Date: Sun, 16 Sep 2012 15:22:15 +0000 (UTC) From: Dag-Erling Smørgrav <des@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r240563 - head/usr.sbin/jail Message-ID: <201209161522.q8GFMFco016649@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: des Date: Sun Sep 16 15:22:15 2012 New Revision: 240563 URL: http://svn.freebsd.org/changeset/base/240563 Log: Warn about filesystem-based attacks. Modified: head/usr.sbin/jail/jail.8 Modified: head/usr.sbin/jail/jail.8 ============================================================================== --- head/usr.sbin/jail/jail.8 Sun Sep 16 14:38:01 2012 (r240562) +++ head/usr.sbin/jail/jail.8 Sun Sep 16 15:22:15 2012 (r240563) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd May 23, 2012 +.Dd September 15, 2012 .Dt JAIL 8 .Os .Sh NAME @@ -1225,3 +1225,11 @@ directory that is moved out of the jail' access to the file space outside of the jail. It is recommended that directories always be copied, rather than moved, out of a jail. +.Pp +In addition, there are several ways in which an unprivileged user +outside the jail can cooperate with a privileged user inside the jail +and thereby obtain elevated privileges in the host environment. +Most of these attacks can be mitigated by ensuring that the jail root +is not accessible to unprivileged users in the host environment. +Regardless, as a general rule, untrusted users with privileged access +to a jail should not be given access to the host environment.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201209161522.q8GFMFco016649>