Date: Wed, 29 May 2013 09:09:53 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Dag-Erling Smørgrav <des@FreeBSD.org>
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r251088 - head/crypto/openssh
Message-ID: <20130529070952.GA1400@garage.freebsd.pl>
In-Reply-To: <201305290019.r4T0JxLE011755@svn.freebsd.org>
References: <201305290019.r4T0JxLE011755@svn.freebsd.org>

On Wed, May 29, 2013 at 12:19:59AM +0000, Dag-Erling Smørgrav wrote:
> Author: des
> Date: Wed May 29 00:19:58 2013
> New Revision: 251088
> URL: http://svnweb.freebsd.org/changeset/base/251088
>
> Log:
> Revert a local change that sets the default for UsePrivilegeSeparation to
> "sandbox" instead of "yes". In sandbox mode, the privsep child is unable
> to load additional libraries and will therefore crash when trying to take
> advantage of crypto offloading on CPUs that support it.

Which library is needed for AES-NI? I don't see any engine in /usr/lib/
that implements AES-NI support. Could you be more specific?

Also what is the exact difference between "sandbox" and "yes" settings?

The reason I ask is because I plan to experiment with OpenSSH sandboxing
to use Capsicum and Casper.

> Modified:
> head/crypto/openssh/servconf.c
>
> Modified: head/crypto/openssh/servconf.c
> ==============================================================================
> --- head/crypto/openssh/servconf.c Wed May 29 00:18:12 2013 (r251087)
> +++ head/crypto/openssh/servconf.c Wed May 29 00:19:58 2013 (r251088)
> @@ -298,7 +298,7 @@ fill_default_server_options(ServerOption
> options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
> /* Turn privilege separation on by default */
> if (use_privsep == -1)
> - use_privsep = PRIVSEP_ON;
> + use_privsep = PRIVSEP_NOSANDBOX;
>
> #ifndef HAVE_MMAP
> if (use_privsep && options->compression == 1) {

-- 
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://mobter.com
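
Review bot: the comment kept above the changed assignment in fill_default_server_options(), "Turn privilege separation on by default", does not record that the default is now deliberately the non-sandboxed mode (PRIVSEP_NOSANDBOX), or why. The only rationale is in the log message, which names neither the library the privsep child fails to load nor the code path that loads it. Suggest extending the comment to state the reason and the condition under which the default can return to PRIVSEP_ON, so the weaker default is not mistaken for an oversight later.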
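
The failure mode named in the quoted commit log, reduced to a minimal model (an added example, not part of the original message and not code from OpenSSH or FreeBSD). It assumes a sandbox that works by setting RLIMIT_NOFILE to zero in the child, so anything that needs a new file descriptor after that point, such as loading a library from disk, fails; the function names and the use of /dev/null as a stand-in for a shared object are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: apply the assumed sandbox (no new descriptors). */
static int enter_fd_sandbox(void)
{
    struct rlimit zero = { 0, 0 };
    return setrlimit(RLIMIT_NOFILE, &zero);
}

/*
 * Fork a child, optionally sandbox it, then open a file the way a late
 * library load would have to. Returns 0 if the open worked, the child's
 * errno if it failed, or -1 on a setup error.
 */
int late_open_result(int sandboxed, const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (sandboxed && enter_fd_sandbox() != 0)
            _exit(255);
        int fd = open(path, O_RDONLY);
        _exit(fd >= 0 ? 0 : errno);   /* small errno values fit in an exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    const char *path = "/dev/null";   /* stands in for a shared object on disk */
    printf("no sandbox: %d\n", late_open_result(0, path));
    printf("sandboxed:  %d (EMFILE is %d)\n", late_open_result(1, path), EMFILE);
    return 0;
}
```

Code that needs a file opened inside such a sandbox has to open it before the sandbox is entered, or have the privileged parent open it on the child's behalf.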
