From owner-svn-doc-head@FreeBSD.ORG Sun Sep 16 15:44:51 2012 Return-Path: Delivered-To: svn-doc-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B61CF106566B; Sun, 16 Sep 2012 15:44:51 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id A16BA8FC18; Sun, 16 Sep 2012 15:44:51 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q8GFip43021160; Sun, 16 Sep 2012 15:44:51 GMT (envelope-from des@svn.freebsd.org) Received: (from des@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q8GFipnj021157; Sun, 16 Sep 2012 15:44:51 GMT (envelope-from des@svn.freebsd.org) Message-Id: <201209161544.q8GFipnj021157@svn.freebsd.org> From: Dag-Erling Smørgrav Date: Sun, 16 Sep 2012 15:44:51 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r39566 - head/en_US.ISO8859-1/books/handbook/jails X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Sep 2012 15:44:51 -0000 Author: des Date: Sun Sep 16 15:44:51 2012 New Revision: 39566 URL: http://svn.freebsd.org/changeset/doc/39566 Log: Add a warning about filesystem-based attacks. Approved by: mentor (gjb) Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Sun Sep 16 14:33:26 2012 (r39565) +++ head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Sun Sep 16 15:44:51 2012 (r39566) @@ -28,6 +28,22 @@ are a very powerful tool for system administrators, but their basic usage can also be useful for advanced users. + + Jails are a powerful tool, but they are not a security + panacea. It is particularly important to note that while it + is not possible for a jailed process to break out on its own, + there are several ways in which an unprivileged user outside + the jail can cooperate with a privileged user inside the jail + and thereby obtain elevated privileges in the host + environment. + + Most of these attacks can be mitigated by ensuring that + the jail root is not accessible to unprivileged users in the + host environment. Regardless, as a general rule, untrusted + users with privileged access to a jail should not be given + access to the host environment. + + After reading this chapter, you will know: