author: des <des@FreeBSD.org> 2012-09-16 15:22:15 +0000
committer: des <des@FreeBSD.org> 2012-09-16 15:22:15 +0000
commit: 5496f5a384befc6dc39b43decef79b12d83e75a3
tree: 6ea67e147a0fc5d336eb3756dc588217fe1e6262 /usr.sbin/jail/jail.8
parent: 07b8304d19dd55a8eaac5abd279a0b195f9a2e0e
Warn about filesystem-based attacks.
Diffstat (limited to 'usr.sbin/jail/jail.8')
-rw-r--r-- usr.sbin/jail/jail.8 | 10
1 files changed, 9 insertions, 1 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 9204686..b96cfef 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd May 23, 2012
+.Dd September 15, 2012
.Dt JAIL 8
.Os
.Sh NAME
@@ -1225,3 +1225,11 @@ directory that is moved out of the jail's chroot, then the process may gain
access to the file space outside of the jail.
It is recommended that directories always be copied, rather than moved, out
of a jail.
+.Pp
+In addition, there are several ways in which an unprivileged user
+outside the jail can cooperate with a privileged user inside the jail
+and thereby obtain elevated privileges in the host environment.
+Most of these attacks can be mitigated by ensuring that the jail root
+is not accessible to unprivileged users in the host environment.
+Regardless, as a general rule, untrusted users with privileged access
+to a jail should not be given access to the host environment.
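Review bot: The new paragraph tells the administrator to ensure "that the jail root is not accessible to unprivileged users in the host environment" but does not say how to achieve that. Consider adding a concrete hint, for example keeping the jail root beneath a directory that only root can search, so the advice is actionable from the manual page alone. "Most of these attacks" also leaves the reader unsure what remains uncovered; tying the closing sentence to that remainder (for instance by opening it with "Since not all such attacks can be prevented this way,") would make clear why the general rule still applies when the jail root is protected.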