svn commit: r224462 - stable/8/usr.sbin/jail
jhell at DataIX.net
Thu Jul 28 02:47:37 UTC 2011
On Wed, Jul 27, 2011 at 01:56:52AM +0000, Glen Barber wrote:
> Author: gjb (doc committer)
> Date: Wed Jul 27 01:56:52 2011
> New Revision: 224462
> URL: http://svn.freebsd.org/changeset/base/224462
> MFC 224286:
> Document the potential for jail escape.
> PR: 142341
> Directory Properties:
> stable/8/usr.sbin/jail/ (props changed)
> Modified: stable/8/usr.sbin/jail/jail.8
> --- stable/8/usr.sbin/jail/jail.8 Tue Jul 26 20:51:58 2011 (r224461)
> +++ stable/8/usr.sbin/jail/jail.8 Wed Jul 27 01:56:52 2011 (r224462)
> @@ -34,7 +34,7 @@
> .\" $FreeBSD$
> -.Dd January 17, 2010
> +.Dd July 23, 2011
> .Dt JAIL 8
> .Sh NAME
> @@ -913,3 +913,10 @@ Currently, the simplest answer is to min
> offered on the host, possibly limiting it to services offered from
> .Xr inetd 8
> which is easily configurable.
> +.Sh NOTES
> +Great care should be taken when managing directories visible within the jail.
> +For example, if a jailed process has its current working directory set to a
> +directory that is moved out of the jail's chroot, then the process may gain
> +access to the file space outside of the jail.
> +It is recommended that directories always be copied, rather than moved, out
> +of a jail.
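Review bot: the new NOTES paragraph states the hazard but not the mechanism the copy-versus-move recommendation rests on: mv(1) within one filesystem renames the directory rather than recreating it, so a jailed process whose working directory is that directory keeps referring to the same filesystem object and ends up with a working directory outside the jail root, whereas cp(1) creates new objects outside the jail and the jailed process's working directory stays on the original inside it. Adding one sentence after the example, along the lines of "Because a move renames the directory rather than recreating it, a process whose working directory is that directory follows it outside the jail.", would preempt the obvious "how is that different from copying" question. As a style point, mdoc(7) names SECURITY CONSIDERATIONS as the conventional section for this kind of caveat, so `.Sh SECURITY CONSIDERATIONS` would fit better than the non-standard `.Sh NOTES`.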
How is either one of these different?
All mv(1) is doing is a cp(1) & rm(1). In either case the filehandle is
still broken and a process is not going to just get up and move with it.
On the other side though if you copied a pipe or socket or something
similar for example into a jail then it might make whatever is outside
available to the jailed environment.
Is there something I am misunderstanding about this? Has the way cp(1),
rm(1) & mv(1) been changed recently? Or is this wording a little off?