Extended "system" attributes within jailed environment dont work
Konstantin Belousov
kostikbel at gmail.com
Fri Jul 14 07:56:14 UTC 2017
On Fri, Jul 14, 2017 at 01:53:40PM +1000, Dewayne Geraghty wrote:
> Can someone advise how I can enable extended attributes in a "system"
> namespace within a jailed (or bhyve) environment? There was no guidance
> in "man jail" nor "man jail.conf".
Mentioning jails and bhyve in a single sentence clearly indicates serious
issues with understanding either feature.
>
> Simple test
> >From the host or base system:
> # touch /a ; setextattr user t1 first /a ; getextattr user t1 /a
> /a first
> # touch /a ; setextattr system t2 second /a ; getextattr system t2 /a
> /a second
>
> Within a jail:
> # touch /a ; setextattr user t1 first /a ; getextattr user t1 /a
> /a first
> # touch /a ; setextattr system t2 second /a ; getextattr system t2 /a
> setextattr: /a: failed: Operation not permitted
> getextattr: /a: failed: Operation not permitted
>
> The impact of this is that SAMBA after 4.3 uses "system" namespace
> extended attributes; hence can not provision an Active Directory within
> a jailed environment. (For the inclined, this affects sysvol, and
> interestingly "rsync -x" is unable to copy extended attributes, so
> having consistent sysvols across a SAMBA domain may be a challenge)
System namespace access is not allowed for jailed processes by design.
See sys/kern/vfs_subr.c:extattr_check_cred() and a comment there
explicitely mentioning the behaviour. The behaviour predates ~ year
2002, where extended attributes were introduced, and it makes sense.
More information about the freebsd-stable
mailing list