From owner-svn-src-all@FreeBSD.ORG Thu Jul 28 03:19:10 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E53BA106566C for ; Thu, 28 Jul 2011 03:19:10 +0000 (UTC) (envelope-from gjb@FreeBSD.org) Received: from glenbarber.us (onyx.glenbarber.us [199.48.134.227]) by mx1.freebsd.org (Postfix) with SMTP id 70C1C8FC0C for ; Thu, 28 Jul 2011 03:19:10 +0000 (UTC) Received: (qmail 80690 invoked by uid 0); 27 Jul 2011 22:52:28 -0400 Received: from unknown (HELO schism.local) (gjb@76.124.49.145) by 0 with SMTP; 27 Jul 2011 22:52:28 -0400 Message-ID: <4E30CEEB.107@FreeBSD.org> Date: Wed, 27 Jul 2011 22:52:27 -0400 From: Glen Barber User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110624 Thunderbird/5.0 MIME-Version: 1.0 To: Jason Hellenthal References: <201107270156.p6R1uquD035835@svn.freebsd.org> <20110728021914.GA55550@DataIX.net> In-Reply-To: <20110728021914.GA55550@DataIX.net> X-Enigmail-Version: 1.2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Glen Barber , svn-src-all@freebsd.org, src-committers@freebsd.org, svn-src-stable-8@freebsd.org, svn-src-stable@freebsd.org Subject: Re: svn commit: r224462 - stable/8/usr.sbin/jail X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Jul 2011 03:19:11 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 7/27/11 10:19 PM, Jason Hellenthal wrote: >> +.Sh NOTES +Great care should be taken when managing directories >> visible within the jail. +For example, if a jailed process has its >> current working directory set to a +directory that is moved out of >> the jail's chroot, then the process may gain +access to the file >> space outside of the jail. +It is recommended that directories >> always be copied, rather than moved, out +of a jail. > > How is either one of these different ? > > All mv(1) is doing is a cp(1) & rm(1). In either case the filehandle > is still broken and a process is not going to just get up and move > with it. On the other side though if you copied a pipe or socket or > something similiar for example into a jail then it might make > whatever is outside available to the jailed environment. > > Is there something I am misunderstanding about this ? has the way > cp(1), rm(1) & mv(1) been changed recently ? or is this wording a > little off ? The text in the example is just an example of a situation where it may be possible for a process within a jail(8) to gain filesystem access outside of the jail(8). Regards, - -- Glen Barber | gjb@FreeBSD.org FreeBSD Documentation Project -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) iQEcBAEBCAAGBQJOMM7rAAoJEFJPDDeguUajw7gIALesuCIHff5+p/a4v3gCYetF Su1RWFH/4Cc7iETC0sBR8vvJM9tUXuuKgSXCMswqmOQeJgwE5F+Xv4zAqofVyG6x b/C0WkmEe+nShOx1JLpmyvoSXlyh7b9QxV/41Kf/0Z1EoUZSNz1q5X58ZCvelaTr pqwftcCqGp0qHxVphCq8q42Z8hzS0V2SMco7gD/dqzyKjmST0zAhQfOgrT8kAqiH JHSU8ZSjVjQ5GPKi68fVCUBsivp/hyrXviSfFwh+anBembPrzMQNS7oYBtSJCrpf Ksy5SrT+JLNTSSZlhnqIvhwLfk01LR4alryZAlXYyUqO+DDjFX11vFqCW8qPrw8= =iXr5 -----END PGP SIGNATURE-----