Date: Sun, 16 Sep 2012 15:44:51 +0000 (UTC)
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r39566 - head/en_US.ISO8859-1/books/handbook/jails
Message-ID: <201209161544.q8GFipnj021157@svn.freebsd.org>
Author: des Date: Sun Sep 16 15:44:51 2012 New Revision: 39566 URL: http://svn.freebsd.org/changeset/doc/39566 Log: Add a warning about filesystem-based attacks. Approved by: mentor (gjb) Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Sun Sep 16 14:33:26 2012 (r39565) +++ head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Sun Sep 16 15:44:51 2012 (r39566) @@ -28,6 +28,22 @@ are a very powerful tool for system administrators, but their basic usage can also be useful for advanced users.</para> + <important> + <para>Jails are a powerful tool, but they are not a security + panacea. It is particularly important to note that while it + is not possible for a jailed process to break out on its own, + there are several ways in which an unprivileged user outside + the jail can cooperate with a privileged user inside the jail + and thereby obtain elevated privileges in the host + environment.</para> + + <para>Most of these attacks can be mitigated by ensuring that + the jail root is not accessible to unprivileged users in the + host environment. Regardless, as a general rule, untrusted + users with privileged access to a jail should not be given + access to the host environment.</para> + </important> + <para>After reading this chapter, you will know:</para> <itemizedlist>
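Review bot: The second added <para> says the attacks "can be mitigated by ensuring that the jail root is not accessible to unprivileged users in the host environment" but gives the administrator no way to act on it. Consider stating the measure concretely, for example that the jail root, or the directory containing it, should be owned by root and not readable or searchable by other host users, or add a cross-reference to the section of the chapter that covers creating the jail directory. Separately, the log message calls this a warning about filesystem-based attacks, yet neither paragraph uses the word filesystem; naming that class in the first <para>, next to "there are several ways", would tell the reader why restricting access to the jail root is the relevant control. The phrase "Most of these attacks" also leaves open which ones are not covered, so the closing sentence about not giving untrusted privileged jail users host access reads as the stronger rule and could lead the second paragraph rather than follow "Regardless".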