlimit rl_one;
> >
> >        rl_zero.rlim_cur = rl_zero.rlim_max = 0;
> > +       rl_one.rlim_cur = rl_one.rlim_max = 1;
> >
> >        if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
> >                fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
> >                        __func__, strerror(errno));
> > -       if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
> > +       if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1)
> >                fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
> >                        __func__, strerror(errno));
> >  #ifdef HAVE_RLIMIT_NPROC
> > ----------------
> >
> 
> Manually applied patched lines - 'make tests' still fails in same place on
> all three systems.

Not what I expected. The patch works on Solaris and UnixWare.
I don't have access HP-UX so someone that does will have to figure this out.
Your post with the debog log shows
ssh_sandbox_child: setrlimit(RLIMIT_NOFILE, { 0, 0 }): Invalid argument [preauth]
Play around with sandbox-rlimit.c to see if you can figure out why
the setrlimit call is failing.
 
> Note: I  had to manually apply the patched lines - as this segment gets
> rejected applying against the 20110820 and 20110824 SNAPs.

Not suprising, somewhere along the way tabs got changed to spaces.


-- 
Tim Rice				Multitalents	(707) 456-1146
tim at multitalents.net					(707) 887-1469

More information about the openssh-unix-dev mailing list