Date: Sun, 16 Sep 2012 17:54:33 +0100
From: Chris Rees <crees@FreeBSD.org>
To: Dag-Erling Smørgrav <des@freebsd.org>
Cc: svn-doc-head@freebsd.org, svn-doc-all@freebsd.org, doc-committers@freebsd.org
Subject: Re: svn commit: r39566 - head/en_US.ISO8859-1/books/handbook/jails
Message-ID: <CADLo839DUXqE-cV0Jec%2BNZfO11NVHxWu_Zs_hv5N0oUpgaydxA@mail.gmail.com>
In-Reply-To: <201209161544.q8GFipnj021157@svn.freebsd.org>
References: <201209161544.q8GFipnj021157@svn.freebsd.org>
On 16 September 2012 16:44, Dag-Erling Sm=F8rgrav <des@freebsd.org> wrote: > Author: des > Date: Sun Sep 16 15:44:51 2012 > New Revision: 39566 > URL: http://svn.freebsd.org/changeset/doc/39566 > > Log: > Add a warning about filesystem-based attacks. > > Approved by: mentor (gjb) > > Modified: > head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml > > Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Sun Sep 1= 6 14:33:26 2012 (r39565) > +++ head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Sun Sep 1= 6 15:44:51 2012 (r39566) > @@ -28,6 +28,22 @@ > are a very powerful tool for system administrators, but their basi= c > usage can also be useful for advanced users.</para> > > + <important> > + <para>Jails are a powerful tool, but they are not a security > + panacea. It is particularly important to note that while it > + is not possible for a jailed process to break out on its own, > + there are several ways in which an unprivileged user outside > + the jail can cooperate with a privileged user inside the jail > + and thereby obtain elevated privileges in the host > + environment.</para> > + > + <para>Most of these attacks can be mitigated by ensuring that > + the jail root is not accessible to unprivileged users in the > + host environment. Regardless, as a general rule, untrusted > + users with privileged access to a jail should not be given > + access to the host environment.</para> > + </important> > + Thanks for this. I think you could close docs/156853 now; it caused some controversy for some reason when first committed... Chris
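Review bot: in the second added <para>, the mitigation ("ensuring that the jail root is not accessible to unprivileged users in the host environment") does not say how an administrator achieves or verifies that, and "Most of these attacks" leaves open which ones remain. The commit log calls these filesystem-based attacks, but the added text never says so. Naming that in the first <para> and stating the concrete step expected (for example, what permissions the directory containing the jail root should carry) would make the warning actionable.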