Date: Sun, 1 Sep 2002 18:14:45 -0700 (PDT) From: Patrick Thomas <root@utility.clubscholarship.com> To: Robert Watson <rwatson@FreeBSD.org> Cc: <freebsd-hackers@FreeBSD.org> Subject: Re: setting quotas _inside_ a jail for users _inside_ a jail Message-ID: <20020901181045.S58763-100000@utility.clubscholarship.com> In-Reply-To: <20020901114733.K46180-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
No, sorry I think that I was misunderstood - here is my situation: - I have a host machine with no users - just root. - on that host machine I have a vn-backed FS 500 megs in size - on that vn-backed FS, I run a jail - and no other jails share that vn-backed FS (although other jails may share the underlying actual disk FS that the vn is on...) Now, I die in a car accident and nobody ever logs into the host system again or touches anything on the _host system_. Can the root user of the _jail running on the host system_ set up quotas for her users ? Let's assume the root user and all her other users don't even know it is a jail - as far as they are concerned, it's just their freebsd machine. So the question is, can this root user set up quotas ? And if so, some hints on exactly what needs to go into /etc/fstab _inside their jail_, since specifying anything in there seems to have the side effects of: a) not working as expected b) causing the jail not to be startable. thanks, PT On Sun, 1 Sep 2002, Robert Watson wrote: > > On Fri, 30 Aug 2002, Patrick Thomas wrote: > > > I realize the difficulties in trying to use quotas on the _host_ > > system to limit the size of jails on the host system - userid mapping, > > etc. This is not what I am asking. > > > > I wonder, is it possible for the root user of a jail to set quotas > > _inside_ her jail for users _inside_ her jail ? Can anyone simply > > confirm or deny that this is possible ? > > > > Simply following normal protocol does not work, because if you place > > filesystem entries into /etc/fstab inside the jail, the jail will no > > longer start, as it does not have permission to mount or otherwise > > manipulate those filesystems. > > Other than the access control checks in the quota code being influenced by > the jail, there really is no relationship between jails and quotas. > Jails are solely a property of processes and other credential-bearing > kernel objects. Persistent and transient quota information is stored > relative to uids and gids, and quotas are enforced based on those elements > of the process credential, and are not impacted by the jail field. This > means that if a file system is shared by two jails, and a particular uid > is in use in both jails, both sets of processes will be impacted by the > same quota. > > Privileged users can perform quota management calls on any file system > they can name via a visible file object. If quota management calls were > permitted from jail, they could likewise be performed on any file system > visible in the jail. If only appropriate file systems are visible from > the jail, you could add PRISON_ROOT to the flags field of the relevant > suser call. If you expose file systems to the jail that you don't want > the root user in the jail to set quotas on, you may be out of luck. I > take it from your description that you're interested in imposing quotas on > the users in the jail, not quotas on the jail itself? > > Robert N M Watson FreeBSD Core Team, TrustedBSD Projects > robert@fledge.watson.org Network Associates Laboratories > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020901181045.S58763-100000>