svn commit: r39566 - head/en_US.ISO8859-1/books/handbook/jails
Dag-Erling Smørgrav
des at FreeBSD.org
Sun Sep 16 15:44:51 UTC 2012
Author: des
Date: Sun Sep 16 15:44:51 2012
New Revision: 39566
URL: http://svn.freebsd.org/changeset/doc/39566
Log:
Add a warning about filesystem-based attacks.
Approved by: mentor (gjb)
Modified:
head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml
Modified: head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Sun Sep 16 14:33:26 2012 (r39565)
+++ head/en_US.ISO8859-1/books/handbook/jails/chapter.sgml Sun Sep 16 15:44:51 2012 (r39566)
@@ -28,6 +28,22 @@
are a very powerful tool for system administrators, but their basic
usage can also be useful for advanced users.</para>
+ <important>
+ <para>Jails are a powerful tool, but they are not a security
+ panacea. It is particularly important to note that while it
+ is not possible for a jailed process to break out on its own,
+ there are several ways in which an unprivileged user outside
+ the jail can cooperate with a privileged user inside the jail
+ and thereby obtain elevated privileges in the host
+ environment.</para>
+
+ <para>Most of these attacks can be mitigated by ensuring that
+ the jail root is not accessible to unprivileged users in the
+ host environment. Regardless, as a general rule, untrusted
+ users with privileged access to a jail should not be given
+ access to the host environment.</para>
+ </important>
+
<para>After reading this chapter, you will know:</para>
<itemizedlist>
More information about the svn-doc-all
mailing list