Call for testing: OpenSSH-5.9
Tim Rice
tim at multitalents.net
Tue Aug 30 01:15:44 EST 2011
On Mon, 29 Aug 2011, Darren Tucker wrote:
> On Mon, Aug 29, 2011 at 3:34 PM, Tim Rice <tim at multitalents.net> wrote:
> [...]
> > +#ifdef POLL_USES_FD
> > + if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1)
> > +#else
> > if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
> > +#endif
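Review bot: the POLL_USES_FD branch raises the hard limit from rl_zero to rl_one with no comment saying why poll() needs a descriptor slot on those platforms, and a limit of one is a deliberate weakening of the sandbox (the slave may close an inherited descriptor and obtain a single new one, as the reply points out). Add a comment above `#ifdef POLL_USES_FD` naming the affected platforms (Solaris, UnixWare) and stating the trade-off, so it is visible at the point of change; also make sure rl_one is defined next to rl_zero (its definition is not in this hunk).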
>
> Problem is this destroys a lot of the value of the rlimit sandbox,
> since a compromised slave can close all descriptors and open a single
> new one with connect() and, eg, use it to probe servers on localhost or
> beyond the machine in question.
True, but it's better than no sandbox. And right now we can't use
sandbox on Solaris or UnixWare.
HP-UX does not work either but it looks like that is a different issue.
> One thing we could do to mitigate this is to have the monitoring
> SIGKILL the slave if the socketpair closes. It's racy so there's a
> window where a compromised slave could potentially make a connection.
Hmm.
> Unless someone who knows Solaris internals can tell us how to make
> poll work with NFILES=0, I don't see any better solution.
I'll ask the engineers at UnXis if they have any ideas.
--
Tim Rice Multitalents (707) 456-1146
tim at multitalents.net (707) 887-1469
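The difference between rl_zero and rl_one discussed in this thread can be checked empirically. The following is an added example, not code from OpenSSH or from either poster: it forks a child, applies a chosen RLIMIT_NOFILE, optionally closes every inherited descriptor first, and reports whether socket() is still refused with EMFILE. The function names, the result codes and the AF_UNIX socket type are this example's own choices; the socket family does not matter for the limit check.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one probe, returned from the child through its exit status. */
enum {
    PROBE_EMFILE = 0,          /* socket() refused: the limit holds */
    PROBE_OPENED = 1,          /* socket() succeeded: a new fd was obtained */
    PROBE_OTHER_ERR = 2,       /* socket() failed for another reason */
    PROBE_SETRLIMIT_FAILED = 3 /* could not lower the limit at all */
};

/* Highest descriptor number we bother closing (constructed bound for the test). */
#define CLOSE_UPTO 1024

/* Runs inside the forked child: lower RLIMIT_NOFILE (soft and hard) to max_fds,
 * after optionally closing everything the child inherited, then try socket(). */
static int probe_in_child(rlim_t max_fds, int close_all_first)
{
    struct rlimit rl = { max_fds, max_fds };

    if (close_all_first) {
        /* Mirrors the scenario in the thread: a process that first drops all
         * of its descriptors so that low fd numbers become free again. */
        for (int fd = 0; fd < CLOSE_UPTO; fd++)
            close(fd);
    }
    if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
        return PROBE_SETRLIMIT_FAILED;

    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s >= 0)
        return PROBE_OPENED;
    return errno == EMFILE ? PROBE_EMFILE : PROBE_OTHER_ERR;
}

/* Forks so the lowered hard limit never affects the caller; returns a PROBE_*
 * code, or -1 if the child could not be run. */
int probe_nofile_limit(rlim_t max_fds, int close_all_first)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0)
        _exit(probe_in_child(max_fds, close_all_first));

    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = { "EMFILE", "OPENED", "OTHER_ERR", "SETRLIMIT_FAILED" };
    int r0 = probe_nofile_limit(0, 0); /* rl_zero: nothing can be opened */
    int r1 = probe_nofile_limit(1, 0); /* rl_one, fds 0-2 still open */
    int r2 = probe_nofile_limit(1, 1); /* rl_one after closing everything */
    printf("limit 0            : %s\n", r0 >= 0 ? names[r0] : "fork/wait failed");
    printf("limit 1, fds kept  : %s\n", r1 >= 0 ? names[r1] : "fork/wait failed");
    printf("limit 1, fds closed: %s\n", r2 >= 0 ? names[r2] : "fork/wait failed");
    return 0;
}
```

On Linux the first two probes report EMFILE and the third reports OPENED, which is exactly why the thread treats rl_one as a weaker sandbox than rl_zero: with a limit of zero no descriptor number is ever allocatable, whereas with a limit of one the process is only blocked for as long as fd 0 stays occupied. Running the same three probes on Solaris or UnixWare is a quick way to confirm what the rlimit sandbox actually guarantees there.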