Jail Quotas - quota.user hard link

Robert Watson rwatson at FreeBSD.org
Thu Apr 27 16:30:37 UTC 2006


On Thu, 27 Apr 2006, Michael R. Wayne wrote:

> On Wed, Apr 26, 2006 at 06:23:59PM -0400, Charles Sprickman wrote:
>>
>> I have a question about using quotas in a jail with FreeBSD 6.x.  So far I 
>> have had no problems on a test box with setting quotas from the host using 
>> a numeric UID (ie: edquota -u 20000 where UID 20000 is a user that only 
>> exists in a jail).  That seems to "just work".
>
> Just a heads up: quotas in jails on FreeBSD 6 are pretty broken.  I'll 
> include some workarounds.
>
> Basic operation can be done by specifying a filename, available in the jail, 
> which contains the quotas.  So, on the base system, /etc/fstab contains:
>
> /dev/twed0s2f /usr/jails/foo.bar.com ufs rw,userquota=/usr/jails/foo.bar.com/usr/quotas/shell.root 2 2
>
> and on the foo.bar.com jail, /etc/fstab contains:
>
> /dev/twed0s2f / ufs rw,userquota=/usr/quotas/shell.root,noauto 2 2

I'm loosely under the impression that it should be possible to both query and 
manage quota data on live file systems without ever touching the quota backing 
file (which is an error-prone mechanism because live quota data is cached in 
the kernel without constantly referring back to the quota file, so writing to 
the file runs into cache coherency problems).  In particular, you can set 
security.bsd.unprivileged_get_quota to 1 to allow a user to query another 
user's quota using the syscall interface.  It could be that we don't allow 
these syscalls to work from within a jail though, or that they look at 
/etc/fstab to decide if they should use the syscall, which should be fixable.

Robert N M Watson

>
>
> Now the problems begin.
>
> You either do
>   chmod a+r /usr/quotas/shell.root
> which permits everyone on the machine to read all quotas (both
> quota and repquota) or
>   chmod o-r /usr/quotas/shell.root
> which permits ONLY root to read any quotas.  Normal users can
> not see their own quotas (I filed a PR on this quite some time back,
> nobody seems interested).  This seems to be new breakage since 4.x
>
> Also, if you edquota from within the jail, it does not really take
> effect.  You can stick an hourly cron script on the base system containing
>   quotaoff -a
>   quotacheck -a
>   quotaon -a
> which will "fixup" the mess.  Alternately, you can only use edquota
> from the base system which seems to mostly work.
>
> ISTR that there was something else that was odd but I'm sure somebody
> else will jump in and mention it.
>
> /\/\ \/\/
>
>
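
An added example, not part of the original thread: a small sh audit that lists the `userquota=` backing files named in an fstab and flags any that are readable by "other", the `chmod a+r` case discussed above. The function names and the optional root prefix (for checking a jail's fstab from the host) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit userquota= backing files.

# quota_files FSTAB
# Print "mountpoint quotafile" for every entry with a userquota=PATH option.
quota_files() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }      # skip comments and short lines
        {
            n = split($4, opts, ",")       # field 4 holds the mount options
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^userquota=/) {
                    sub(/^userquota=/, "", opts[i])
                    print $2, opts[i]
                }
        }' "$1"
}

# audit_quota_files FSTAB [ROOT]
# Print "status mountpoint path" per quota file, where status is
# world-readable, restricted or missing. ROOT (hypothetical helper argument)
# is prefixed to each path, e.g. a jail root when run from the host.
# Returns 1 if any quota file is readable by "other".
audit_quota_files() {
    fstab=$1 root=${2:-} rc=0
    while read -r mnt qf; do
        [ -n "$qf" ] || continue
        path=$root$qf
        if [ ! -e "$path" ]; then
            echo "missing $mnt $path"
        elif [ -n "$(find "$path" -prune -perm -004)" ]; then
            echo "world-readable $mnt $path"
            rc=1
        else
            echo "restricted $mnt $path"
        fi
    done <<EOF
$(quota_files "$fstab")
EOF
    return $rc
}
```

For the jail in the thread this would be run on the host as `audit_quota_files /usr/jails/foo.bar.com/etc/fstab /usr/jails/foo.bar.com`.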

