From owner-freebsd-questions@freebsd.org Mon Mar 13 18:33:09 2017
Subject: Re: Jail limited user cannot access host mountpoint although jail root can
From: DaLynX
To: CyberLeo Kitsana
Cc: freebsd-questions
In-Reply-To: <90c205ea-fbaf-14de-4c83-81421838510b@cyberleo.net>
References: <90c205ea-fbaf-14de-4c83-81421838510b@cyberleo.net>
Date: Mon, 13 Mar 2017 09:31:43 -0000
CyberLeo Kitsana wrote:
>
> Fuse filesystems include an additional security measure by
> default whereby only the uid of the mounter is permitted to
> access the mountpoint; even root is forbidden from accessing
> non-root fuse mounts.
>
> Read up on the allow_other fuse mount option for further
> details.
>

Yes, that was it! Thank you very much for your help!

I still cannot mount fuse from inside the jail, and I understand it is
because it is not jail-friendly (as listed by lsvfs), but I can mount
them from the host and access them correctly inside.

From owner-freebsd-questions@freebsd.org Mon Mar 13 19:41:57 2017
Message-ID: <58C6F4D2.1050203@omnilan.de>
Date: Mon, 13 Mar 2017 20:36:50 +0100
From: Harry Schmalzbauer
Organization: OmniLAN
To: Doug McIntyre
CC: freebsd-questions@freebsd.org
Subject: Re: sudo alternatives; for the minimalists
References: <58C6BDC0.7070307@omnilan.de> <58C6D50B.8030803@omnilan.de> <20170313173427.GA83078@geeks.org>
In-Reply-To: <20170313173427.GA83078@geeks.org>

Regarding Doug McIntyre's message of 13.03.2017 18:34 (localtime):
> On Mon, Mar 13, 2017 at 06:21:15PM +0100, Harry Schmalzbauer wrote:
>> Regarding Phil Eaton's message of 13.03.2017 16:48 (localtime):
>>> How do you feel about the security/doas port from OpenBSD?
>>
>> Thanks, most likely worth a look. But it has no credentials caching,
>> does it?
>> That's my most wanted feature, otherwise I'm still fine with su (no
>> classic user privileging needed, only for admin tasks)
>
> I think you are collapsing two features into one with this requirement,
> and I'm not sure what you are expecting.
>
> One way to do what I think you are looking for is you can use SSH
> public-key auth to PAM authenticate in as root privileges into a server.
>
> e.g. see this discussion thread.
>
> https://forums.freebsd.org/threads/35645/
>
>
> Another way keychain/SSH is used, is as an ssh-agent (probably likely
> of what you are looking for)
>
> I was trying to find a decent web page (i.e. more than a mention
> of how to run ssh-agent), but ran across a wrapper that did a bit
> more with it for you.
>
> http://www.funtoo.org/index.php?title=Keychain
>
> with links to a better description of ssh-agent and using it, even if
> they are a bit dated (i.e. ignore the part about DSA keys altogether).

Thanks, but I'm really only looking for some kind of "'su -c' credential
caching".
I'm using gpg-agent ever since, which handles my ssh-keys perfectly.
But of course I'm not logging in as SuperUser, just as a regular user with
wheel membership.
So I'm logged in by pub-key auth with passphrase from gpg-agent as a regular
user – convenient so far.
But now I have to re-type the SuperUser password any time I utilize 'su -c',
which is often :-(

On MacOS, I just have to do SuperUser privilege authorization once, then
sudo doesn't ask on subsequent calls.

That's what I'm looking for :-)

Thanks,

-harry