Date: Wed, 29 May 2013 09:09:53 +0200 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= <des@FreeBSD.org> Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org Subject: Re: svn commit: r251088 - head/crypto/openssh Message-ID: <20130529070952.GA1400@garage.freebsd.pl> In-Reply-To: <201305290019.r4T0JxLE011755@svn.freebsd.org> References: <201305290019.r4T0JxLE011755@svn.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--0OAP2g/MAC+5xKAE Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, May 29, 2013 at 12:19:59AM +0000, Dag-Erling Sm=F8rgrav wrote: > Author: des > Date: Wed May 29 00:19:58 2013 > New Revision: 251088 > URL: http://svnweb.freebsd.org/changeset/base/251088 >=20 > Log: > Revert a local change that sets the default for UsePrivilegeSeparation = to > "sandbox" instead of "yes". In sandbox mode, the privsep child is unab= le > to load additional libraries and will therefore crash when trying to ta= ke > advantage of crypto offloading on CPUs that support it. Which library is needed for AES-NI? I don't see any engine in /usr/lib/ that implements AES-NI support. Could you be more specific? Also what is the exact difference between "sandbox" and "yes" settings? The reason I ask is because I plan to experiment with OpenSSH sandboxing to use Capsicum and Casper. > Modified: > head/crypto/openssh/servconf.c >=20 > Modified: head/crypto/openssh/servconf.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/crypto/openssh/servconf.c Wed May 29 00:18:12 2013 (r251087) > +++ head/crypto/openssh/servconf.c Wed May 29 00:19:58 2013 (r251088) > @@ -298,7 +298,7 @@ fill_default_server_options(ServerOption > options->version_addendum =3D xstrdup(SSH_VERSION_FREEBSD); > /* Turn privilege separation on by default */ > if (use_privsep =3D=3D -1) > - use_privsep =3D PRIVSEP_ON; > + use_privsep =3D PRIVSEP_NOSANDBOX; > =20 > #ifndef HAVE_MMAP > if (use_privsep && options->compression =3D=3D 1) { --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://mobter.com --0OAP2g/MAC+5xKAE Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (FreeBSD) iEYEARECAAYFAlGlqcAACgkQForvXbEpPzQGOgCgtMJXt0yVntEo0ej5EZZVEzZq e8AAnRFOUbrteHLIVdBEEgFuT8ESmKq9 =HLoi -----END PGP SIGNATURE----- --0OAP2g/MAC+5xKAE--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130529070952.GA1400>