Call for testing: OpenSSH-5.9
Darren Tucker
dtucker at zip.com.au
Mon Aug 29 16:19:46 EST 2011
On Mon, Aug 29, 2011 at 3:34 PM, Tim Rice <tim at multitalents.net> wrote:
[...]
> +#ifdef POLL_USES_FD
> + if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1)
> +#else
> if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
> +#endif
Problem is this destroys a lot of the value of the rlimit sandbox,
since a compromised slave can close all descriptors and open a single
new one with connect() and, eg, use it to probe serves on localhost or
beyond the machine in question.
One thing we could do to mitigate this is to have the monitoring
SIGKILL the slave if the socketpair closes. It's racy so there's a
window where a compromised slave could potentially make a connection.
Unless someone who knows Solaris internals can tell us how to make
poll work with NFILES=0, I don't see any better solution.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list