[ssh_x509] poll and OS limits summary

ssh_x509 at roumenpetrov.info
Tue Mar 8 09:25:31 EET 2022


Hello,

I'm so sorry for top posting.

Yesterday a new defect, #3398, was opened in the OpenBSD bug tracking system. It is related, more or less as expected, to the OPEN_MAX limit in the rlimit sandbox.
PKIX-SSH 13.3+ is not impacted; see below for details.


Lesson learned: there exist OSes that implement select on top of poll. On those systems the "if select works with descriptor rlimit" test fails. What is new, as is visible from the issue above, is that there exist OSes where the test passes but, because the OS has POSIX-compliant poll/ppoll, rlimit privilege separation later fails.

Remark: unlike OpenBSD, PKIX-SSH allows you to control the test using a cache variable (see below). You could also disable privilege separation (not recommended in production).

Please let me know if you encounter issues on distributions. I have limited access to FreeBSD and Solaris.
Linux is more or less covered. The sandbox based on selinux is known to work: https://build.opensuse.org/package/show/home:petrov_r/pkixssh. Failures are due to: failure to start the armv7l build system (VM), failure to load DSA X.509 certificates in SLE 11 SP4, and I guess broken OCSP in OpenSSL 3.0 is the reason for the failure in "Fedora Rawhide".

Regards,
Roumen Petrov


ssh_x509 at roumenpetrov.info wrote:
> Hello,
>
> The next patch is almost ready. It will include the following related to poll:
> - one optimization (use a "packed" array of poll file descriptors in server_accept_loop()) and
> - one enhancement (allow the 64-bit-time compatible ppoll system call in secure computing mode) for new kernels on 32-bit systems.
>
> Remarks according to the Open Group specification:
> - the number of file descriptors in the poll argument cannot exceed the OPEN_MAX file limit;
> - unexpected behavior if RLIMIT_NOFILE is set to less than the highest currently open file descriptor + 1.
>
> Unfortunately some inherited sandbox implementations set the maximum-number-of-open-files limit to zero.
> The switch to poll requires the NOFILE limit to be increased.
>
>
> Let me summarize the current status in PKIX-SSH.
>
> The sandbox implementations capsicum, darwin, rlimit, and seccomp_filter set OS limits. PKIX-SSH release 13.3 unifies management of limits.
>
> Let's review the used limits one by one.
>
> - RLIMIT_FSIZE
> The configure script checks "if setrlimit RLIMIT_FSIZE works". The test requires program execution and so does not work in the cross-compilation case. In PKIX-SSH the script is changed to use a cache variable, ssh_cv_rlimit_fsize_work. The variable could be used to disable limits.
> Set to zero if enabled.
>
>
> - RLIMIT_NPROC
> The configure script performs the standard check whether the symbol is declared. So the variable name is ac_cv_have_decl_RLIMIT_NPROC.
> Set to zero if enabled.
>
>
> - RLIMIT_NOFILE
>
> The configuration test "if select works with descriptor rlimit" is related to the issue, as the test sets the limit to zero. As a result, on POSIX-compatible OSes where select is based on poll the test fails.
> To avoid the limitation of this broken test, PKIX-SSH now uses a cache variable.
> If needed you could set ssh_cv_select_rlimit_nofile_zero to yes.
> Note that if the test passes you could enable the rlimit sandbox. This looks useful on UNIXes where no suitable sandbox exists and one could now be activated.
> Remark: the switch to poll obsoletes the test, and the test will be removed in the future.
>
> The configuration test "if setrlimit(RLIMIT_NOFILE,{0,0}) works" is another one that may prevent use of the rlimit sandbox. The test looks harmless and is expected to pass. Now it is useless; see below.
> In PKIX-SSH it is controlled by the cache variable ssh_cv_setrlimit_nofile_zero.
>
> Definition SANDBOX_SKIP_RLIMIT_NOFILE.
> Now the PKIX-SSH configuration script stops defining it for FreeBSD. This is because in all sandboxes the code sets the limit to one and the root reason is not applicable.
>
> Another FreeBSD-related point here is the capsicum sandbox. On the ancient FreeBSD releases 9/10 ppoll is not enabled in capsicum. So capsicum is excluded for those releases. If needed, rlimit could be activated.
>
> To ensure POSIX conformance the limit is set to one in all sandboxes. This makes the configure tests for zero limits useless. Perhaps the test will be changed to test for {1,1}.
>
> Regards,
> Roumen Petrov
>
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
>
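As an added illustration of the poll/RLIMIT_NOFILE interaction described in the thread (example code, not PKIX-SSH or OpenSSH code): a one-descriptor poll() is attempted first with the soft RLIMIT_NOFILE lowered to zero, as older sandboxes did, and then with the limit of one that the message says all sandboxes now set. The behaviour shown is Linux's, where poll() fails with EINVAL when nfds exceeds the soft limit; the helper names are my own.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not PKIX-SSH or OpenSSH code: a soft RLIMIT_NOFILE of
 * zero (old sandboxes) breaks even a one-fd poll(), a limit of one (what
 * sandboxes now set) does not. Linux: poll() gives EINVAL if nfds > limit. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Lower only the soft limit so it can be restored afterwards
 * (a real sandbox also drops the hard limit, irreversibly). */
static int set_soft_nofile(rlim_t cur, struct rlimit *saved)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, saved) != 0) return -errno;
    rl.rlim_cur = cur;
    rl.rlim_max = saved->rlim_max;
    return setrlimit(RLIMIT_NOFILE, &rl) == 0 ? 0 : -errno;
}

/* Poll a pipe holding one pending byte with the soft RLIMIT_NOFILE set
 * to 'limit'. Returns poll()'s result (1 = readable) or -errno on
 * failure; the original limit is restored before returning. */
int poll_under_nofile_limit(rlim_t limit)
{
    int p[2], rc;
    struct rlimit saved;
    struct pollfd pfd = { 0 };

    if (pipe(p) != 0) return -errno;
    if (write(p[1], "x", 1) != 1) { rc = -EIO; goto out; }
    if ((rc = set_soft_nofile(limit, &saved)) != 0) goto out;
    pfd.fd = p[0];
    pfd.events = POLLIN;
    rc = poll(&pfd, 1, 0);          /* nfds == 1; must be <= the limit */
    if (rc < 0) rc = -errno;
    (void)setrlimit(RLIMIT_NOFILE, &saved);
out:
    close(p[0]);
    close(p[1]);
    return rc;
}

int main(void)
{
    printf("limit 0 -> %d (-EINVAL is %d)\n", poll_under_nofile_limit(0), -EINVAL);
    printf("limit 1 -> %d (1 means readable)\n", poll_under_nofile_limit(1));
    return 0;
}
```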
