From: "Michael B. Eichorn"
To: markham breitbach, freebsd-questions@freebsd.org
Date: Mon, 07 Dec 2015 11:26:58 -0500
Subject: Re: OSS in jail

On Mon, 2015-12-07 at 08:58 -0700, markham breitbach wrote:
> This is not a technical problem, and any technical solution will turn
> into a giant Rube-Goldberg contraption that will ultimately fail.

Semantics. It is possible to solve some policy problems with
technological solutions; jails themselves are proof of this.

> Why are you giving out superuser permissions if you wish to restrict
> the activities of your users?
>
> The right answer to this is to not give out superuser permission.

It is entirely possible to parcel out superuser permissions; sudo, jail,
and capsicum are all ways to give out slivers of superuser permissions.
The problem is *hard*, not *impossible*.

> -Markham
>
> On 2015-12-06 12:44 PM, Luís Fernando Schultz Xavier da Silveira wrote:
> > Hi,
> >
> > I would like one of my jails to have the ability to play back sound,
> > but not to record it. As I understand, sound is played back by
> > writing to /dev/dsp and recorded by reading from it. Hence, placing
> > the /dev/dsp device (and /dev/dsp[0-9]* devices) in the jail via
> > devfs.rules is not a solution since the jail superuser can override
> > permissions on these devices and even read from them when they lack
> > read permission.
> >
> > Is there a way to give a device to a jail in read-only mode?
> > If not, is it possible to create a virtual OSS stack and give that
> > to the jail?
> > How would you solve this problem?
> >
> > Also, is it possible to give the jail a mixer device that can only
> > read mixer settings but not alter them?
> >
> > Thanks,
> > Luís
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
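
Added example (not part of the thread, and not code from either poster): the question above turns on device-node permission bits, which the jail superuser can override, whereas the access mode of an already-open descriptor is fixed at open() time. Assuming a hypothetical broker outside the jail that opens the device write-only and passes the descriptor in over a Unix socket, this C program checks that the received descriptor accepts writes and refuses reads. /dev/null stands in for /dev/dsp, and all function names are illustrative.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Aligned control buffer with room for exactly one descriptor. */
union ctl { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };
static void prep(struct msghdr *m, struct iovec *iov, char *byte, union ctl *c) {
    memset(m, 0, sizeof *m); memset(c, 0, sizeof *c);
    iov->iov_base = byte; iov->iov_len = 1; m->msg_iov = iov; m->msg_iovlen = 1;
    m->msg_control = c->buf; m->msg_controllen = sizeof c->buf;
}

/* Hypothetical broker outside the jail: pass an open descriptor. */
static int send_fd(int sock, int fd) {
    char byte = 0; union ctl ctl; struct iovec iov; struct msghdr m;
    prep(&m, &iov, &byte, &ctl);
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}

/* Hypothetical jailed client: receive the descriptor, -1 on failure. */
static int recv_fd(int sock) {
    char byte; union ctl ctl; struct iovec iov; struct msghdr m; int fd;
    prep(&m, &iov, &byte, &ctl);
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* 1: received fd takes write(), refuses read() with EBADF; 0: not; -1: setup failed. */
int playback_only_handoff(const char *path) {
    int sv[2], got = -1, ok = -1; char b = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int dev = open(path, O_WRONLY);      /* access mode is fixed here */
    if (dev >= 0 && send_fd(sv[0], dev) == 0) got = recv_fd(sv[1]);
    if (dev >= 0) close(dev);            /* broker keeps no copy */
    if (got >= 0) ok = write(got, &b, 1) == 1 && read(got, &b, 1) < 0 && errno == EBADF;
    if (got >= 0) close(got);
    close(sv[0]); close(sv[1]);
    return ok;
}

int main(void) { return playback_only_handoff("/dev/null") == 1 ? 0 : 1; }
```

The access mode governs read() and write() only; which ioctl() calls the driver accepts on such a descriptor is a separate question.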