Date: Wed, 29 May 2013 09:09:53 +0200
From: Pawel Jakub Dawidek
To: Dag-Erling Smørgrav
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r251088 - head/crypto/openssh

On Wed, May 29, 2013 at 12:19:59AM +0000, Dag-Erling Smørgrav wrote:
> Author: des
> Date: Wed May 29 00:19:58 2013
> New Revision: 251088
> URL: http://svnweb.freebsd.org/changeset/base/251088
>
> Log:
>   Revert a local change that sets the default for UsePrivilegeSeparation to
>   "sandbox" instead of "yes". In sandbox mode, the privsep child is unable
>   to load additional libraries and will therefore crash when trying to take
>   advantage of crypto offloading on CPUs that support it.

Which library is needed for AES-NI? I don't see any engine in /usr/lib/
that implements AES-NI support. Could you be more specific?

Also what is the exact difference between "sandbox" and "yes" settings?

The reason I ask is because I plan to experiment with OpenSSH sandboxing
to use Capsicum and Casper.

> Modified: > head/crypto/openssh/servconf.c >=20 > Modified: head/crypto/openssh/servconf.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/crypto/openssh/servconf.c Wed May 29 00:18:12 2013 (r251087) > +++ head/crypto/openssh/servconf.c Wed May 29 00:19:58 2013 (r251088) > @@ -298,7 +298,7 @@ fill_default_server_options(ServerOption > options->version_addendum =3D xstrdup(SSH_VERSION_FREEBSD); > /* Turn privilege separation on by default */ > if (use_privsep =3D=3D -1) > - use_privsep =3D PRIVSEP_ON; > + use_privsep =3D PRIVSEP_NOSANDBOX; > =20 > #ifndef HAVE_MMAP > if (use_privsep && options->compression =3D=3D 1) {

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
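
Review bot: the comment above the changed assignment in fill_default_server_options() still reads only "Turn privilege separation on by default" and does not say that the default is now deliberately PRIVSEP_NOSANDBOX, or why. Suggest extending that comment with the reason given in the log (in sandbox mode the privsep child cannot load additional libraries), so the non-sandboxed default is not mistaken for an oversight and can be revisited once that is resolved. The log speaks of "sandbox" and "yes" while the hunk shows PRIVSEP_ON and PRIVSEP_NOSANDBOX; naming the corresponding UsePrivilegeSeparation value next to the constant would make the mapping explicit for readers of servconf.c.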