Robert Gordon wrote:
>
> On Feb 14, 2007, at 3:17 PM, Edward Pilatowicz wrote:
>
>>
>> this all makes logical sense to me.
>>
>> i would refine your second point though because it doesn't take into
>> account lofs mounts.
>>
>> ex, if i have /export/foo in the global zone and then in zonecfg i
>> configure a "filesystem" resource such that this directory is also
>> lofs mounted in the zone at /export/foo, then who should be able
>> to export the filesystem?
>>
>> it seems to me that both the local zone and the global zone
>> should be able to export it (or not export it) independently.
>>
>> ed
>
> There may be a conflicting security requirement here. Let's say
> I'm SA of the zone and I have exported /export/foo with krb5i
> (since my foo really needs tight security :) ) to a limited
> set of clients. Then along comes Mr Global SA and exports it
> with auth_sys to any old nfs client..
>
> seems like that might be an issue ?
>

Seems like you need Solaris Trusted Extensions. :-)

But in the end, a sufficiently-privileged user in the global zone can do anything.

--------------------------------------------------------------------------
Jeff VICTOR              Sun Microsystems            jeff.victor @ sun.com
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:    http://www.opensolaris.org/os/community/zones/faq
--------------------------------------------------------------------------