7 messages in org.freebsd.freebsd-securityRe: jail and NFS| From | Sent On | Attachments |
|---|---|---|
| zhuravlev alexander | Jan 14, 2002 5:04 am | |
| Steve Shorter | Jan 14, 2002 6:13 am | |
| Robert Watson | Jan 14, 2002 6:42 am | |
| zhuravlev alexander | Jan 14, 2002 9:30 am | |
| zhuravlev alexander | Jan 14, 2002 9:37 am | |
| Ryan C. Creasey | Jan 14, 2002 10:59 am | |
| Robert Watson | Jan 14, 2002 8:03 pm |
| Subject: | Re: jail and NFS | |
|---|---|---|
| From: | zhuravlev alexander (za...@ulstu.ru) | |
| Date: | Jan 14, 2002 9:30:10 am | |
| List: | org.freebsd.freebsd-security | |
On Mon, Jan 14, 2002 at 09:42:26AM -0500, Robert Watson wrote:
If the NFS mount is visible in the jail's namespace, then the jailed processes can access it subject to normal access control restrictions. However, processes in jail are not permitted to mount, remount, or unmount filesystems, so any access to NFS must be configured by a process outside the jail (and preferably, before any untrusted processes run in the jail, so as to prevent racing and path-based games). Typically, when using NFS with a jail, I'll do the NFS mounting prior to actually starting the jail.
thank you. i assume that this is right way too.
Robert N M Watson FreeBSD Core Team, TrustedBSD Project rob...@fledge.watson.org NAI Labs, Safeport Network Services
ps. and as all the time :) sorry for my ugly english :)
-- zhuravlev alexander u l s t u c t c e-mail:za...@ulstu.ru
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message