Date: Mon, 13 Mar 2017 09:31:43 -0000
From: DaLynX <d@l.ynx.fr>
To: "CyberLeo Kitsana" <cyberleo@cyberleo.net>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: Jail limited user cannot access host mountpoint although jail root can
Message-ID: <bKefnGr5uJG9Iq4fztHkwcazXH4k2cJ7xb2L2NWN21ab@mailpile>
In-Reply-To: <90c205ea-fbaf-14de-4c83-81421838510b@cyberleo.net>
References: <90c205ea-fbaf-14de-4c83-81421838510b@cyberleo.net>
CyberLeo Kitsana <cyberleo@cyberleo.net> wrote:
>
> Fuse filesystems include an additional security measure by
> default whereby only the uid of the mounter is permitted to
> access the mountpoint; even root is forbidden from accessing
> non-root fuse mounts.
>
> Read up on the allow_other fuse mount option for further
> details.
>

Yes, that was it! Thank you very much for your help!

I still cannot mount fuse from inside the jail, and I understand it is
because it is not jail-friendly (as listed by lsvfs), but I can mount
them from the host and access them correctly inside.

From owner-freebsd-questions@freebsd.org Mon Mar 13 19:41:57 2017
Message-ID: <58C6F4D2.1050203@omnilan.de>
Date: Mon, 13 Mar 2017 20:36:50 +0100
From: Harry Schmalzbauer <freebsd@omnilan.de>
Organization: OmniLAN
To: Doug McIntyre <merlyn@geeks.org>
CC: freebsd-questions@freebsd.org
Subject: Re: sudo alternatives; for the minimalists
References: <58C6BDC0.7070307@omnilan.de> <CAByiw+p0cM+O-wd8uoo0Kp8BNEiQvrrmQuK858ALAR9bTfJThA@mail.gmail.com> <58C6D50B.8030803@omnilan.de> <20170313173427.GA83078@geeks.org>
In-Reply-To: <20170313173427.GA83078@geeks.org>

Regarding Doug McIntyre's message of 13.03.2017 18:34 (localtime):
> On Mon, Mar 13, 2017 at 06:21:15PM +0100, Harry Schmalzbauer wrote:
>> Regarding Phil Eaton's message of 13.03.2017 16:48 (localtime):
>>> How do you feel about the security/doas port from OpenBSD?
>>
>> Thanks, most likely worth a look. But it has no credentials caching,
>> does it?
>> That's my most wanted feature, otherwise I'm still fine with su (no
>> classic user privileging needed, only for admin tasks)
>
> I think you are collapsing two features into one with this requirement,
> and I'm not sure what you are expecting.
>
> One way to do what I think you are looking for is you can use SSH
> public-key auth to PAM authenticate in as root privileges into a server.
>
> eg. see this discussion thread.
>
> https://forums.freebsd.org/threads/35645/
>
>
> Another way keychain/SSH is used, is as an ssh-agent (probably likely
> of what you are looking for)
>
> I was trying to find a decent web page (ie. more than a mention
> of how to run ssh-agent), but ran across a wrapper that did a bit
> more with it for you.
>
> http://www.funtoo.org/index.php?title=Keychain
>
> with links to a better description of ssh-agent and using it, even if
> they are a bit dated (ie. ignore the part about DSA keys altogether).

Thanks, but I'm really only looking for some kind of "'su -c' credential
caching". I have been using gpg-agent ever since, and it handles my ssh keys
perfectly. But of course I'm not logging in as SuperUser, just as a regular
user with wheel membership.
So I'm logged in by pub-key auth with passphrase from gpg-agent as a regular
user – convenient so far. But now I have to re-type the SuperUser password
any time I utilize 'su -c', which is often :-(
On MacOS, I just have to do SuperUser privilege authorization once, then
sudo doesn't ask on subsequent calls. That's what I'm looking for :-)

Thanks,

-harry
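The behaviour described for macOS above is sudo's timestamp mechanism, and it is tunable in sudoers on the security/sudo port as well. The fragment below is an added example for this editorial copy, not something posted in the thread; the 15-minute value and the wheel rule are illustrative choices, and the option names are the documented sudoers(5) Defaults.

```sudoers
# Added example (not from the thread): sudoers settings that control how
# long sudo caches a successful authentication. Check with "visudo -c"
# before installing, and never edit /usr/local/etc/sudoers without visudo.

# Cache a successful authentication for 15 minutes (the sudo default is 5).
# 0 prompts on every call; a negative value keeps the cache until
# "sudo -k" is run or the system reboots.
Defaults timestamp_timeout=15

# Scope the cache to the terminal rather than the uid ("global"), so an
# authenticated shell on one tty does not hand silent root to every other
# session of the same user, e.g. a process started from another SSH login.
Defaults timestamp_type=tty

# wheel members may run anything, but must authenticate first.
# Do not reach for NOPASSWD here: that removes authentication entirely
# instead of caching it.
%wheel ALL=(ALL) ALL
```

Within the window, `sudo -v` extends the cache and `sudo -k` ends it early; the trade-off to keep in mind is that anything able to run commands in that terminal session during the window gets root without a prompt, which is why keeping the scope per tty and the timeout short matters more than the exact number.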
