From: Rick Macklem
Date: Fri, 12 Jun 2009 15:56:10 -0400 (EDT)
To: "Bjoern A. Zeeb"
Cc: freebsd-current@FreeBSD.org, Jamie Gritton
Subject: Re: kgssapi won't build, I need prison help

On Fri, 12 Jun 2009, Bjoern A. Zeeb wrote:

> On Fri, 12 Jun 2009, Jamie Gritton wrote:
>
>> No, nfsd in a prison doesn't make any sense (at least to me). The NFS
>> server itself created its own unjailed cred, so I would expect the
>> auxiliary stuff needs to be unjailed as well. You still may want to
>> use the cred's jail though - it seems there may be a chance of
>> permission escalation otherwise.
>
> An nfsd inside a prison (with a vnet) will make perfect sense; the
> code is just not there (yet). I could not see a reason why it would
> no longer be possible to serve or (in case of nfsclient) consume NFS
> with a complete virtual network stack.
>

So, does getcredhostid(curthread->td_ucred) sound ok as a way to get it
working, at least for now? And is adding getcredhostid() a reasonable patch?

Thanks for the help, rick