summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ChangeLog4
-rw-r--r--configure.ac23
-rw-r--r--sandbox-rlimit.c2
3 files changed, 27 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index bd174a476..2c998748e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,10 @@
120120703 120120703
2 - (dtucker) [configure.ac] Detect platforms that can't use select(2) with 2 - (dtucker) [configure.ac] Detect platforms that can't use select(2) with
3 setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those. 3 setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
4 - (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not
5 setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its
6 benefit is minor, so it's not worth disabling the sandbox if it doesn't
7 work.
4 8
520120702 920120702
6- (dtucker) OpenBSD CVS Sync 10- (dtucker) OpenBSD CVS Sync
diff --git a/configure.ac b/configure.ac
index 97cf7b17c..f7033bc0b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.493 2012/07/03 04:31:18 dtucker Exp $ 1# $Id: configure.ac,v 1.494 2012/07/03 12:48:31 dtucker Exp $
2# 2#
3# Copyright (c) 1999-2004 Damien Miller 3# Copyright (c) 1999-2004 Damien Miller
4# 4#
@@ -15,7 +15,7 @@
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 16
17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) 17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
18AC_REVISION($Revision: 1.493 $) 18AC_REVISION($Revision: 1.494 $)
19AC_CONFIG_SRCDIR([ssh.c]) 19AC_CONFIG_SRCDIR([ssh.c])
20AC_LANG([C]) 20AC_LANG([C])
21 21
@@ -2615,6 +2615,25 @@ AC_RUN_IFELSE(
2615 [AC_MSG_WARN([cross compiling: assuming yes])] 2615 [AC_MSG_WARN([cross compiling: assuming yes])]
2616) 2616)
2617 2617
2618AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
2619AC_RUN_IFELSE(
2620 [AC_LANG_PROGRAM([[
2621#include <sys/types.h>
2622#include <sys/resource.h>
2623#include <stdlib.h>
2624 ]],[[
2625 struct rlimit rl_zero;
2626
2627 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
2628 exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
2629 ]])],
2630 [AC_MSG_RESULT([yes])],
2631 [AC_MSG_RESULT([no])
2632 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
2633 [setrlimit RLIMIT_FSIZE works])],
2634 [AC_MSG_WARN([cross compiling: assuming yes])]
2635)
2636
2618if test "x$sandbox_arg" = "xsystrace" || \ 2637if test "x$sandbox_arg" = "xsystrace" || \
2619 ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then 2638 ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
2620 test "x$have_systr_policy_kill" != "x1" && \ 2639 test "x$have_systr_policy_kill" != "x1" && \
diff --git a/sandbox-rlimit.c b/sandbox-rlimit.c
index 761e9284f..a00386337 100644
--- a/sandbox-rlimit.c
+++ b/sandbox-rlimit.c
@@ -64,9 +64,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)
64 64
65 rl_zero.rlim_cur = rl_zero.rlim_max = 0; 65 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
66 66
67#ifndef SANDBOX_SKIP_RLIMIT_FSIZE
67 if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) 68 if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
68 fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", 69 fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
69 __func__, strerror(errno)); 70 __func__, strerror(errno));
71#endif
70 if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) 72 if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
71 fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", 73 fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
72 __func__, strerror(errno)); 74 __func__, strerror(errno));
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-07 16:05:56 +0000