From: "."@babolo.ru
To: Matthew Dillon
Cc: Poul-Henning Kamp, hackers@FreeBSD.ORG
Date: Thu, 14 Nov 2002 07:14:29 +0300 (MSK)
Subject: Re: tty/pty devices not safe in jail?
Message-Id: <200211140414.gAE4EUSH094888@aaz.links.ru>
In-Reply-To: <200211132001.gADK188f001694@apollo.backplane.com>

> Would people be interested if I added such a feature? Limit the
> highest allocatable pty to 90% when operating within a jail? e.g.
> if you have 256 ptys both jail and normal tend to allocate ptys
> from the bottom up, but the jail would not be allowed to allocate
> past pty #227. This way if a jail eats all the ptys the sysadmin
> can still ssh in.

I think there is a method to limit ptys without a code change now.
Usually my jail environment has the only fs without 'nodev' mounted
in the jail's /dev, and this file system's directories are protected by flags:

0myth/home/CVShome/ispdb-sfbsdr/ispdb(13)>l -o /jail/vhost/aaz/dev/
total 4
2 drwxr-xr-x   3 root  wheel  schg,sunlnk 1536 15 сен 02:57 ./
1 drwxr-xr-x  15 root  wheel  -            512 10 сен 20:42 ../
0 lrwx------   1 root  wheel  -              4 15 сен 02:57 console@ -> null
1 dr-xr-xr-x   2 root  wheel  schg,sunlnk 1024 15 сен 02:57 fd/
0 lrwx------   1 root  wheel  -              4 15 сен 02:57 kmem@ -> null
0 lrwx------   1 root  wheel  -              4 15 сен 02:57 mem@ -> null
0 crw-rw-rw-   1 root  wheel  sunlnk      2, 2 14 ноя 06:58 null
0 crw-rw-rw-   1 root  wheel  sunlnk      6, 0 13 ноя 18:29 ptyp0
0 crw-rw-rw-   1 root  wheel  sunlnk      6, 1 14 ноя 04:06 ptyp1
....

and only a limited number of ptys in that /dev.

I use vn with labels set for a lot of /dev directories for jails:

0myth/home/CVShome/ispdb-sfbsdr/ispdb(16)>grep vn /etc/fstab
/dev/vn7s1b /jail/vhost/aaz/dev ufs rw,noauto 0 0
...
0myth/home/CVShome/ispdb-sfbsdr/ispdb(17)>cat /etc/rc.local
/usr/bin/gunzip -c /full.gz > /full
/usr/sbin/vnconfig -cs labels /dev/vn7 /full
/sbin/mount /jail/vhost/aaz/dev
...

-- 
@BABOLO http://links.ru/
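An audit of the layout described in the message above, as an added example that is not part of the original message: it reads a listing in the column order shown there (blocks, mode, links, owner, group, flags, ...) and checks that directories carry schg, that the number of pty nodes stays within a chosen limit, and that mem/kmem are not real device nodes. The function name `audit_jail_dev`, the limit argument and the mem/kmem check are assumptions drawn from the listing, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original message.
# audit_jail_dev MAX_PTYS: listing on stdin, one finding per line on stdout,
# or "OK" when nothing is wrong.
audit_jail_dev() {
    awk -v max="$1" '
    NF < 7 { next }                          # skip "total N", "....", blanks
    { mode = $2; flags = $6; name = $NF }
    mode ~ /^l/ { next }                     # symlinks such as kmem@ -> null
    mode ~ /^d/ && name !~ /^\.\.\/?$/ && flags !~ /(^|,)schg(,|$)/ {
        print "FAIL dir without schg: " name; bad++
    }
    mode ~ /^c/ && name ~ /^pty/ { ptys++ }  # count pty nodes present
    mode ~ /^c/ && (name == "mem" || name == "kmem") {
        print "FAIL real device node: " name; bad++
    }
    END {
        if (ptys > max) { print "FAIL " ptys " ptys, limit " max; bad++ }
        if (!bad) print "OK"
    }'
}

# Constructed sample listings (not real output).
SAMPLE_GOOD='total 4
2 drwxr-xr-x 3 root wheel schg,sunlnk 1536 Sep 15 02:57 ./
1 drwxr-xr-x 15 root wheel - 512 Sep 10 20:42 ../
0 lrwx------ 1 root wheel - 4 Sep 15 02:57 kmem@ -> null
0 crw-rw-rw- 1 root wheel sunlnk 2, 2 Nov 14 06:58 null
0 crw-rw-rw- 1 root wheel sunlnk 6, 0 Nov 13 18:29 ptyp0
0 crw-rw-rw- 1 root wheel sunlnk 6, 1 Nov 14 04:06 ptyp1'

SAMPLE_BAD='total 4
2 drwxr-xr-x 3 root wheel schg,sunlnk 1536 Sep 15 02:57 ./
1 dr-xr-xr-x 2 root wheel - 1024 Sep 15 02:57 fd/
0 crw-r----- 1 root kmem - 2, 1 Sep 15 02:57 kmem
0 crw-rw-rw- 1 root wheel sunlnk 6, 0 Nov 13 18:29 ptyp0
0 crw-rw-rw- 1 root wheel sunlnk 6, 1 Nov 14 04:06 ptyp1
0 crw-rw-rw- 1 root wheel sunlnk 6, 2 Nov 14 04:06 ptyp2'

printf '%s\n' "$SAMPLE_GOOD" | audit_jail_dev 2
printf '%s\n' "$SAMPLE_BAD"  | audit_jail_dev 2
```

On a FreeBSD host the same function can be fed from `ls -lso` on the jail's /dev directory, which produces this column order.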