svn commit: r240563 - head/usr.sbin/jail
Dag-Erling Smørgrav
des at FreeBSD.org
Sun Sep 16 15:22:16 UTC 2012
Author: des
Date: Sun Sep 16 15:22:15 2012
New Revision: 240563
URL: http://svn.freebsd.org/changeset/base/240563
Log:
Warn about filesystem-based attacks.
Modified:
head/usr.sbin/jail/jail.8
Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8 Sun Sep 16 14:38:01 2012 (r240562)
+++ head/usr.sbin/jail/jail.8 Sun Sep 16 15:22:15 2012 (r240563)
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd May 23, 2012
+.Dd September 15, 2012
.Dt JAIL 8
.Os
.Sh NAME
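Review bot: The new `.Dd` value, September 15, 2012, is one day earlier than the Sep 16 commit date shown in the header. If the text was finalized on the 16th, set `.Dd` to match so the manual page date reflects this revision.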
@@ -1225,3 +1225,11 @@ directory that is moved out of the jail'
access to the file space outside of the jail.
It is recommended that directories always be copied, rather than moved, out
of a jail.
+.Pp
+In addition, there are several ways in which an unprivileged user
+outside the jail can cooperate with a privileged user inside the jail
+and thereby obtain elevated privileges in the host environment.
+Most of these attacks can be mitigated by ensuring that the jail root
+is not accessible to unprivileged users in the host environment.
+Regardless, as a general rule, untrusted users with privileged access
+to a jail should not be given access to the host environment.
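Review bot: The added paragraph refers to "several ways" and "Most of these attacks" without naming any of them, and "not accessible to unprivileged users in the host environment" does not tell an administrator what to configure. Suggest stating the mitigation concretely (for example, which directory's ownership and mode should deny access to unprivileged host users) and saying which cases it does not cover, so that the closing "Regardless" sentence reads as the fallback for those cases.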