From: Stas Verberkt
To: freebsd-questions@freebsd.org
Date: Wed, 1 Feb 2012 08:30:31 +0100
Subject: Securely sharing directories between jails

L.S.,

I want to set up my system in a way where applications are clustered over jails, e.g. a httpd, smbd and dbmsd jail. However, in most cases I need to share data over the jails, which is stored on the host. Often, nullfs and mounting ro is suitable, but I need write access in some cases.

As nullfs rw over multiple jails can be considered insecure, I was wondering what would be a secure way. The only thing I could come up with was having both an NFS server and client running on the host and mounting such that all access is mapped to an account with fewer privileges. However, it seems like a waste to NFS with yourself.

Thus, are there any better ways to achieve this? (I also thought of using nosuid flags, but I'm not sure if this is enough.)

Kind regards,

Stas Verberkt