Date: Thu, 14 Nov 2002 07:14:29 +0300 (MSK)
From: "."@babolo.ru
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: Poul-Henning Kamp <phk@critter.freebsd.dk>, hackers@FreeBSD.ORG
Subject: Re: tty/pty devices not safe in jail?
Message-ID: <200211140414.gAE4EUSH094888@aaz.links.ru>
In-Reply-To: <200211132001.gADK188f001694@apollo.backplane.com>

> Would people be interested if I added such a feature? Limit the
> highest allocatable pty to 90% when operating within a jail? e.g.
> if you have 256 ptys both jail and normal tend to allocate ptys
> from the bottom up, but the jail would not be allowed to allocate
> past pty #227. This way if a jail eats all the ptys the sysadmin
> can still ssh in.

I think there is a method to limit ptys without a code change now.
Usually my jail environment has the only fs without 'nodev'
mounted in the jail's /dev, and this file system's directories
are protected by flags:

0myth/home/CVShome/ispdb-sfbsdr/ispdb(13)>l -o /jail/vhost/aaz/dev/
total 4
2 drwxr-xr-x   3 root  wheel  schg,sunlnk 1536 15 сен 02:57 ./
1 drwxr-xr-x  15 root  wheel  -            512 10 сен 20:42 ../
0 lrwx------   1 root  wheel  -              4 15 сен 02:57 console@ -> null
1 dr-xr-xr-x   2 root  wheel  schg,sunlnk 1024 15 сен 02:57 fd/
0 lrwx------   1 root  wheel  -              4 15 сен 02:57 kmem@ -> null
0 lrwx------   1 root  wheel  -              4 15 сен 02:57 mem@ -> null
0 crw-rw-rw-   1 root  wheel  sunlnk      2, 2 14 ноя 06:58 null
0 crw-rw-rw-   1 root  wheel  sunlnk      6, 0 13 ноя 18:29 ptyp0
0 crw-rw-rw-   1 root  wheel  sunlnk      6, 1 14 ноя 04:06 ptyp1
....

and only a limited number of ptys in that /dev.

I use vn with labels set for a lot of /dev
directories for jails:

0myth/home/CVShome/ispdb-sfbsdr/ispdb(16)>grep vn /etc/fstab
/dev/vn7s1b /jail/vhost/aaz/dev ufs rw,noauto 0 0
...
0myth/home/CVShome/ispdb-sfbsdr/ispdb(17)>cat /etc/rc.local
/usr/bin/gunzip -c /full.gz > /full
/usr/sbin/vnconfig -cs labels /dev/vn7 /full
/sbin/mount /jail/vhost/aaz/dev
...

--
@BABOLO      http://links.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
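
An added example, not part of the original message or of FreeBSD: a shell function that audits a jail /dev listing in the column layout shown above, counting pty master nodes against a limit and flagging any other real device node. The function name, the MAX_PTYS argument, the allowlist (null and pty slaves only) and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Audits a jail /dev listing in the column layout shown in
# the message (block count, mode, links, owner, group, flags, ..., name).
# Usage: audit_jail_dev MAX_PTYS < listing
# Prints one finding per line; exit status 0 = clean, 1 = findings.
audit_jail_dev() {
    awk -v max="$1" '
    NF < 9 { next }                      # "total N", "...." and blank lines
    {
        type = substr($2, 1, 1)          # first character of the mode column
        # Symlink rows end in "name@ -> target"; other rows end in the name.
        name = (type == "l") ? $(NF - 2) : $NF
        sub("[@/]$", "", name)           # drop the type suffix ls appends
        if (type != "c" && type != "b") next
        if (name ~ /^pty[p-sP-S][0-9a-v]$/) {
            ptys++                       # pty master node
        } else if (name !~ /^(null|tty[p-sP-S][0-9a-v])$/) {
            # Assumed allowlist: only null and pty slaves may be real nodes.
            print "unexpected device node: " name
            bad = 1
        }
    }
    END {
        if (ptys > max) {
            print "too many pty masters: " ptys " > " max
            bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample (same shape as the listing in the message).
SAMPLE_LISTING='total 4
2 drwxr-xr-x  3 root wheel schg,sunlnk 1536 15 Sep 02:57 ./
0 lrwx------  1 root wheel -              4 15 Sep 02:57 kmem@ -> null
0 lrwx------  1 root wheel -              4 15 Sep 02:57 mem@ -> null
0 crw-rw-rw-  1 root wheel sunlnk      2, 2 14 Nov 06:58 null
0 crw-rw-rw-  1 root wheel sunlnk      6, 0 13 Nov 18:29 ptyp0
0 crw-rw-rw-  1 root wheel sunlnk      6, 1 14 Nov 04:06 ptyp1'

printf '%s\n' "$SAMPLE_LISTING" | audit_jail_dev 2 && echo "jail /dev OK"
```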
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200211140414.gAE4EUSH094888>