From: markham breitbach
Date: Mon, 7 Dec 2015 08:58:31 -0700
To: freebsd-questions@freebsd.org
Subject: Re: OSS in jail
Message-ID: <5665ACA7.80104@corp.ssimicro.com>
In-Reply-To: <20151206194401.GA3860@hpmini>

This is not a technical problem, and any technical solution will turn into a
giant Rube-Goldberg contraption that will ultimately fail.

Why are you giving out superuser permissions if you wish to restrict the
activities of your users? The right answer to this is to not give out
superuser permission.

-Markham

On 2015-12-06 12:44 PM, Luís Fernando Schultz Xavier da Silveira wrote:
> Hi,
>
> I would like one of my jails to have the ability to play back sound,
> but not to record it. As I understand, sound is played back by writing
> to /dev/dsp and recorded by reading from it. Hence, placing the /dev/dsp
> device (and /dev/dsp[0-9]* devices) in the jail via devfs.rules is not
> a solution since the jail superuser can override permissions on these
> devices and even read from them when they lack read permission.
>
> Is there a way to give a device to a jail in read-only mode?
> If not, is it possible to create a virtual OSS stack and give that to
> the jail?
> How would you solve this problem?
>
> Also, is it possible to give the jail a mixer device that can only read
> mixer settings but not alter them?
>
> Thanks,
> Luís