From owner-freebsd-hackers Sun Sep 1 18:18: 0 2002 Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 218E637B400; Sun, 1 Sep 2002 18:17:56 -0700 (PDT) Received: from utility.clubscholarship.com (utility.clubscholarship.com [198.78.70.175]) by mx1.FreeBSD.org (Postfix) with ESMTP id B3A0B43E77; Sun, 1 Sep 2002 18:17:55 -0700 (PDT) (envelope-from root@utility.clubscholarship.com) Received: from localhost (root@localhost) by utility.clubscholarship.com (8.11.6/8.11.6) with ESMTP id g821Ejg85150; Sun, 1 Sep 2002 18:14:45 -0700 (PDT) (envelope-from root@utility.clubscholarship.com) Date: Sun, 1 Sep 2002 18:14:45 -0700 (PDT) From: Patrick Thomas To: Robert Watson Cc: Subject: Re: setting quotas _inside_ a jail for users _inside_ a jail In-Reply-To: <20020901114733.K46180-100000@fledge.watson.org> Message-ID: <20020901181045.S58763-100000@utility.clubscholarship.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG No, sorry I think that I was misunderstood - here is my situation: - I have a host machine with no users - just root. - on that host machine I have a vn-backed FS 500 megs in size - on that vn-backed FS, I run a jail - and no other jails share that vn-backed FS (although other jails may share the underlying actual disk FS that the vn is on...) Now, I die in a car accident and nobody ever logs into the host system again or touches anything on the _host system_. Can the root user of the _jail running on the host system_ set up quotas for her users ? Let's assume the root user and all her other users don't even know it is a jail - as far as they are concerned, it's just their freebsd machine. So the question is, can this root user set up quotas ? And if so, some hints on exactly what needs to go into /etc/fstab _inside their jail_, since specifying anything in there seems to have the side effects of: a) not working as expected b) causing the jail not to be startable. thanks, PT On Sun, 1 Sep 2002, Robert Watson wrote: > > On Fri, 30 Aug 2002, Patrick Thomas wrote: > > > I realize the difficulties in trying to use quotas on the _host_ > > system to limit the size of jails on the host system - userid mapping, > > etc. This is not what I am asking. > > > > I wonder, is it possible for the root user of a jail to set quotas > > _inside_ her jail for users _inside_ her jail ? Can anyone simply > > confirm or deny that this is possible ? > > > > Simply following normal protocol does not work, because if you place > > filesystem entries into /etc/fstab inside the jail, the jail will no > > longer start, as it does not have permission to mount or otherwise > > manipulate those filesystems. > > Other than the access control checks in the quota code being influenced by > the jail, there really is no relationship between jails and quotas. > Jails are solely a property of processes and other credential-bearing > kernel objects. Persistent and transient quota information is stored > relative to uids and gids, and quotas are enforced based on those elements > of the process credential, and are not impacted by the jail field. This > means that if a file system is shared by two jails, and a particular uid > is in use in both jails, both sets of processes will be impacted by the > same quota. > > Privileged users can perform quota management calls on any file system > they can name via a visible file object. If quota management calls were > permitted from jail, they could likewise be performed on any file system > visible in the jail. If only appropriate file systems are visible from > the jail, you could add PRISON_ROOT to the flags field of the relevant > suser call. If you expose file systems to the jail that you don't want > the root user in the jail to set quotas on, you may be out of luck. I > take it from your description that you're interested in imposing quotas on > the users in the jail, not quotas on the jail itself? > > Robert N M Watson FreeBSD Core Team, TrustedBSD Projects > robert@fledge.watson.org Network Associates Laboratories > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message