rlimit sandbox on cygwin

Darren Tucker dtucker at zip.com.au
Tue Jul 3 01:23:48 EST 2012 

Hi all.

I have an old windows VM with an oldish cygwin that I use for the
regression tests.  Investigating one of the test failures, I see that
it's for UsePrivilegeSeparation=sandbox, and it seems to be because
setrlimit(RLIMIT_FSIZE, ...) is not supported.

IMO, this isn't a big loss, since the most useful thing in the rlimit
"sandbox" is the descriptor limits.  Can anyone see a reason not to just
omit RLIMIT_FSIZE on cygwin?  It's a no-op unless you've explicitly set
"UsePrivilegeSeparation sandbox" in sshd_config.

Index: configure.ac
===================================================================
RCS file: /var/cvs/openssh/configure.ac,v
retrieving revision 1.492
diff -u -p -r1.492 configure.ac
--- configure.ac	19 May 2012 05:24:37 -0000	1.492
+++ configure.ac	2 Jul 2012 15:17:56 -0000
@@ -511,6 +511,7 @@ case "$host" in
 		file descriptor passing])
 	AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
 	AC_DEFINE([FILESYSTEM_NO_BACKSLASH], [1], [File names may not contain backslash characters]) 
+	AC_DEFINE([SANDBOX_SKIP_RLIMIT_FSIZE], [1], [Do not try rlimit FSIZE])
 	;;
 *-*-dgux*)
 	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
Index: sandbox-rlimit.c
===================================================================
RCS file: /var/cvs/openssh/sandbox-rlimit.c,v
retrieving revision 1.2
diff -u -p -r1.2 sandbox-rlimit.c
--- sandbox-rlimit.c	23 Jun 2011 09:45:51 -0000	1.2
+++ sandbox-rlimit.c	2 Jul 2012 15:17:56 -0000
@@ -64,9 +64,11 @@ ssh_sandbox_child(struct ssh_sandbox *bo
 
 	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
 
+#ifndef SANDBOX_SKIP_RLIMIT_FSIZE
 	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
 		fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
 			__func__, strerror(errno));
+#endif
 	if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
 		fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
 			__func__, strerror(errno));

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list