From owner-freebsd-stable@FreeBSD.ORG Tue Mar 4 02:01:41 2014 Return-Path: Delivered-To: stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5232255C; Tue, 4 Mar 2014 02:01:41 +0000 (UTC) Received: from mail-pb0-x22f.google.com (mail-pb0-x22f.google.com [IPv6:2607:f8b0:400e:c01::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 18D29E89; Tue, 4 Mar 2014 02:01:40 +0000 (UTC) Received: by mail-pb0-f47.google.com with SMTP id up15so4538887pbc.34 for ; Mon, 03 Mar 2014 18:01:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=B5er7EoWsisZgfJU2PyLlf9VWv8A27Jr2r07Sr5HD/o=; b=OsBufZxBUNSOc0xxz1yjAqPPWgy+v9i2q5ceyR9cuzeH+uAJ1BBFOxDp8dPZoCrLOg pKtlponXadAPh/pznT8z7mWhzj5AkC6eiys3boPMuCRfY4Z7IlyVkAToh1maxUynifxR SN2l2hchRxw/pjPHM8f9cU/Lp9UsxK+BjeWHUPPYdr09HsO6uAKu4r8FDQMai6BU3Bf5 FrFIRYRQ7DFrQBwDismcUpUbVDgcka9TjVAxJylCHxfvyLBSrbmZo/qGeE6PuukUnAtc gy5XPtlkMghXPacCI6klYiNzhl8UlmtX/52X0kxhOMobKr0aOlTGU/HZtIxTj6bmrq77 Jd+A== MIME-Version: 1.0 X-Received: by 10.68.233.200 with SMTP id ty8mr22942937pbc.1.1393898499779; Mon, 03 Mar 2014 18:01:39 -0800 (PST) Sender: kob6558@gmail.com Received: by 10.66.0.164 with HTTP; Mon, 3 Mar 2014 18:01:39 -0800 (PST) In-Reply-To: <53150EFF.5090007@delphij.net> References: <531184A8.4050909@freebsd.org> <53118E9C.5030804@freebsd.org> <5314D1F9.20909@intertainservices.com> <53150EFF.5090007@delphij.net> Date: Mon, 3 Mar 2014 18:01:39 -0800 X-Google-Sender-Auth: IZ2DPG5lS1Kk90z1AxUAuFL4BbQ Message-ID: Subject: Re: openssh in stable-10 broken config or sandbox From: Kevin Oberman To: Xin LI Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.17 Cc: Greg Rivers , Mike Jakubik , Andrey Chernov , FreeBSD Stable ML , =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Mar 2014 02:01:41 -0000 Thanks, Delphij! Better than what I asked for. This also induced me to fix my configuration to include GENERIC with five lines to modify it. I missed that capsicum had been made default. On Mon, Mar 3, 2014 at 3:23 PM, Xin Li wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 03/03/14 13:29, Kevin Oberman wrote: > > On Mon, Mar 3, 2014 at 12:38 PM, Greg Rivers > > >> wrote: > > > >> On Mon, 3 Mar 2014, Kevin Oberman wrote: > >> > >> On Mon, Mar 3, 2014 at 11:03 AM, Mike Jakubik < > >>> mike.jakubik@intertainservices.com> wrote: > >>> > >>> On 03/01/14 02:39, Andrey Chernov wrote: > >>>> > >>>> On 01.03.2014 10:56, Andrey Chernov wrote: > >>>>> > >>>>> Hi. > >>>>>> Default /etc/ssh/sshd_config have #UsePrivilegeSeparation > >>>>>> sandbox I.e. 'sandbox' by default. It breaks logins with > >>>>>> error: sshd[81721]: fatal: ssh_sandbox_child: failed to > >>>>>> limit the network socket [preauth] Fixed by using old > >>>>>> way, i.e. direct UsePrivilegeSeparation yes instead of > >>>>>> 'sandbox'. Please fix this bug. > >>>>>> > >>>>>> Just find that capsicum is required now for default (i.e. > >>>>>> sandbox) > >>>>> mode. Don't think it is wise move, people may lost remote > >>>>> connections that way, at least UPDATING entry is needed, > >>>>> but check for WITHOUT_CAPSICUM for defaults will be > >>>>> better. > >>>>> > >>>>> > >>>>> Personally I find this to be a monumental screw up, such a > >>>>> drastic > >>>> change and not even so much as an entry in UPDATING, what > >>>> ever happened to POLA? > >>>> > >>>> > >>> +1 > >>> > >>> I didn't get bitten by this by the good fortune of seeing the > >>> first message on this issue just minutes after I updated my > >>> system. Saw the change in mergemaster, so immediately edited > >>> the installed file back to "yes". But, if this had been a > >>> remote server, I would have been in deep weeds. This is simply > >>> not acceptable practice! > >>> > >>> > >> Not to disagree, but I think we should tone down the flogging of > >> a person who's working hard to make FreeBSD better. I'm sure > >> this wasn't intentional, and the change probably passed all of > >> his tests. If this were -RELEASE, I might feel differently, but > >> it is -STABLE after all. I do certainly agree that an UPDATING > >> entry would have been warranted. > >> > >> -- Greg > >> > > > > It was clearly intentional as it was specifically mentioned in the > > commit message. > > > > Oversights happen and I don't have a problem with that. If DES just > > didn't think about the fact that it would break sshd if capsicum > > was not available, that happens. I've made bigger mistakes, > > probably this week. The problem is that the change was not rolled > > back and no entry was made to UPDATING. > > > > It's been over 4 days and, even if DES is tied up and has not seen > > the issue, someone should have added t note to UPDATING so people > > have some warning that sshd will break in most cases if they just > > accept the change to sshd.conf. (Yes, it is not obvious who should > > have done this, but lots of folks have access to update UPDATING.) > > Lots of folks use STABLE in production. It's not HEAD and every > > effort is supposed to be made to not break things, or at least warn > > people if something will break running systems. > > I have just merged r261499 (pjd) as r262718 which should have fixed > this issue. r261499 tests if the capability calls returned ENOSYS and > silently ignores them. > > Note that it's generally a good idea from security prospective that > one enable the new security mechanisms in their kernel, but yes, we > would keep our promise on POLA on stable branches. Sorry for the > breakage. > > Cheers, > - -- > Xin LI https://www.delphij.net/ > FreeBSD - The Power to Serve! Live free or die > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.22 (FreeBSD) > > iQIcBAEBCgAGBQJTFQ7/AAoJEJW2GBstM+nsQYYP/i7teuMdm+G79dnaYFzlh3KN > Ao7wiC4CUhrDUTyeMvreS+mo3lXSD/dH83eTpWUKDIEq3kHpqJ69Oi9qh01+9fSy > t0lFHqKS3AqamRWoJpjygogaRAu9KpWsqQgttc7iZa+pbOeHYSiM2rmcoJauT8PX > zoCi2zX3DZj2Jcm+hznvDVUFf+POpP1dBxp4u6MT8N3079nfcu5uSOPROqXodxW2 > +Y71o7EQvWobsnUIhu4zK/16gWVuqmpIeGVv80uvOv935LaW1aCB30J0vZmmbbni > Q59z47y/SzhtU2lOPmykj5LFpr3rlW572Wg7ibGzqksxXrqBomGmfMH78HEKKJb8 > 6o9kbRFH04m8TeumQ4KE7VTTc8oYa55+o5dRPCrjgkLQusfYLiZh23UZ1RmDPmZD > DYhFv4nWNRkDet2o4ow5PdsSUYs/ezwfURpHTgDoUhkklr9/74F6uVYshD68Ojgs > 6fALpH6T9fKES7teqalycSSNY407aGCOYQRAb+0kHVEafXKO2w4CqZ4cJ5bB8KSH > tZA371LHS0n82aeBvNDzqyQBxVCJ7vZJY7jfxSRuIh1ePou7I+FduIM9i0NkhD0y > 6NCNmsRgn9mt3rDCKmIdvhUc0qZH81a23q6YXkK7U+cQ26p+kksSOxM0sk/fwVBo > /jj2qDuCdm9+Suj1u8Y+ > =L20p > -----END PGP SIGNATURE----- > -- R. Kevin Oberman, Network Engineer, Retired E-mail: rkoberman@gmail.com