Similar to a real-world prison, an "inescapable" FreeBSD jail may be easy to break out of, if you have help from the guards & staff. In particular, `man jail` warns against an easy route for a jailed root user to, with a quick assist from a low-privilege user on the host system, gain root on the host. So if the security is lax within one of your jails, because "it's all locked in a jail, they can't do much" - yeah.
Arguably true. But IRL, there can be all sorts of reasons for some user(s) to have access to /jails/prison_n/ - including limited supplies of time and skill when the host system was set up, or later modified.
Worth noting, for those unfamiliar:
Similar to a real-world prison, an "inescapable" FreeBSD jail may be easy to break out of, if you have help from the guards & staff. In particular, `man jail` warns against an easy route for a jailed root user to, with a quick assist from a low-privilege user on the host system, gain root on the host. So if the security is lax within one of your jails, because "it's all locked in a jail, they can't do much" - yeah.
A low-privilege user that has access to the jails root directories? That server is setup pretty poorly.
> is set up pretty poorly.
Arguably true. But IRL, there can be all sorts of reasons for some user(s) to have access to /jails/prison_n/ - including limited supplies of time and skill when the host system was set up, or later modified.
Indeed. Just as a linux admin could do something silly with docker volumes or literally anything on any server platform.