Nicolas Williams wrote:
>
>> I'd even go further and say that any user
>> in the global zone would not have access to /export/z1.  [...]
>>
>
> But if we resolve loopback NFS mount issues then any zone could access
> any other zone's NFS shares provided they have logical or physical
> connectivity between them.  So why not allow global zone access then,
> mediated, perhaps, by NFSv4-style ID mapping?
>
> Nico
>   
What about the case where the customer wants to administer the zone they
purchased and they do not want the global zone admins to have local access
to their data?

I'd say make it simple - in order to get access, you must be able to mount
the export and abide both by the share level machine access rules and either
the UID mapping (NFSv3) or ID mapping (NFSv4) rules.

Let the owner of the zone explicitly control the access to their data.

