From owner-freebsd-security  Mon Jan 14  6:42:43 2002
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id 082BA37B417
	for <security@freebsd.org>; Mon, 14 Jan 2002 06:42:41 -0800 (PST)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.11.6/8.11.5) with SMTP id g0EEgQD25989;
	Mon, 14 Jan 2002 09:42:26 -0500 (EST)
	(envelope-from robert@fledge.watson.org)
Date: Mon, 14 Jan 2002 09:42:26 -0500 (EST)
From: Robert Watson <rwatson@freebsd.org>
X-Sender: robert@fledge.watson.org
To: zhuravlev alexander <zaa@ulstu.ru>
Cc: security@freebsd.org
Subject: Re: jail and NFS
In-Reply-To: <20020114160455.A44661@ulstu.ru>
Message-ID: <Pine.NEB.3.96L.1020114094053.25539D-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

If the NFS mount is visible in the jail's namespace, then the jailed
processes can access it subject to normal access control restrictions.
However, processes in jail are not permitted to mount, remount, or unmount
filesystems, so any access to NFS must be configured by a process outside
the jail (and preferably, before any untrusted processes run in the jail,
so as to prevent racing and path-based games).  Typically, when using NFS
with a jail, I'll do the NFS mounting prior to actually starting the jail. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Mon, 14 Jan 2002, zhuravlev alexander wrote:

> hello
> is it possible in jailed box mount nfs shares ? 
> 
> thanks.
> sorry if this is not correct list to post this message.
> 
> --
> zhuravlev alexander
>  u l s t u  c t c
> e-mail:zaa@ulstu.ru
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message