On the other hand, it'd be very difficult to get root in the jail if
there's nothing setuid root or running as root in the jail. Anything
kernel-level that will give you root in this situation would probably let
you do arbitrary other things anyway, and anything userspace can't give
you root. Tasks requiring root access can be done from outside the jail,
so in-jail root doesn't actually need to be possible at all, which makes
security auditting much simpler, because you can be sure that permissions
will be followed by everything in the jail.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds