From: Devin Teske <Devin.Teske@fisglobal.com>
Date: Thu, 16 Aug 2012 12:56:36 -0700
Cc: freebsd-questions@freebsd.org
Subject: Re: can a jail have link to outside of the jail?
In-Reply-To: <201208162051.AA214893042@mail.Go2France.com>
Message-ID: <81800F08-9149-4457-BA1D-EB07874039E2@fisglobal.com>

On Aug 16, 2012, at 11:51 AM, Len Conrad wrote:

> I have an ssh user who needs only to search some log files not in his jail.
> The jail is required because I don't want the user seeing the rest of the machine. If the dirs were linked to his jail, would that work?
>

To show a directory from a base host to a member jail, I'd recommend using a nullfs mount.

Furthermore, you can automate the process in 2 different ways (scoped differently depending on how you use jails).

You can add jail_{name}_mount_enable="YES" to rc.conf(5), which enables the automatic handling of /etc/fstab.{name} every time you perform a "service jail start|stop|restart {name}" (the mounts will automatically be mounted and unmounted on demand as you bring the jail up and down, irrespective of the base host but specific to each jail). You'd load your /etc/fstab.{name} with your nullfs mounts.

The second way, of course, is to put all your nullfs mounts into /etc/fstab (proper) but mark them as "noauto" (if desired) and optionally (if going the noauto approach) add jail_{name}_exec_prestart="mount dirname" and likewise [optional] jail_{name}_exec_poststop="umount dirname".

All depending on how you use jails.

If, of course, you'd rather have all the mounts come up at boot and go from permanent directories to permanent directories (which you know will never go away), _and_ you like the idea of not having mounts going up and down with your jails (perhaps you're fine-tuning your jail's startup), I'd say throw them into /etc/fstab full-auto and not associate them with the jails. But it's all up to you.

Hope that helps.

> What I'd really like is something like ftpchroot but for ssh.
>

Hmmm, does the above approach work better? Just exposing one directory to his jail via nullfs?

> suggestions?
>

-- 
Cheers,
Devin
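The two approaches above, worked through as an added example (editorial example code, not Devin's and not part of FreeBSD's rc.d scripts): a POSIX sh script that generates the fstab(5) line for a nullfs export of a host log directory into a jail, the rc.conf(5) knobs for either of the two styles described in the mail, and a small lint that flags nullfs mounts into the jail that are not read-only. The jail name "logsearch", the jail root /usr/jails/logsearch, the host directory /var/log and the mount point under the jail root are all constructed for illustration. The point worth carrying over from the question: the search user only needs to read the logs, so the nullfs mount is made read-only (with nosuid,noexec as well), and nothing inside the jail can then modify or remove the host's log files through the shared tree.

```sh
#!/bin/sh
# Added example, not from the original mail. Generates the configuration
# lines for exposing a host directory to a jail over a read-only nullfs
# mount (either of the two rc.conf(5) styles described in the mail) and
# lints an fstab-style file for nullfs mounts that are not read-only.
# All names and paths below are constructed for illustration.

JAIL=logsearch                         # assumed jail name
JAIL_ROOT=/usr/jails/$JAIL             # assumed jail root on the host
HOST_DIR=/var/log                      # host directory the user may read
MNT_POINT=$JAIL_ROOT/mnt/hostlog       # where it appears inside the jail

# fstab(5) line for a nullfs export into the jail. The log-search user only
# needs to read, so the mount is read-only; nosuid,noexec keep anything under
# the shared tree from being used to gain privileges inside the jail.
# Optional third argument appends further options (e.g. "noauto" for way 2).
fstab_line() {
    _opts="ro,nosuid,noexec${3:+,$3}"
    printf '%s\t%s\tnullfs\t%s\t0\t0\n' "$1" "$2" "$_opts"
}

# Way 1: let "service jail start|stop NAME" process /etc/fstab.NAME itself.
rc_conf_per_jail_fstab() {
    printf 'jail_%s_mount_enable="YES"\n' "$1"
}

# Way 2: the line lives in /etc/fstab proper marked noauto, and the jail's
# prestart/poststop hooks mount and unmount it.
rc_conf_noauto_hooks() {
    printf 'jail_%s_exec_prestart="mount %s"\n' "$1" "$2"
    printf 'jail_%s_exec_poststop="umount %s"\n' "$1" "$2"
}

# Lint: every nullfs entry in the given fstab-style file must carry "ro".
# Prints each offending mount point; returns 1 if any was found, else 0.
lint_nullfs_ro() {
    _bad=0
    while read -r _dev _mnt _type _opts _rest; do
        case "$_dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$_type" = nullfs ] || continue
        case ",$_opts," in
            *,ro,*) ;;
            *) echo "read-write nullfs mount into jail: $_mnt ($_opts)"
               _bad=1 ;;
        esac
    done < "$1"
    return $_bad
}

# Demo on a constructed /etc/fstab.logsearch: the generated read-only line
# plus a deliberately read-write one so the lint has something to report.
demo() {
    _tmp=$(mktemp) || return 1
    {
        fstab_line "$HOST_DIR" "$MNT_POINT"
        printf '%s\t%s\tnullfs\trw\t0\t0\n' /usr/ports "$JAIL_ROOT/usr/ports"
    } > "$_tmp"

    echo "# /etc/rc.conf additions (way 1):"
    rc_conf_per_jail_fstab "$JAIL"
    echo "# /etc/rc.conf additions (way 2, with a noauto entry in /etc/fstab):"
    rc_conf_noauto_hooks "$JAIL" "$MNT_POINT"
    echo "# /etc/fstab.$JAIL:"
    cat "$_tmp"
    echo "# lint:"
    if lint_nullfs_ro "$_tmp"; then
        echo "all nullfs mounts into the jail are read-only"
    fi
    rm -f "$_tmp"
    return 0
}

demo
```

Run it on the host (not inside the jail) and paste the printed lines into /etc/rc.conf and /etc/fstab.logsearch (way 1) or /etc/fstab with the "noauto" option added (way 2); the lint can be pointed at either file afterwards to confirm nothing under the jail is mounted read-write by mistake.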