From: zhuravlev alexander
Date: Mon, 14 Jan 2002 20:37:36 +0300
To: security@freebsd.org
Subject: Re: jail and NFS

On Mon, Jan 14, 2002 at 08:30:32PM +0300, zhuravlev alexander wrote:
> On Mon, Jan 14, 2002 at 09:42:26AM -0500, Robert Watson wrote:
> > If the NFS mount is visible in the jail's namespace, then the jailed
> > processes can access it subject to normal access control restrictions.
> > However, processes in jail are not permitted to mount, remount, or unmount
> > filesystems, so any access to NFS must be configured by a process outside
> > the jail (and preferably, before any untrusted processes run in the jail,
> > so as to prevent racing and path-based games). Typically, when using NFS
> > with a jail, I'll do the NFS mounting prior to actually starting the jail.
> >
>

By the way ... when I type mount in the jailed box, I see all filesystems and
shares mounted by the host system. Is this correct?

--
zhuravlev alexander
u l s t u c t c
e-mail:zaa@ulstu.ru
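The quoted advice says that an NFS mount is reachable from a jail when it sits inside the jail's namespace, and that mounting is done from the host before the jail starts. The following is an added example, not part of the thread: a host-side check that lists which NFS mounts lie at or below a jail's root, reading a mount table in fstab(5) format such as `mount -p` prints. The function name `nfs_in_jail`, the jail root `/usr/jails/www`, the server name `filer` and the sample table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report NFS mounts located at or
# below a jail's root directory, i.e. the ones a jailed process can reach
# by path. Run on the host, before the jail is started.
#
# stdin : mount table in fstab(5) format (device, mountpoint, type, options, ...)
# $1    : jail root directory (hypothetical path in the sample below)
nfs_in_jail() {
    root=${1%/}                 # drop a trailing slash; "/" becomes ""
    while read -r dev mnt fstype opts rest; do
        case $dev in
            ''|'#'*) continue ;;        # skip blank lines and comments
        esac
        [ "$fstype" = nfs ] || continue # only NFS mounts are of interest
        case $mnt in
            # Match the root itself or a path component below it.
            # "$root"/* keeps /usr/jails/www2 from matching /usr/jails/www.
            "$root"|"$root"/*)
                printf '%s %s %s\n' "$mnt" "$dev" "$opts"
                ;;
        esac
    done
}

# Constructed sample mount table (host names and paths are made up).
sample_mounts() {
    cat <<'EOF'
/dev/ad0s1a /  ufs rw 1 1
procfs /proc procfs rw 0 0
# shares mounted by the host
filer:/export/home /home nfs rw 0 0
/dev/ad0s1f /usr/jails/www ufs rw 2 2
filer:/export/www /usr/jails/www/data nfs rw,nosuid 0 0
filer:/export/www2 /usr/jails/www2/data nfs rw 0 0
EOF
}

# Stand-alone run on the sample; on a real host: mount -p | nfs_in_jail /path
sample_mounts | nfs_in_jail /usr/jails/www
```

Only the share mounted under the jail root is reported; the host's `/home` share and the neighbouring jail's share are not.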