On Tue, May 12, 2026 at 07:07:17PM +0000, Emmanuel Dreyfus wrote:
> Hi
>
> On Tue, May 12, 2026 at 06:23:27PM +0100, Joe Orton wrote:
> > If an issue is reported against an aspect of the security model which
> > is not documented here, it MUST be accompanied by a clear description
> > of that model, showing why a trust boundary exists and how it is
> > violated.
>
> It feels odd, as if we are asking the security researcher to
> specify a new model on its own. Or did you mean "aspect" instead
> of "model" here?
>
> s/a clear description of that model/a clear description of that aspect/
Yup, that's exactly what I meant - thanks for the review!

> > The less-privileged user:
> >
> > * cannot obtain root privileges,
> > * cannot read or truncate log files,
> > * retains access to e.g. any private TLS key data loaded in memory.
>
> Cannot escape a chroot if httpd is configured to use that feature?

I'd say that's explicitly out of scope (IIRC chroot jails are relatively
easy to escape?), so maybe:

"Attacks against OS-specific sandboxing or security features (such as use
of containers, chroot jails, or Mandatory Access Control models) are out
of scope for this security model."

Regards, Joe
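The property quoted in the thread, that the less-privileged worker user cannot read or truncate the log files, is one an operator can verify against an installation from the file ownership and permission bits alone. The script below is an added example written for this page; it is not code from the thread, from Joe's draft, or from httpd. It assumes a hypothetical worker uid of 33 with a single supplementary group, caller-supplied log paths, and plain DAC (owner/group/other bits): ACLs, MAC labels and the root override are deliberately out of scope, matching the scope Joe proposes above.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class FileOwnerMode:
    """Ownership and st_mode of a file, as os.stat() would report them."""
    uid: int
    gid: int
    mode: int  # full st_mode; only the permission bits are consulted


def user_can(entry: FileOwnerMode, uid: int, gids: Set[int],
             want_read: bool = False, want_write: bool = False) -> bool:
    """Return True if a user with this uid/gids gets the requested access
    from the DAC permission bits alone.

    Classic Unix DAC picks exactly one class: the owner bits if uid matches,
    otherwise the group bits if the file's gid is among the user's groups,
    otherwise the "other" bits.  Owner bits win even when group bits would
    grant more.  Truncation needs write access on the file itself.
    Root (uid 0) is treated as unrestricted: the model in the thread assumes
    the worker is NOT root, so the check is only meaningful for uid != 0.
    """
    if uid == 0:
        return True
    need = (4 if want_read else 0) | (2 if want_write else 0)
    perm = stat.S_IMODE(entry.mode)
    if uid == entry.uid:
        granted = (perm >> 6) & 7
    elif entry.gid in gids:
        granted = (perm >> 3) & 7
    else:
        granted = perm & 7
    return (granted & need) == need


def audit_log_files(paths: Iterable[str], uid: int,
                    gids: Set[int]) -> Dict[str, Dict[str, bool]]:
    """Stat each path and report whether the given unprivileged user could
    read or truncate it.  Missing files are reported rather than raised so a
    whole list can be audited in one pass.  Note the caveat: this inspects
    the file only, not the containing directory; a worker that can write the
    directory could still unlink and recreate a log it cannot truncate."""
    report: Dict[str, Dict[str, bool]] = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[path] = {"exists": False, "readable": False,
                            "truncatable": False}
            continue
        entry = FileOwnerMode(st.st_uid, st.st_gid, st.st_mode)
        report[path] = {
            "exists": True,
            "readable": user_can(entry, uid, gids, want_read=True),
            "truncatable": user_can(entry, uid, gids, want_write=True),
        }
    return report


if __name__ == "__main__":
    # Hypothetical worker identity and log locations (assumptions, not
    # values taken from the thread); adjust for the installation under test.
    WORKER_UID, WORKER_GIDS = 33, {33}
    LOG_PATHS = ["/var/log/apache2/access.log", "/var/log/apache2/error.log"]
    for path, finding in audit_log_files(LOG_PATHS, WORKER_UID, WORKER_GIDS).items():
        status = "OK" if not (finding["readable"] or finding["truncatable"]) else "VIOLATION"
        print(f"{status:9} {path} {finding}")
```

The worker's supplementary groups for a real audit come from `os.getgrouplist(user, primary_gid)` rather than a hard-coded set; the example fixes them so the logic is easy to follow. A `VIOLATION` line means the installation grants the worker more than the quoted model allows, not that httpd itself is at fault.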
