Date: Mon, 3 Mar 2014 14:38:39 -0600 (CST) From: Greg Rivers <gcr+freebsd-stable@tharned.org> To: Kevin Oberman <rkoberman@gmail.com> Cc: Mike Jakubik <mike.jakubik@intertainservices.com>, Andrey Chernov <ache@freebsd.org>, FreeBSD Stable ML <stable@freebsd.org>, des@freebsd.org Subject: Re: openssh in stable-10 broken config or sandbox Message-ID: <alpine.BSF.2.00.1403031430380.20838@badger.tharned.org> In-Reply-To: <CAN6yY1tvr7F739%2BRxiVu8MjHo399=4VPHF9zw8WWKq16bMKVcA@mail.gmail.com> References: <531184A8.4050909@freebsd.org> <53118E9C.5030804@freebsd.org> <5314D1F9.20909@intertainservices.com> <CAN6yY1tvr7F739%2BRxiVu8MjHo399=4VPHF9zw8WWKq16bMKVcA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 3 Mar 2014, Kevin Oberman wrote: > On Mon, Mar 3, 2014 at 11:03 AM, Mike Jakubik < > mike.jakubik@intertainservices.com> wrote: > >> On 03/01/14 02:39, Andrey Chernov wrote: >> >>> On 01.03.2014 10:56, Andrey Chernov wrote: >>> >>>> Hi. >>>> Default /etc/ssh/sshd_config have >>>> #UsePrivilegeSeparation sandbox >>>> I.e. 'sandbox' by default. It breaks logins with error: >>>> sshd[81721]: fatal: ssh_sandbox_child: failed to limit the network >>>> socket [preauth] >>>> Fixed by using old way, i.e. direct >>>> UsePrivilegeSeparation yes >>>> instead of 'sandbox'. Please fix this bug. >>>> >>> Just find that capsicum is required now for default (i.e. sandbox) mode. >>> Don't think it is wise move, people may lost remote connections that >>> way, at least UPDATING entry is needed, but check for WITHOUT_CAPSICUM >>> for defaults will be better. >>> >>> >> Personally I find this to be a monumental screw up, such a drastic change >> and not even so much as an entry in UPDATING, what ever happened to POLA? >> > > +1 > > I didn't get bitten by this by the good fortune of seeing the first message > on this issue just minutes after I updated my system. Saw the change in > mergemaster, so immediately edited the installed file back to "yes". But, > if this had been a remote server, I would have been in deep weeds. This is > simply not acceptable practice! > Not to disagree, but I think we should tone down the flogging of a person who's working hard to make FreeBSD better. I'm sure this wasn't intentional, and the change probably passed all of his tests. If this were -RELEASE, I might feel differently, but it is -STABLE after all. I do certainly agree that an UPDATING entry would have been warranted. -- Greg
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1403031430380.20838>