Jail in zfs filesystem: non-root user has no access

Jason Hellenthal jhellenthal at dataix.net
Sat Jan 17 18:08:32 UTC 2015 

Can you jexec into the jail as that user ?

-- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellenthal at DataIX.net
 JJH48-ARIN

On Jan 17, 2015, at 12:04, javocado <javocado at gmail.com> wrote:

System: FreeBSD 8.4 amd

We have a jail in a zfs filesystem with the following create properties:

zpool create -O devices=off -O atime=off -O setuid=off -O exec=off -O
compression=on ...

zfs create -o devices=off -o atime=off -o setuid=off -o compression=on -o
...

Everything works and runs fine, but when we try to do anything as a
non-root user we run into issues:

ssh user at x.x.x.x
Password:
Last login: Thu Jan 15 16:40:14 2015 from 209.242.167.133
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California.  All rights reserved.

Could not chdir to home directory /home/user: Permission denied
/bin/csh: Permission denied
Connection to x.x.x.x closed.

----------------

[root @ xxxxx] /# su user
su: /bin/sh: Permission denied

----------------

Permissions on the dir are fine:

# ll
1 lrwxr-xr-x    1 root  wheel     8 Jan 11  2012 home@ -> usr/home
...

# ll usr
24 drwxr-xr-x  17 root  wheel   17 Jan 11  2012 ./
24 drwx------  18 root  wheel   23 Jan 11  2012 ../
...

# ll usr/home
24 drwxr-xr-x   3 root  wheel   3 Jan 11  2012 ./
24 drwxr-xr-x  17 root  wheel  17 Jan 11  2012 ../
24 drwxr-xr-x   2 user  user   10 Jan 11  2012 user/


My suspicion is it has to do with the setuid=off or exec=off on the pool,
since these settings set to "=on" on the zfs device itself have no impact.
But, before I tinker with the pool...which I'm not prepared to do for other
security-related reasons, I wanted to confirm what may be causing this.

Thanks!
_______________________________________________
freebsd-jail at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6118 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20150117/c383211f/attachment.bin>

More information about the freebsd-jail mailing list