From owner-freebsd-current@FreeBSD.ORG  Fri Jun 12 19:35:07 2009
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 26541106564A
	for <freebsd-current@freebsd.org>; Fri, 12 Jun 2009 19:35:07 +0000 (UTC)
	(envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from mail.cksoft.de (mail.cksoft.de [195.88.108.3])
	by mx1.freebsd.org (Postfix) with ESMTP id CEC978FC08
	for <freebsd-current@freebsd.org>; Fri, 12 Jun 2009 19:35:06 +0000 (UTC)
	(envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from localhost (amavis.fra.cksoft.de [192.168.74.71])
	by mail.cksoft.de (Postfix) with ESMTP id 2230D41C712;
	Fri, 12 Jun 2009 21:35:06 +0200 (CEST)
X-Virus-Scanned: amavisd-new at cksoft.de
Received: from mail.cksoft.de ([195.88.108.3])
	by localhost (amavis.fra.cksoft.de [192.168.74.71]) (amavisd-new,
	port 10024)
	with ESMTP id e5AX+J-1dC01; Fri, 12 Jun 2009 21:35:05 +0200 (CEST)
Received: by mail.cksoft.de (Postfix, from userid 66)
	id B4B3241C70A; Fri, 12 Jun 2009 21:35:05 +0200 (CEST)
Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net
	[10.111.66.10])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.int.zabbadoz.net (Postfix) with ESMTP id D1F97444900;
	Fri, 12 Jun 2009 19:30:09 +0000 (UTC)
Date: Fri, 12 Jun 2009 19:30:09 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
X-X-Sender: bz@maildrop.int.zabbadoz.net
To: Jamie Gritton <jamie@FreeBSD.org>
In-Reply-To: <4A32AAB4.8010602@FreeBSD.org>
Message-ID: <20090612192839.M22887@maildrop.int.zabbadoz.net>
References: <Pine.GSO.4.63.0906111131001.6225@muncher.cs.uoguelph.ca>
	<20090611170448.M22887@maildrop.int.zabbadoz.net>
	<Pine.GSO.4.63.0906121454040.29219@muncher.cs.uoguelph.ca>
	<4A32AAB4.8010602@FreeBSD.org>
X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-current@FreeBSD.org, Rick Macklem <rmacklem@uoguelph.ca>
Subject: Re: kgssapi won't build, I need prison help
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jun 2009 19:35:07 -0000

On Fri, 12 Jun 2009, Jamie Gritton wrote:

> No, nfsd in a proson doesn't make any sense (at least to me).  The NFS
> server itself created its own unjailed cred, so I would expect the
> auxillary stuff needs to be unjailed as well.  You still may want to
> use the cred's jail though - it seems there may be a chance of
> permission escalation otherwise.

An nfsd inside a prison (with a vnet) will make perfect sense; the
code is just not there (yet).  I could not see a reason why it would
no longer be possible to server or (in case of nfsclient) consume NFS
with a complete virtual network stack.

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.