On Fri, Jul 14, 2017 at 01:53:40PM +1000, Dewayne Geraghty wrote: > Can someone advise how I can enable extended attributes in a "system" > namespace within a jailed (or bhyve) environment? There was no guidance > in "man jail" nor "man jail.conf". Mentioning jails and bhyve in a single sentence clearly indicates serious issues with understanding either feature.
> > Simple test > >From the host or base system: > # touch /a ; setextattr user t1 first /a ; getextattr user t1 /a > /a first > # touch /a ; setextattr system t2 second /a ; getextattr system t2 /a > /a second > > Within a jail: > # touch /a ; setextattr user t1 first /a ; getextattr user t1 /a > /a first > # touch /a ; setextattr system t2 second /a ; getextattr system t2 /a > setextattr: /a: failed: Operation not permitted > getextattr: /a: failed: Operation not permitted > > The impact of this is that SAMBA after 4.3 uses "system" namespace > extended attributes; hence can not provision an Active Directory within > a jailed environment. (For the inclined, this affects sysvol, and > interestingly "rsync -x" is unable to copy extended attributes, so > having consistent sysvols across a SAMBA domain may be a challenge) System namespace access is not allowed for jailed processes by design. See sys/kern/vfs_subr.c:extattr_check_cred() and a comment there explicitely mentioning the behaviour. The behaviour predates ~ year 2002, where extended attributes were introduced, and it makes sense. _______________________________________________ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
