Date:      Mon, 07 Dec 2015 11:26:58 -0500
From:      "Michael B. Eichorn" <ike@michaeleichorn.com>
To:        markham breitbach <markhamb@corp.ssimicro.com>,  freebsd-questions@freebsd.org
Subject:   Re: OSS in jail
Message-ID:  <1449505618.1126.19.camel@michaeleichorn.com>
In-Reply-To: <5665ACA7.80104@corp.ssimicro.com>
References:  <20151206194401.GA3860@hpmini> <5665ACA7.80104@corp.ssimicro.com>

On Mon, 2015-12-07 at 08:58 -0700, markham breitbach wrote:
> 
> This is not a technical problem, and any technical solution will turn
> into a giant Rube-Goldberg contraption that will ultimately fail.

Semantics. It is possible to solve some policy problems with
technological solutions; jails themselves are proof of this.

> 
> Why are you giving out superuser permissions if you wish to restrict
> the activities of your users?
> 
> The right answer to this is to not give out superuser permission.

It is entirely possible to parcel out superuser permissions: sudo,
jail, and capsicum are all ways to give out slivers of superuser
permissions. The problem is *hard*, not *impossible*.

> 
> -Markham
> 
> On 2015-12-06 12:44 PM, Luís Fernando Schultz Xavier da Silveira
> wrote:
> > Hi,
> > 
> > I would like one of my jails to have the ability to play back sound,
> > but not to record it. As I understand, sound is played back by writing
> > to /dev/dsp and recorded by reading from it. Hence, placing the /dev/dsp
> > device (and /dev/dsp[0-9]* devices) in the jail via devfs.rules is not
> > a solution since the jail superuser can override permissions on these
> > devices and even read from them when they lack read permission.
> > 
> > Is there a way to give a device to a jail in read-only mode?
> > If not, is it possible to create a virtual OSS stack and give that to
> > the jail?
> > How would you solve this problem?
> > 
> > Also, is it possible to give the jail a mixer device that can only read
> > mixer settings but not alter them?
> > 
> > Thanks,
> > Luís
> > 
> > 
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@fre
> > ebsd.org"
> > 
> 
