Date:      Wed, 29 Jan 2014 22:22:10 +0100
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        James Gritton <jamie@freebsd.org>
Cc:        svn-src-head@freebsd.org, svn-src-all@freebsd.org, Gleb Smirnoff <glebius@FreeBSD.org>, src-committers@freebsd.org
Subject:   Re: svn commit: r261266 - in head: sys/dev/drm sys/kern sys/sys usr.sbin/jail
Message-ID:  <20140129222210.0000711f@unknown>
In-Reply-To: <52E906CD.9050202@freebsd.org>
References:  <201401291341.s0TDfDcB068211@svn.freebsd.org> <20140129134344.GW66160@FreeBSD.org> <52E906CD.9050202@freebsd.org>

On Wed, 29 Jan 2014 06:49:01 -0700
James Gritton <jamie@freebsd.org> wrote:

> On 1/29/2014 6:43 AM, Gleb Smirnoff wrote:

> > Doesn't this allow to easily unjail self? :)

> It does.  I included a warning in jail.8 that this will pretty much
> undo jail security.  There are still reasons some may want to do this,
> but it's definitely not for everyone or even most people.

It only "unjails" (= basically the same security level as the jail-host
with the added benefit of the flexibility of a jail like easy moving
from one system to another) the jail which has this flag set. All other
jails without the flag can not "escape" to the host.

I also have to add that just setting this flag does not give access to
the host; you also have to configure a non-default devfs rule for this
jail (to have the devices appear in the jail).

Bye,
Alexander.

-- 
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137


