can a jail have link to outside of the jail?

Devin Teske devin.teske at fisglobal.com
Thu Aug 16 19:56:40 UTC 2012


On Aug 16, 2012, at 11:51 AM, Len Conrad wrote:

> 
> I have an ssh user who needs only to search some log files not in his jail. The jail is required because I don't want the user seeing the rest of the machine. If the dirs were linked to his jail, would that work?
> 

To show a directory from a base-host to a member-jail, I'd recommend using a nullfs-mount.

Furthermore, you can automate the process in 2 different ways (scoped differently depending on how you use jails).

You can add jail_{name}_mount_enable="YES" to rc.conf(5) which enables the automatic handling of /etc/fstab.{name} every time you perform a "service jail start|stop|restart {name}" (the mount will automatically be mounted and unmounted on-demand of bringing the jail up-and-down irrespective of the base host but respective to each jail). You'd load your /etc/fstab.{name} with your nullfs mounts.

The second way is of course to put all your nullfs mounts into /etc/fstab (proper) but mark them as "noauto" (if desired) and optionally (if going the noauto approach) add jail_{name}_exec_prestart="mount dirname" and likewise [optional] jail_{name}_exec_poststop="umount dirname".

All depending on how you use jails.

If, of course, you'd rather have all the mounts come up at boot and go from permanent directories to permanent directories (which you know will never go away), _and_ you like the idea of not having mounts going up and down with your jails (perhaps you're fine-tuning your jail's startup), I'd say throw them into /etc/fstab full-auto and not associate them with the jails. But it's all up to you.

Hope that helps.


> What I'd really like is something like ftpchroot but for ssh.
> 

Hmmm, does the above approach work better? Just exposing one directory to his jail via nullfs?


> suggestions?
> 

-- 
Cheers,
Devin
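An added example (not from Devin's mail) of the first approach: a POSIX sh script that writes the /etc/fstab.{name} nullfs entry and the rc.conf(5) knob under a prefix directory so it can be dry-run, plus a checker that flags any nullfs entry in that file not mounted read-only. Assumed names: jail "logreader", jail root /usr/jails/logreader, host directory /var/log.

```shell
#!/bin/sh
# Added example, not from the mail. Approach 1: per-jail fstab plus the
# jail_<name>_mount_enable knob. Files are written under $1 (PREFIX) so the
# script can be dry-run in a scratch directory; on a real host use "" as the
# prefix, then "service jail restart <name>" to mount/unmount with the jail.
# Assumed names: jail "logreader", jail root /usr/jails/logreader, host /var/log.

# write_jail_nullfs PREFIX JAIL JAIL_ROOT HOST_DIR SUBDIR_IN_JAIL
write_jail_nullfs() {
    prefix=$1; jail=$2; jail_root=$3; host_dir=$4; sub=$5
    mkdir -p "$prefix/etc" "$prefix$jail_root$sub"
    # "ro": the jailed account can read the logs but cannot modify or delete them.
    printf '%s\t%s%s\tnullfs\tro\t0\t0\n' "$host_dir" "$jail_root" "$sub" \
        >> "$prefix/etc/fstab.$jail"
    # rc.conf(5): have the jail rc script mount /etc/fstab.<jail> on start and
    # unmount it on stop, independent of the host's own /etc/fstab.
    printf 'jail_%s_mount_enable="YES"\n' "$jail" >> "$prefix/etc/rc.conf"
}

# check_jail_nullfs PREFIX JAIL: returns 0 when the rc.conf knob is present and
# every nullfs entry in fstab.<jail> carries "ro"; 1 otherwise (a writable
# nullfs mount would let the jailed user alter host files).
check_jail_nullfs() {
    prefix=$1; jail=$2
    grep -q "^jail_${jail}_mount_enable=\"YES\"" "$prefix/etc/rc.conf" || return 1
    awk 'BEGIN { bad = 0 }
         $3 == "nullfs" && $4 !~ /(^|,)ro(,|$)/ { bad = 1 }
         END { exit bad }' "$prefix/etc/fstab.$jail"
}
```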


