On Fri, 30 Aug 2002, Patrick Thomas wrote:
> I realize the difficulties in trying to use quotas on the _host_ > system to limit the size of jails on the host system - userid mapping, > etc. This is not what I am asking. > > I wonder, is it possible for the root user of a jail to set quotas > _inside_ her jail for users _inside_ her jail ? Can anyone simply > confirm or deny that this is possible ? > > Simply following normal protocol does not work, because if you place > filesystem entries into /etc/fstab inside the jail, the jail will no > longer start, as it does not have permission to mount or otherwise > manipulate those filesystems. Other than the access control checks in the quota code being influenced by the jail, there really is no relationship between jails and quotas. Jails are solely a property of processes and other credential-bearing kernel objects. Persistent and transient quota information is stored relative to uids and gids, and quotas are enforced based on those elements of the process credential, and are not impacted by the jail field. This means that if a file system is shared by two jails, and a particular uid is in use in both jails, both sets of processes will be impacted by the same quota. Privileged users can perform quota management calls on any file system they can name via a visible file object. If quota management calls were permitted from jail, they could likewise be performed on any file system visible in the jail. If only appropriate file systems are visible from the jail, you could add PRISON_ROOT to the flags field of the relevant suser call. If you expose file systems to the jail that you don't want the root user in the jail to set quotas on, you may be out of luck. I take it from your description that you're interested in imposing quotas on the users in the jail, not quotas on the jail itself? Robert N M Watson FreeBSD Core Team, TrustedBSD Projects [EMAIL PROTECTED] Network Associates Laboratories To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
