From owner-freebsd-security Mon Jan 14 9:30:47 2002
Date: Mon, 14 Jan 2002 20:30:32 +0300
From: zhuravlev alexander
To: security@freebsd.org
Subject: Re: jail and NFS
Message-ID: <20020114203031.A59312@ulstu.ru>
References: <20020114160455.A44661@ulstu.ru>

On Mon, Jan 14, 2002 at 09:42:26AM -0500, Robert Watson wrote:
> If the NFS mount is visible in the jail's namespace, then the jailed
> processes can access it subject to normal access control restrictions.
> However, processes in jail are not permitted to mount, remount, or unmount
> filesystems, so any access to NFS must be configured by a process outside
> the jail (and preferably, before any untrusted processes run in the jail,
> so as to prevent racing and path-based games). Typically, when using NFS
> with a jail, I'll do the NFS mounting prior to actually starting the jail.
>

Thank you. I assume that this is the right way too.

> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org      NAI Labs, Safeport Network Services
>

P.S. And, as always :) sorry for my ugly English :)

--
zhuravlev alexander
u l s t u  c t c
e-mail:zaa@ulstu.ru
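
A host-side pre-start check for the ordering described in the quoted reply, as an added example that is not part of the original thread: it refuses to start a jail until every NFS entry that fstab places under the jail root is mounted. The function names, the use of `mount -p` output as the mount table, and the classic `jail path hostname ip command` invocation are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Runs on the host, outside the jail.

# missing_nfs_mounts JAIL_ROOT FSTAB MOUNT_TABLE
# FSTAB and MOUNT_TABLE are files in fstab(5) format; on FreeBSD the mount
# table can be produced with `mount -p`. Prints each NFS mount point that is
# configured under JAIL_ROOT but not mounted; returns 0 only if none is missing.
missing_nfs_mounts() {
    awk -v root="${1%/}" -v table="$3" '
        # True when p is the jail root or lies below it. Matching on root "/"
        # keeps /jails/www from also matching /jails/www2.
        function inside(p) { return p == root || index(p, root "/") == 1 }
        # Mount table: remember the NFS mount points that are live right now.
        FILENAME == table { if ($3 == "nfs") live[$2] = 1; next }
        # fstab: skip comments, report NFS entries in the jail that are not live.
        /^[ \t]*#/ { next }
        $3 == "nfs" && inside($2) && !($2 in live) { print $2; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$3" "$2"
}

# start_jail_checked JAIL_ROOT HOSTNAME IP COMMAND
# Hypothetical wrapper: takes a snapshot of the mount table, checks it, and
# only then hands the arguments to jail(8).
start_jail_checked() {
    tmp=$(mktemp) || return 1
    mount -p > "$tmp"
    if missing=$(missing_nfs_mounts "$1" /etc/fstab "$tmp"); then
        rm -f "$tmp"
        jail "$1" "$2" "$3" "$4"
    else
        rm -f "$tmp"
        echo "not starting jail, NFS not mounted: $missing" >&2
        return 1
    fi
}
```
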