From: Kevin Oberman
To: Greg Rivers
Cc: Mike Jakubik, Andrey Chernov, FreeBSD Stable ML, des@freebsd.org
Date: Mon, 3 Mar 2014 13:29:59 -0800
Subject: Re: openssh in stable-10 broken config or sandbox

On Mon, Mar 3, 2014 at 12:38 PM, Greg Rivers wrote:
> On Mon, 3 Mar 2014, Kevin Oberman wrote:
>
>> On Mon, Mar 3, 2014 at 11:03 AM, Mike Jakubik <
>> mike.jakubik@intertainservices.com> wrote:
>>
>>> On 03/01/14 02:39, Andrey Chernov wrote:
>>>
>>>> On 01.03.2014 10:56, Andrey Chernov wrote:
>>>>
>>>>> Hi.
>>>>> The default /etc/ssh/sshd_config has
>>>>> #UsePrivilegeSeparation sandbox
>>>>> i.e. 'sandbox' by default. It breaks logins with the error:
>>>>> sshd[81721]: fatal: ssh_sandbox_child: failed to limit the network
>>>>> socket [preauth]
>>>>> Fixed by using the old way, i.e. direct
>>>>> UsePrivilegeSeparation yes
>>>>> instead of 'sandbox'. Please fix this bug.
>>>>
>>>> Just found that capsicum is required now for the default (i.e. sandbox)
>>>> mode.
>>>> I don't think it is a wise move; people may lose remote connections that
>>>> way. At least an UPDATING entry is needed, but a check for WITHOUT_CAPSICUM
>>>> for the defaults would be better.
>>>
>>> Personally I find this to be a monumental screw up, such a drastic change
>>> and not even so much as an entry in UPDATING; whatever happened to POLA?
>>
>> +1
>>
>> I didn't get bitten by this by the good fortune of seeing the first message
>> on this issue just minutes after I updated my system. Saw the change in
>> mergemaster, so immediately edited the installed file back to "yes". But,
>> if this had been a remote server, I would have been in deep weeds. This is
>> simply not acceptable practice!
>
> Not to disagree, but I think we should tone down the flogging of a person
> who's working hard to make FreeBSD better. I'm sure this wasn't
> intentional, and the change probably passed all of his tests. If this were
> -RELEASE, I might feel differently, but it is -STABLE after all. I do
> certainly agree that an UPDATING entry would have been warranted.
>
> --
> Greg

It was clearly intentional, as it was specifically mentioned in the commit
message. Oversights happen and I don't have a problem with that. If DES just
didn't think about the fact that it would break sshd if capsicum was not
available, that happens. I've made bigger mistakes, probably this week.

The problem is that the change was not rolled back and no entry was made to
UPDATING. It's been over 4 days and, even if DES is tied up and has not seen
the issue, someone should have added a note to UPDATING so people have some
warning that sshd will break in most cases if they just accept the change to
sshd.conf. (Yes, it is not obvious who should have done this, but lots of
folks have access to update UPDATING.)

Lots of folks use STABLE in production. It's not HEAD and every effort is
supposed to be made to not break things, or at least warn people if something
will break running systems.

--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
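A pre-flight check for the failure discussed in this thread, added here as an example and not code from the thread or from FreeBSD: it reads the effective UsePrivilegeSeparation value out of a merged sshd_config, probes the kernel for Capsicum, and refuses the "sandbox" mode when the kernel cannot support it. It assumes the FreeBSD feature sysctl kern.features.security_capability_mode, and that a config with no directive falls back to the stable-10 default the thread describes ("sandbox").

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeBSD: check a merged
# sshd_config before restarting sshd, so a remote host is not locked out when
# the effective UsePrivilegeSeparation mode is "sandbox" on a kernel without
# Capsicum (the preauth failure quoted in the thread).

# Effective UsePrivilegeSeparation value: the last uncommented directive wins.
# With no directive, assume the compiled-in default the thread describes for
# stable-10, "sandbox". Assumes "Keyword value" syntax, not "Keyword=value".
effective_privsep() {
    val=$(awk 'tolower($1) == "useprivilegeseparation" { v = tolower($2) }
               END { print v }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'sandbox\n'; fi
}

# Kernel support for Capsicum capability mode, which the sandbox relies on.
# Assumes the FreeBSD feature sysctl kern.features.security_capability_mode;
# on a kernel or OS without it the probe reports "not available".
capsicum_available() {
    [ "$(sysctl -n kern.features.security_capability_mode 2>/dev/null)" = "1" ]
}

# Returns 0 when the config is safe to install, 1 when sshd would die preauth
# with "ssh_sandbox_child: failed to limit the network socket".
# Optional $2 (1 or 0) overrides the Capsicum probe, e.g. for testing.
sandbox_is_safe() {
    cfg=$1; have_cap=${2:-}
    if [ -z "$have_cap" ]; then
        if capsicum_available; then have_cap=1; else have_cap=0; fi
    fi
    mode=$(effective_privsep "$cfg")
    if [ "$mode" = "sandbox" ] && [ "$have_cap" != 1 ]; then
        echo "WARNING: $cfg selects UsePrivilegeSeparation sandbox but this" \
             "kernel has no Capsicum; set 'UsePrivilegeSeparation yes'" \
             "and run 'sshd -t -f $cfg' before restarting sshd" >&2
        return 1
    fi
    return 0
}

# Typical use on the host (keep an existing ssh session open while you do it):
#   sandbox_is_safe /etc/ssh/sshd_config && service sshd restart
```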