search for: jail_attach

...rator to lock up a process and all its descendants inside a closed environment with very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more stringent than, the traditional Unix chroot(2) system call. The jail_attach(2) system call, which was introduced in FreeBSD 5 before 5.1-RELEASE, allows a non-jailed process to permanently move into an existing jail. II. Problem Description A programming error has been found in the jail_attach(2) system call which affects the way that system call verifies the privilege...

...rator to lock up a process and all its descendants inside a closed environment with very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more stringent than, the traditional Unix chroot(2) system call. The jail_attach(2) system call, which was introduced in FreeBSD 5 before 5.1-RELEASE, allows a non-jailed process to permanently move into an existing jail. II. Problem Description A programming error has been found in the jail_attach(2) system call which affects the way that system call verifies the privilege...

...ecurity.html It's not a very big issue (unless I'm missing something), simply one of leaking the host environment into the jail. This might be used legitimately in certain cases, but in most cases it's probably a good idea to clear out the environment before executing the jail() or jail_attach() syscalls. The 'jstart' utility included in jailutils does this and it would probably be a good addition to 'jexec' and/or 'jail'.