From 2b1970f36297528c8abe547f94696e07d24d3853 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?=
Date: Sat, 1 Feb 2014 00:07:16 +0000
Subject: [PATCH] Turn sandboxing on by default.
---
 crypto/openssh/servconf.c | 2 +-
 crypto/openssh/sshd_config | 2 +-
 crypto/openssh/sshd_config.5 | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 97efa4e33661..3748d80d8bc1 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -314,7 +314,7 @@ fill_default_server_options(ServerOptions *options)
 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
 /* Turn privilege separation on by default */
 if (use_privsep == -1)
- use_privsep = PRIVSEP_NOSANDBOX;
+ use_privsep = PRIVSEP_ON;
 #ifndef HAVE_MMAP
 if (use_privsep && options->compression == 1) {
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index bd71749fb383..513764eb0590 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -110,7 +110,7 @@
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-#UsePrivilegeSeparation yes
+#UsePrivilegeSeparation sandbox
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index e0f59241b985..e33b39ae1fe7 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1227,7 +1227,7 @@ the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is
-.Dq yes .
+.Dq sandbox .
 If .Cm UsePrivilegeSeparation is set to
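Review bot: The comment above the changed assignment in servconf.c still reads `/* Turn privilege separation on by default */`, but the new default `PRIVSEP_ON` appears to be the value the sshd_config and sshd_config.5 hunks call `sandbox`, so the comment no longer describes what the default enables; I would change it to `/* Turn privilege separation and sandboxing on by default */`. The default is applied only when `use_privsep == -1`, so a configuration that explicitly sets `UsePrivilegeSeparation yes` presumably keeps running without the sandbox after this change, which is worth stating next to the default or in the man page text. The body of fill_default_server_options starts and ends outside the hunk.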