gjm11 6 hours ago
Maybe I'm misunderstanding the video, but it looks to me as if the situation is: You are root inside a sandbox. As root-in-the-sandbox, you create a symlink and this gives you the ability to escape the sandbox. (Whether this is interesting or not depends on whether anyone actually tries to use the sandbox facility in such a way as to give root-in-the-sandbox privileges to untrusted people or code. I don't know enough about OpenBSD to answer that.)

ori_b 5 hours ago
OpenBSD doesn't do different user accounts inside vs outside sandboxes; if you're root in the sandbox, you're root on the system.

866-RON-0-FEZ 6 hours ago
So what? You're still root. You're relying on a sandbox to plug a few voids while you still effectively held keys to the kingdom before said voids were plugged. I hear this excuse daily from developers who insist on running all their docker containers as root "because we have to". If you're relying on a sandbox as your first line of defense you've already lost the war.