Date: Wed, 29 Jan 2014 22:22:10 +0100
From: Alexander Leidinger
To: James Gritton
Subject: Re: svn commit: r261266 - in head: sys/dev/drm sys/kern sys/sys usr.sbin/jail
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, Gleb Smirnoff, src-committers@freebsd.org

On Wed, 29 Jan 2014 06:49:01 -0700
James Gritton wrote:

> On 1/29/2014 6:43 AM, Gleb Smirnoff wrote:
> > Doesn't this allow to easily unjail self? :)
> It does. I included a warning in jail.8 that this will pretty much
> undo jail security. There are still reasons some may want to do this,
> but it's definitely not for everyone or even most people.

It only "unjails" (= basically the same security level as the
jail-host with the added benefit of the flexibility of a jail like easy
moving from one system to another) the jail which has this flag set.
All other jails without the flag cannot "escape" to the host.

I also have to add that just setting this flag does not give access to
the host; you also have to configure a non-default devfs rule for this
jail (to have the devices appear in the jail).

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137