Call for testing: OpenSSH-5.9

Tim Rice tim at
Tue Aug 30 01:15:44 EST 2011

On Mon, 29 Aug 2011, Darren Tucker wrote:

> On Mon, Aug 29, 2011 at 3:34 PM, Tim Rice <tim at> wrote:
> [...]
> > +#ifdef POLL_USES_FD
> > +       if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1)
> > +#else
> >        if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
> > +#endif
> Problem is this destroys a lot of the value of the rlimit sandbox,
> since a compromised slave can close all descriptors and open a single
> new one with connect() and, eg, use it to probe serves on localhost or
> beyond the machine in question.

True, but it's better than no sandbox. And right now we can't use
sandbox on Solaris or UnixWare. 
HP-UX does not work ethier but it looks like that is a different issue.

> One thing we could do to mitigate this is to have the monitoring
> SIGKILL the slave if the socketpair closes.  It's racy so there's a
> window where a compromised slave could potentially make a connection.

> Unless someone who knows Solaris internals can tell us how to make
> poll work with NFILES=0, I don't see any better solution.

I'll ask the engineers at UnXis if they have any ideas.

Tim Rice				Multitalents	(707) 456-1146
tim at					(707) 887-1469

More information about the openssh-unix-dev mailing list