From: "Bjoern A. Zeeb"
Date: Fri, 12 Jun 2009 19:30:09 +0000 (UTC)
To: Jamie Gritton
Cc: freebsd-current@FreeBSD.org, Rick Macklem
Subject: Re: kgssapi won't build, I need prison help

On Fri, 12 Jun 2009, Jamie Gritton wrote:

> No, nfsd in a prison doesn't make any sense (at least to me). The NFS
> server itself created its own unjailed cred, so I would expect the
> auxiliary stuff needs to be unjailed as well. You still may want to
> use the cred's jail though - it seems there may be a chance of
> permission escalation otherwise.

An nfsd inside a prison (with a vnet) will make perfect sense; the code
is just not there (yet). I could not see a reason why it would no
longer be possible to serve or (in case of nfsclient) consume NFS with
a complete virtual network stack.

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.