Date: Mon, 3 Mar 2014 12:14:02 -0800 From: Kevin Oberman <rkoberman@gmail.com> To: Mike Jakubik <mike.jakubik@intertainservices.com> Cc: FreeBSD Stable ML <stable@freebsd.org>, Andrey Chernov <ache@freebsd.org>, des@freebsd.org Subject: Re: openssh in stable-10 broken config or sandbox Message-ID: <CAN6yY1tvr7F739%2BRxiVu8MjHo399=4VPHF9zw8WWKq16bMKVcA@mail.gmail.com> In-Reply-To: <5314D1F9.20909@intertainservices.com> References: <531184A8.4050909@freebsd.org> <53118E9C.5030804@freebsd.org> <5314D1F9.20909@intertainservices.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Mar 3, 2014 at 11:03 AM, Mike Jakubik < mike.jakubik@intertainservices.com> wrote: > On 03/01/14 02:39, Andrey Chernov wrote: > >> On 01.03.2014 10:56, Andrey Chernov wrote: >> >>> Hi. >>> Default /etc/ssh/sshd_config have >>> #UsePrivilegeSeparation sandbox >>> I.e. 'sandbox' by default. It breaks logins with error: >>> sshd[81721]: fatal: ssh_sandbox_child: failed to limit the network >>> socket [preauth] >>> Fixed by using old way, i.e. direct >>> UsePrivilegeSeparation yes >>> instead of 'sandbox'. Please fix this bug. >>> >> Just find that capsicum is required now for default (i.e. sandbox) mode. >> Don't think it is wise move, people may lost remote connections that >> way, at least UPDATING entry is needed, but check for WITHOUT_CAPSICUM >> for defaults will be better. >> >> > Personally I find this to be a monumental screw up, such a drastic change > and not even so much as an entry in UPDATING, what ever happened to POLA? > +1 I didn't get bitten by this by the good fortune of seeing the first message on this issue just minutes after I updated my system. Saw the change in mergemaster, so immediately edited the installed file back to "yes". But, if this had been a remote server, I would have been in deep weeds. This is simply not acceptable practice! -- R. Kevin Oberman, Network Engineer, Retired E-mail: rkoberman@gmail.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN6yY1tvr7F739%2BRxiVu8MjHo399=4VPHF9zw8WWKq16bMKVcA>