I'm contemplating using zfs over NFS for domU package builders, and I'm basically allergic to NFS for security reasons, but it should be confined. So I'm trying to reduce exposure, and have set setuid=off on zfs filesystems. That successfully prevented a suid binary from working. The other usual thing is "nodev", and zfs has a devices property, on or off. So I went to set it to off and got an error that FreeBSD doesn't support that. I made a device node (just with mknod) for wd0d and I was able to dd from it. Is there any good approach to avoiding this? Why doesn't devices=off just lead to the nodev mount option and work, similar to how setuid=off leads to nosuid?