svn commit: r252340 - stable/8/crypto/openssh

Dag-Erling Smørgrav des at FreeBSD.org
Fri Jun 28 10:21:50 UTC 2013 

Author: des
Date: Fri Jun 28 10:21:49 2013
New Revision: 252340
URL: http://svnweb.freebsd.org/changeset/base/252340

Log:
  MFH (r251088, r252338): revert default privsep setting to "yes"

Modified:
  stable/8/crypto/openssh/servconf.c
  stable/8/crypto/openssh/sshd_config
  stable/8/crypto/openssh/sshd_config.5
Directory Properties:
  stable/8/crypto/openssh/   (props changed)

Modified: stable/8/crypto/openssh/servconf.c
==============================================================================
--- stable/8/crypto/openssh/servconf.c	Fri Jun 28 09:55:00 2013	(r252339)
+++ stable/8/crypto/openssh/servconf.c	Fri Jun 28 10:21:49 2013	(r252340)
@@ -294,7 +294,7 @@ fill_default_server_options(ServerOption
 		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
-		use_privsep = PRIVSEP_ON;
+		use_privsep = PRIVSEP_NOSANDBOX;
 
 #ifndef HAVE_MMAP
 	if (use_privsep && options->compression == 1) {

Modified: stable/8/crypto/openssh/sshd_config
==============================================================================
--- stable/8/crypto/openssh/sshd_config	Fri Jun 28 09:55:00 2013	(r252339)
+++ stable/8/crypto/openssh/sshd_config	Fri Jun 28 10:21:49 2013	(r252340)
@@ -102,7 +102,7 @@
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-#UsePrivilegeSeparation sandbox
+#UsePrivilegeSeparation yes
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0

Modified: stable/8/crypto/openssh/sshd_config.5
==============================================================================
--- stable/8/crypto/openssh/sshd_config.5	Fri Jun 28 09:55:00 2013	(r252339)
+++ stable/8/crypto/openssh/sshd_config.5	Fri Jun 28 10:21:49 2013	(r252340)
@@ -1095,7 +1095,7 @@ the privilege of the authenticated user.
 The goal of privilege separation is to prevent privilege
 escalation by containing any corruption within the unprivileged processes.
 The default is
-.Dq sandbox .
+.Dq yes .
 If
 .Cm UsePrivilegeSeparation
 is set to

More information about the svn-src-all mailing list