Changes between Version 1 and Version 2 of Ticket #59497, comment 12
- Timestamp: Nov 4, 2019, 1:37:21 PM (5 years ago)
Ticket #59497, comment 12
v1 v2 7 7 With privilege separation enabled, the child spawned by `sshd` chroots into some specific directory. 8 8 9 In vanilla OpenSSH, enables the sandbox in the child process **after** reseeding the OpenSSL RNG and chrooting to that directory.9 In vanilla OpenSSH, `sshd` enables the sandbox in the child process **after** reseeding the OpenSSL RNG and chrooting to that directory. 10 10 11 11 However, since Apple (and we) use a special profile file, they (and we) enable the sandbox first, then do all the other things. It's mostly just a code move, but an important one, because a chrooted child couldn't ever be able to read the special profile file residing outside of the chroot.