From owner-freebsd-stable@FreeBSD.ORG  Mon Mar  3 19:03:29 2014
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 95AE2B45;
 Mon,  3 Mar 2014 19:03:29 +0000 (UTC)
Received: from mail.intertainservices.com (mail.intertainservices.com
 [69.77.177.114]) by mx1.freebsd.org (Postfix) with ESMTP id 6F51EF0D;
 Mon,  3 Mar 2014 19:03:29 +0000 (UTC)
Received: from freebsd.local (unknown [172.16.10.114])
 by mail.intertainservices.com (Postfix) with ESMTPSA id 50F7256454;
 Mon,  3 Mar 2014 14:03:21 -0500 (EST)
Message-ID: <5314D1F9.20909@intertainservices.com>
Date: Mon, 03 Mar 2014 14:03:21 -0500
From: Mike Jakubik <mike.jakubik@intertainservices.com>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Andrey Chernov <ache@freebsd.org>, des@freebsd.org, 
 stable@freebsd.org
Subject: Re: openssh in stable-10 broken config or sandbox
References: <531184A8.4050909@freebsd.org> <53118E9C.5030804@freebsd.org>
In-Reply-To: <53118E9C.5030804@freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-intertainservices-MailScanner-Information: Please contact the ISP for more
 information
X-intertainservices-MailScanner-ID: 50F7256454.AC6B9
X-intertainservices-MailScanner: Found to be clean
X-intertainservices-MailScanner-From: mike.jakubik@intertainservices.com
X-Spam-Status: No
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Mar 2014 19:03:29 -0000

On 03/01/14 02:39, Andrey Chernov wrote:
> On 01.03.2014 10:56, Andrey Chernov wrote:
>> Hi.
>> Default /etc/ssh/sshd_config have
>> #UsePrivilegeSeparation sandbox
>> I.e. 'sandbox' by default. It breaks logins with error:
>> sshd[81721]: fatal: ssh_sandbox_child: failed to limit the network socket [preauth]
>> Fixed by using old way, i.e. direct
>> UsePrivilegeSeparation yes
>> instead of 'sandbox'. Please fix this bug.
> Just find that capsicum is required now for default (i.e. sandbox) mode.
> Don't think it is wise move, people may lost remote connections that
> way, at least UPDATING entry is needed, but check for WITHOUT_CAPSICUM
> for defaults will be better.
>

Personally I find this to be a monumental screw up, such a drastic 
change and not even so much as an entry in UPDATING, what ever happened 
to POLA?