Jail Quotas - quota.user hard link

Charles Sprickman spork at bway.net
Thu Apr 27 04:51:15 UTC 2006 

On Thu, 27 Apr 2006, Michael R. Wayne wrote:

> On Wed, Apr 26, 2006 at 06:23:59PM -0400, Charles Sprickman wrote:
>>
>> I have a question about using quotas in a jail with FreeBSD 6.x.  So far I
>> have had no problems on a test box with setting quotas from the host using
>> a numeric UID (ie: edquota -u 20000 where UID 20000 is a user that only
>> exists in a jail).  That seems to "just work".
>
> Just a heads up: quotas in jails on FreeBSD 6 are pretty broken.  I'll
> include some workarounds.
>
> Basic operation can be done by specifying a filename, available in the jail,
> which contains the quotas.  So, on the base system, /etc/fstab contains:
>
> /dev/twed0s2f /usr/jails/foo.bar.com ufs rw,userquota=/usr/jails/foo.bar.com/usr/quotas/shell.root 2 2
>
> and on the foo.bar.com jail, /etc/fstab contains:
>
> /dev/twed0s2f   /  ufs rw,userquota=/usr/quotas/shell.root,noauto      2       2

That's pretty nifty.  "man fstab" confirms (at least the first part).  I'm 
still curious if there's any harm in the symlink solution.

> Now the problems begin.
>
> You either do
>   chmod a+r /usr/quotas/shell.root
> which permits everyone on the machine to read all quotas (both
> quota and repquota) or
>   chmod o-r /usr/quotas/shell.root
> which permits ONLY root to read any quotas.  Normal users can
> not see their own quotas (I filed a PR on this quite some time back,
> nobody seems interested).  This seems to be new breakage since 4.x

See, now back in 6.0, I could have sworn that I saw this.  Even with the 
quota command setuid root inside the jail, I was getting "permission 
denied" errors.  I'm now running a 6.1-RC from late last week and this 
seems to be working now.  I'm not sure where to look in the kernel source 
to find if something changed, but my guess is someone did "fix" it.

> Also, if you edquota from within the jail, it does not really take
> effect.  You can stick an hourly cron script on the base system containing
>   quotaoff -a
>   quotacheck -a
>   quotaon -a
> which will "fixup" the mess.  Alternately, you can only use edquota
> from the base system which seems to mostly work.

That's fine, I plan to do most work from the host and only become root in 
the jail when necessary.

> ISTR that there was something else that was odd but I'm sure somebody
> else will jump in and mention it.

The above was the main stumbling block for me.  I know keeping UIDs unique 
across the host and all jails is probably a royal pain for some, but my 
use here (shell server inside a jail) really doesn't have any issues with 
that.

Thanks,

Charles

> /\/\ \/\/
>
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>

More information about the freebsd-hackers mailing list