Call for testing: OpenSSH-6.2

Darren Tucker dtucker at
Wed Mar 6 15:25:45 EST 2013

On Wed, Mar 6, 2013 at 2:57 PM, Darren Tucker <dtucker at> wrote:
> ssh_sandbox_child: setrlimit(RLIMIT_NOFILE, { 0, 0 }): Invalid
> argument [preauth]
> so, setrlimit is the problem, but only for
> UsePrivilegeSeparation=sandbox.  Not sure why though (or, for that
> matter, why the test in configure didn't catch it).

it's a different problem to what's in the configure test.  It looks
like HP-UX does not allow you to set RLIMIT_NOFILE below the number of
descriptors you currently have open.

with this little test program:

#include <sys/types.h>
#include <sys/resource.h>
#include <errno.h>
#include <stdlib.h>

int main(void)
        int i, r;
        struct rlimit rl;

        for (i = 5; i >= 0; i--) {
                rl.rlim_cur = rl.rlim_max = i;
                r = setrlimit(RLIMIT_NOFILE, &rl);
                printf("%d %s %s\n", i, r == 0 ? "ok" : "fail",
                    r == 0 ? "" : strerror(errno));

I get it start to fail at 2, and if I add a "close(2)" at the top it
then fails at 1.  This makes it effectively useless for the sandbox,
since there's nothing to stop a compromised slave recycling
descriptors.  I'll look at adding a test for that and set SANDBOX_NULL
in that case.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list