From owner-freebsd-questions@FreeBSD.ORG Mon Apr 26 07:03:54 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C9E3D16A4CE for ; Mon, 26 Apr 2004 07:03:54 -0700 (PDT) Received: from hobbiton.shire.net (hobbiton.shire.net [206.71.64.250]) by mx1.FreeBSD.org (Postfix) with ESMTP id 926BF43D3F for ; Mon, 26 Apr 2004 07:03:54 -0700 (PDT) (envelope-from chad@shire.net) Received: from [67.161.247.57] (helo=[192.168.99.66]) by hobbiton.shire.net with asmtp (TLSv1:RC4-SHA:128) (Exim 4.10) id 1BI6i9-000Om0-00; Mon, 26 Apr 2004 08:03:53 -0600 In-Reply-To: <200404261342.48970.h@schmalzbauer.de> References: <87fzaravaj.fsf@deneb.enyo.de> <200404261342.48970.h@schmalzbauer.de> Mime-Version: 1.0 (Apple Message framework v613) Message-Id: <8A17357B-978A-11D8-91B5-003065A70D30@shire.net> From: "Chad Leigh -- Shire.Net LLC" Date: Mon, 26 Apr 2004 08:03:48 -0600 To: antwort@schmalzbauer.de X-Mailer: Apple Mail (2.613) Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on hobbiton.shire.net X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60 X-Spam-Level: cc: Florian Weimer cc: freebsd-questions@freebsd.org Subject: Re: Jail organization X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Apr 2004 14:03:54 -0000 On Apr 26, 2004, at 5:42 AM, Harald Schmalzbauer wrote: > > Use mount_nullfs whenever you need more than the spezialized jail > itself was > designed for, eg. when installing a new port > mount_nullfs /hostusr/ports /jailuser/ports. > I explicitly use one single label for each jail. Don't forget in case > of a > compromised jail the hacker could simply fill up your filesystem when > you use > only directories. > > -Harry > I have stated away from mount_nullfs because the man page for it (on 5-2-CURRENT) still says: BUGS THIS FILE SYSTEM TYPE IS NOT YET FULLY SUPPORTED (READ: IT DOESN'T WORK) AND USING IT MAY, IN FACT, DESTROY DATA ON YOUR SYSTEM. USE AT YOUR OWN RISK. BEWARE OF DOG. SLIPPERY WHEN WET. This code also needs an owner in order to be less dangerous - serious hackers can apply by sending mail to and announcing their intent to take it over. HISTORY The mount_nullfs utility first appeared in 4.4BSD. Is this still true? Is it safe to use, at least in a read only situation? I have been remounting various parts of the filesystem in read only state using nfs from the local filesystem, ie, % mount localhost:/jailmaster/usr /jail/usr Chad