Date:      Thu, 16 Aug 2012 12:56:36 -0700
From:      Devin Teske <>
To:        <>
Cc:        Devin Teske <>, freebsd-questions Questions <>
Subject:   Re: can a jail have link to outside of the jail?
Message-ID:  <>
In-Reply-To: <>
References:  <>


On Aug 16, 2012, at 11:51 AM, Len Conrad wrote:

> I have an ssh user who needs only to search some log files not in his jail. The jail is required because I don't want the user seeing the rest of the machine. If the dirs were linked to his jail, would that work?

To show a directory from a base-host to a member-jail, I'd recommend using a nullfs-mount.

Furthermore, you can automate the process in 2 different ways (scoped differently depending on how you use jails).

You can add jail_{name}_mount_enable="YES" to rc.conf(5), which enables the automatic handling of /etc/fstab.{name} every time you perform a "service jail start|stop|restart {name}" (the mount will automatically be mounted and unmounted on demand as the jail is brought up and down, irrespective of the base host but respective to each jail). You'd load your /etc/fstab.{name} with your nullfs mounts.

The second way is of course to put all your nullfs mounts into /etc/fstab (proper) but mark them as "noauto" (if desired) and optionally (if going the noauto approach) add jail_{name}_exec_prestart="mount dirname" and likewise [optional] jail_{name}_exec_poststop="umount dirname".

All depending on how you use jails.

If you'd of course rather prefer all the mounts come up at boot and go from permanent directories to permanent directories (which you know will never go away), _and_ you like the idea of not having mounts going up and down with your jails (perhaps you're fine-tuning your jail's startup), I'd say throw them into /etc/fstab full-auto and not associate them with the jails. But it's all up to you.

Hope that helps.

> What I'd really like is something like ftpchroot but for ssh.

Hmmm, does the above approach work better? Just exposing one directory to his jail via nullfs?

> suggestions?


The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
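A worked version of the first approach in the reply above (jail_{name}_mount_enable plus /etc/fstab.{name}), added here as an example; it is not code from the thread or from FreeBSD itself. The jail name "logreader", the jail root /jails/logreader and the exported host directory /var/log are assumptions. It writes the per-jail fstab with the nullfs export marked read-only (the user only needs to search the logs, so he should not be able to alter or truncate them from inside the jail), appends the rc.conf(5) knob the reply names, and includes a small audit function that flags any nullfs export in an fstab-style file that is not read-only. Symlinks are resolved relative to the jail's root, so a link inside the jail cannot point outside it; that is why the reply recommends nullfs instead. Set ROOT to a scratch directory to generate the files somewhere other than the live /etc.

```shell
#!/bin/sh
# Added example, not from the original thread. Names below are assumptions.
set -eu

JAIL=${JAIL:-logreader}          # assumed jail name
JAILROOT=${JAILROOT:-/jails/$JAIL}   # assumed jail root on the host
HOSTDIR=${HOSTDIR:-/var/log}     # host directory to expose to the jail
ROOT=${ROOT:-}                   # prefix for generated files ("" = live system)

# Write /etc/fstab.{name}: a nullfs export of $HOSTDIR onto the same path
# inside the jail, read-only and with nosuid,noexec so nothing under it can
# be abused as a setuid binary or executed from the jail.
write_jail_fstab() {
    mkdir -p "$ROOT/etc" "$ROOT$JAILROOT$HOSTDIR"
    printf '%s\t%s\tnullfs\tro,nosuid,noexec\t0\t0\n' \
        "$HOSTDIR" "$JAILROOT$HOSTDIR" > "$ROOT/etc/fstab.$JAIL"
}

# Enable per-jail fstab handling so "service jail start|stop $JAIL" mounts
# and unmounts the export. sysrc(8) is the idempotent FreeBSD tool for this;
# a plain append is used here so the script also runs outside FreeBSD.
write_rc_conf() {
    mkdir -p "$ROOT/etc"
    printf 'jail_%s_mount_enable="YES"\n' "$JAIL" >> "$ROOT/etc/rc.conf"
}

# Audit an fstab-style file: print every nullfs entry whose options lack "ro"
# and return 1 if any were found. Run it on /etc/fstab.{name} before starting
# the jail, so a writable export of host data never goes live by accident.
check_nullfs_readonly() {
    file=$1
    bad=0
    while read -r dev mnt type opts rest; do
        case $dev in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$type" = nullfs ] || continue
        case ",$opts," in
            *,ro,*) ;;
            *) echo "writable nullfs export: $dev -> $mnt ($opts)"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Usage: ./jail-nullfs.sh generate   (then: service jail start $JAIL)
if [ "${1:-}" = generate ]; then
    write_jail_fstab
    write_rc_conf
    check_nullfs_readonly "$ROOT/etc/fstab.$JAIL"
    echo "wrote $ROOT/etc/fstab.$JAIL and rc.conf knob for jail $JAIL"
fi
```

Mounting only /var/log (not a parent such as /var) keeps the exposure to exactly what the user needs; if the jail should see a subset of the logs, export that subdirectory instead.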
