No, sorry I think that I was misunderstood - here is my situation:

- I have a host machine with no users - just root.
- on that host machine I have a vn-backed FS 500 megs in size
- on that vn-backed FS, I run a jail
- and no other jails share that vn-backed FS (although other jails may share the underlying actual disk FS that the vn is on...)

Now, I die in a car accident and nobody ever logs into the host system again or touches anything on the _host system_.

Can the root user of the _jail running on the host system_ set up quotas for her users ?

Let's assume the root user and all her other users don't even know it is a jail - as far as they are concerned, it's just their freebsd machine.

So the question is, can this root user set up quotas ? And if so, some hints on exactly what needs to go into /etc/fstab _inside their jail_, since specifying anything in there seems to have the side effects of:

a) not working as expected
b) causing the jail not to be startable.

thanks,

PT

On Sun, 1 Sep 2002, Robert Watson wrote:

>
> On Fri, 30 Aug 2002, Patrick Thomas wrote:
>
> > I realize the difficulties in trying to use quotas on the _host_
> > system to limit the size of jails on the host system - userid mapping,
> > etc. This is not what I am asking.
> >
> > I wonder, is it possible for the root user of a jail to set quotas
> > _inside_ her jail for users _inside_ her jail ? Can anyone simply
> > confirm or deny that this is possible ?
> >
> > Simply following normal protocol does not work, because if you place
> > filesystem entries into /etc/fstab inside the jail, the jail will no
> > longer start, as it does not have permission to mount or otherwise
> > manipulate those filesystems.
>
> Other than the access control checks in the quota code being influenced by
> the jail, there really is no relationship between jails and quotas.
> Jails are solely a property of processes and other credential-bearing
> kernel objects. Persistent and transient quota information is stored
> relative to uids and gids, and quotas are enforced based on those elements
> of the process credential, and are not impacted by the jail field. This
> means that if a file system is shared by two jails, and a particular uid
> is in use in both jails, both sets of processes will be impacted by the
> same quota.
>
> Privileged users can perform quota management calls on any file system
> they can name via a visible file object. If quota management calls were
> permitted from jail, they could likewise be performed on any file system
> visible in the jail. If only appropriate file systems are visible from
> the jail, you could add PRISON_ROOT to the flags field of the relevant
> suser call. If you expose file systems to the jail that you don't want
> the root user in the jail to set quotas on, you may be out of luck. I
> take it from your description that you're interested in imposing quotas on
> the users in the jail, not quotas on the jail itself?
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> [EMAIL PROTECTED]             Network Associates Laboratories
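
The two points in the quoted reply (a jailed root is refused unless the call site passes PRISON_ROOT, and quota accounting is keyed by uid with no jail field), modelled in userland C as an added example; it is not FreeBSD kernel code and not from the thread. The `model_*` functions, the structs, `MAXUID` and the numeric value given to `PRISON_ROOT` are assumptions of the model; only the flag name comes from the thread.

```c
#include <errno.h>
#include <stdio.h>
#define PRISON_ROOT 1  /* flag name from the thread; value is arbitrary in this model */
#define MAXUID 8       /* model-only bound on uids */

struct cred { unsigned uid; int jail_id; };            /* jail_id 0 = not jailed */
struct fs { long limit[MAXUID]; long used[MAXUID]; };  /* keyed by uid only, no jail field */

/* Privilege check: uid 0 required; a jailed caller passes only when the
 * call site opted in by passing PRISON_ROOT. */
int model_suser(const struct cred *c, int flags) {
    if (c->uid != 0) return EPERM;
    if (c->jail_id != 0 && !(flags & PRISON_ROOT)) return EPERM;
    return 0;
}

/* Quota management call; suser_flags stands for what the call site passes. */
int model_setquota(struct fs *fs, const struct cred *c, int suser_flags,
                   unsigned uid, long limit) {
    int error = model_suser(c, suser_flags);
    if (error) return error;
    if (uid >= MAXUID) return EINVAL;
    fs->limit[uid] = limit;
    return 0;
}

/* Enforcement looks only at the uid in the credential, never at the jail. */
int model_write(struct fs *fs, const struct cred *c, long blocks) {
    if (c->uid >= MAXUID) return EINVAL;
    if (fs->limit[c->uid] && fs->used[c->uid] + blocks > fs->limit[c->uid])
        return EDQUOT;
    fs->used[c->uid] += blocks;
    return 0;
}

/* Two jails share one file system and both use uid 5. */
int shared_fs_demo(int suser_flags) {
    struct fs fs = {{0}, {0}};
    struct cred jail1_root = {0, 1}, jail1_user = {5, 1}, jail2_user = {5, 2};
    int error = model_setquota(&fs, &jail1_root, suser_flags, 5, 100);
    if (error) return error;                  /* EPERM without PRISON_ROOT */
    if (model_write(&fs, &jail1_user, 80)) return -1;
    return model_write(&fs, &jail2_user, 30); /* EDQUOT: 80 + 30 > 100 */
}

int main(void) {
    printf("no flag: %d, PRISON_ROOT: %d\n", shared_fs_demo(0), shared_fs_demo(PRISON_ROOT));
    return 0;
}
```

In the second case the limit set by jail 1's root stops a write from jail 2, which is why the reply ties the PRISON_ROOT change to exposing only appropriate file systems to the jail.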