Call for testing: OpenSSH-6.2
Darren Tucker
dtucker at zip.com.au
Wed Mar 6 17:06:02 EST 2013
On Wed, Mar 06, 2013 at 03:25:45PM +1100, Darren Tucker wrote:
> it's a different problem to what's in the configure test. It looks
> like HP-UX does not allow you to set RLIMIT_NOFILE below the number of
> descriptors you currently have open.
[...]
> descriptors. I'll look at adding a test for that and set SANDBOX_NULL
> in that case.
This seems to work for me. Note: you'll need to run "autoreconf" to
rebuild configure.
Index: configure.ac
===================================================================
RCS file: /openssh_cvs/openssh/configure.ac,v
retrieving revision 1.511
diff -u -r1.511 configure.ac
--- configure.ac 5 Mar 2013 08:57:39 -0000 1.511
+++ configure.ac 6 Mar 2013 06:03:43 -0000
@@ -2690,6 +2690,32 @@
[AC_MSG_WARN([cross compiling: assuming yes])]
)
+AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works])
+AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#include <sys/resource.h>
+#include <errno.h>
+#include <stdlib.h>
+ ]],[[
+ struct rlimit rl_zero;
+ int fd, r;
+ fd_set fds;
+
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+ r = setrlimit(RLIMIT_NOFILE, &rl_zero);
+ exit (r == -1 ? 1 : 0);
+ ]])],
+ [AC_MSG_RESULT([yes])
+ rlimit_nofile_zero_works=yes],
+ [AC_MSG_RESULT([no])
+ rlimit_nofile_zero_works=no],
+ [AC_MSG_WARN([cross compiling: assuming yes])]
+)
+
AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
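Review bot: the cross-compiling branch of the new AC_RUN_IFELSE only emits the "assuming yes" warning and never assigns rlimit_nofile_zero_works, so on a cross build the variable stays empty and the later test "x$rlimit_nofile_zero_works" = "xyes" fails, which contradicts the message. Set rlimit_nofile_zero_works=yes in that branch alongside the AC_MSG_WARN. In the test body, "int fd" and "fd_set fds" are declared but never used; removing them keeps the probe limited to the setrlimit call and avoids depending on whichever of the listed headers happens to define fd_set.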
@@ -2744,7 +2770,8 @@
AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xrlimit" || \
( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
- test "x$select_works_with_rlimit" = "xyes" ) ; then
+ test "x$select_works_with_rlimit" = "xyes" && \
+ test "x$rlimit_nofile_zero_works" = "xyes" ) ; then
test "x$ac_cv_func_setrlimit" != "xyes" && \
AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
test "x$select_works_with_rlimit" != "xyes" && \
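Review bot: the new rlimit_nofile_zero_works condition is added only inside the parenthesised auto-detection branch, so when sandbox_arg is explicitly "rlimit" the elif is still taken on a platform where the probe failed. The lines that follow already guard that case for ac_cv_func_setrlimit and select_works_with_rlimit with AC_MSG_ERROR; add a matching check, for example: test "x$rlimit_nofile_zero_works" != "xyes" && AC_MSG_ERROR([rlimit sandbox requires setrlimit(RLIMIT_NOFILE,{0,0}) to work]), so an explicit request fails at configure time rather than producing a sandbox that cannot lower the descriptor limit at run time.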
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.