Date: Fri, 2 Jun 2006 02:26:55 -0300
From: "André Braga" <meianoite@gmail.com>
To: "Robert Watson" <rwatson@freebsd.org>
Cc: ozawa@ongs.co.jp, dkirhlarov@oilspace.com, freebsd-hackers@freebsd.org, Dag-Erling Smørgrav <des@des.no>, Daichi GOTO <daichi@freebsd.org>, freebsd-fs@freebsd.org, freebsd-current@freebsd.org, kris@obsecurity.org, Alexander Leidinger <Alexander@leidinger.net>
Subject: Re: [ANN] unionfs patchset-13 release
Message-ID: <2ad73a0606012226h75e03deck653c34f98e98233c@mail.gmail.com>
In-Reply-To: <20060601133410.M37536@fledge.watson.org>
References: <E1F5gbI-000Eea-B7@cs1.cs.huji.ac.il> <4417DD8D.3050201@freebsd.org> <4433CA53.5050000@freebsd.org> <444E13BA.8050902@freebsd.org> <4475C119.1020305@freebsd.org> <447C919B.20303@freebsd.org> <86bqteikj4.fsf@xps.des.no> <20060531133814.acykloyqhkcccg80@netchild.homeip.net> <2ad73a0605311125h7ac8a927t33bbfadf9fe18c33@mail.gmail.com> <20060601133410.M37536@fledge.watson.org>

On 6/1/06, Robert Watson <rwatson@freebsd.org> wrote:
> On Wed, 31 May 2006, André Braga wrote:
[snip]
> > I also have this feeling that ACLs also aren't respected inside
> > jails or can be overwritten as easily as shown below
>
> By "ACLs also aren't respected inside jails", do you mean, "ACLs don't work in
> jail", or do you mean, "ACLs don't work with unionfs"?  They are believed
> firmly to work with jail, and if you have evidence to the contrary, a PR
> pointer would be greatly appreciated so it can be investigated.

s/"jails"/"unionfs with the -b option". Sorry.

I intended to use unionfs to keep a single "pristine" tree with
nothing but what installworld/distribution puts in there, and then
layer several other mountpoints on top of it to handle several jails,
each to every service my server would offer: web, mail, database,
RADIUS, LDAP and users' home directories. This works best by mounting
the pristine tree *below* those mountpoints.

However, as demonstrated by the test case on my previous message, more
sophisticated access control mechanisms, like immutable flags, are not
handled by the patchset as per the -p11 version (and I still don't
know whether this behaviour was fixed on subsequent patches up to
-p13. Would someone enlighten me?).

This is why I mentioned that ACLs are probably not correctly handled
by "unionfs with the mount below option" either. This has nothing to
do with jails per se, but to unionfs. Sorry if I alarmed anyone :)

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2ad73a0606012226h75e03deck653c34f98e98233c>