Date: Fri, 12 Jun 2009 15:56:10 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-current@FreeBSD.org, Jamie Gritton <jamie@FreeBSD.org>
Subject: Re: kgssapi won't build, I need prison help
Message-ID: <Pine.GSO.4.63.0906121554140.7026@muncher.cs.uoguelph.ca>
In-Reply-To: <20090612192839.M22887@maildrop.int.zabbadoz.net>
References: <Pine.GSO.4.63.0906111131001.6225@muncher.cs.uoguelph.ca> <20090611170448.M22887@maildrop.int.zabbadoz.net> <Pine.GSO.4.63.0906121454040.29219@muncher.cs.uoguelph.ca> <4A32AAB4.8010602@FreeBSD.org> <20090612192839.M22887@maildrop.int.zabbadoz.net>

On Fri, 12 Jun 2009, Bjoern A. Zeeb wrote:

> On Fri, 12 Jun 2009, Jamie Gritton wrote:
>
>> No, nfsd in a prison doesn't make any sense (at least to me). The NFS
>> server itself created its own unjailed cred, so I would expect the
>> auxiliary stuff needs to be unjailed as well. You still may want to
>> use the cred's jail though - it seems there may be a chance of
>> permission escalation otherwise.
>
> An nfsd inside a prison (with a vnet) will make perfect sense; the
> code is just not there (yet). I could not see a reason why it would
> no longer be possible to serve or (in case of nfsclient) consume NFS
> with a complete virtual network stack.
>
So, does getcredhostid(curthread->td_ucred) sound ok as a way to get it
working, at least for now? And is adding getcredhostid() a reasonable
patch?

Thanks for the help, rick