From: Chris Rees
Date: Sun, 16 Sep 2012 17:54:33 +0100
To: Dag-Erling Smørgrav
Cc: svn-doc-head@freebsd.org, svn-doc-all@freebsd.org, doc-committers@freebsd.org
Subject: Re: svn commit: r39566 - head/en_US.ISO8859-1/books/handbook/jails

On 16 September 2012 16:44, Dag-Erling Smørgrav wrote:
> Author: des
> Date: Sun Sep 16 15:44:51 2012
> New Revision: 39566
> URL: http://svn.freebsd.org/changeset/doc/39566
>
> Log:
> Add a warning about filesystem-based attacks.
>
> Approved by: mentor (gjb)
>
> Modified:
> head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml
>
> Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D
> --- head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Sun Sep 1= 6 14:33:26 2012 (r39565)
> +++ head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Sun Sep 1= 6 15:44:51 2012 (r39566)
> @@ -28,6 +28,22 @@ > are a very powerful tool for system administrators, but their basi= c > usage can also be useful for advanced users. > > + > + Jails are a powerful tool, but they are not a security > + panacea. It is particularly important to note that while it > + is not possible for a jailed process to break out on its own, > + there are several ways in which an unprivileged user outside > + the jail can cooperate with a privileged user inside the jail > + and thereby obtain elevated privileges in the host > + environment. > + > + Most of these attacks can be mitigated by ensuring that > + the jail root is not accessible to unprivileged users in the > + host environment. Regardless, as a general rule, untrusted > + users with privileged access to a jail should not be given > + access to the host environment. > + > + Thanks for this. I think you could close docs/156853 now; it caused some controversy for some reason when first committed... Chris
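
Review bot: The second added paragraph tells the reader to ensure "the jail root is not accessible to unprivileged users in the host environment" but gives no concrete step for doing so. Suggest naming one, for example keeping the jail's directory tree under a parent directory that only root on the host can traverse. The commit log calls these "filesystem-based attacks", yet the warning text never says the attacks go through the filesystem, so a reader cannot tell why restricting access to the jail root helps; one clause in the first paragraph would close that gap. "Most of these attacks" also leaves open which cases the mitigation does not cover; the closing sentence about untrusted users with privileged access to a jail is the stronger rule and could be stated first.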