Re: [zones-discuss] file system access from global zone
Jordan Brown wrote:
> Jerry Jelinek wrote:
>> Jordan Brown wrote:
>>> bart(1M) says about its -R option:
>>>
>>> Note - The root file system of any non-global zones
>>> must not be referenced with the -R option. Doing
>>> so might damage the global zone's file system,
>>> might compromise the security of the global
>>> zone, and might damage the non-global zone's
>>> file system. See zones(5).
>>>
>>> Why?
>>
>>
>> Accessing a ngz fs from the gz is always dangerous since
>> a hostile ngz root admin can make changes which
>> refer to the gz, if you are looking at the fs from the
>> gz. If you are only reading and don't care
>> if you are reading the wrong stuff, it is not a
>> big deal. You should never write and attempt to
>> change anything when running in the gz and reaching
>> into the ngz hierarchy. E.g. editing {zonepath}/etc/passwd
>> could be made to refer to gz /etc/passwd with a simple
>> symlink.
>
> That makes sense, but the statement in the man page seems far too strong
> for this situation... how many zones configurations involve potentially
> malicious local zone administrators? I know mine never do.
>
> The caveats that you suggest seem along the lines of the usual caveats
> about administrators working with files that are not trusted, applicable
> in almost any environment.

I think the problem is that people tend to think of the zone as
a self-contained security boundary where any malicious activity
by a zone admin will be contained. Conversely, they also tend to
think that they can do arbitrary administrative tasks on that
zone file system without logging into the zone. After all, the
file system is just right there. That is an easy mistake to make,
since you only have containment inside the zone.

Jerry

___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] file system access from global zone
Jerry Jelinek wrote:
> Jordan Brown wrote:
>> bart(1M) says about its -R option:
>>
>> Note - The root file system of any non-global zones
>> must not be referenced with the -R option. Doing
>> so might damage the global zone's file system,
>> might compromise the security of the global
>> zone, and might damage the non-global zone's
>> file system. See zones(5).
>>
>> Why?
>
>
> Accessing a ngz fs from the gz is always dangerous since
> a hostile ngz root admin can make changes which
> refer to the gz, if you are looking at the fs from the
> gz. If you are only reading and don't care
> if you are reading the wrong stuff, it is not a
> big deal. You should never write and attempt to
> change anything when running in the gz and reaching
> into the ngz hierarchy. E.g. editing {zonepath}/etc/passwd
> could be made to refer to gz /etc/passwd with a simple
> symlink.

That makes sense, but the statement in the man page seems far too strong
for this situation... how many zones configurations involve potentially
malicious local zone administrators? I know mine never do.

The caveats that you suggest seem along the lines of the usual caveats
about administrators working with files that are not trusted, applicable
in almost any environment.

Thanks for the info.
Re: [zones-discuss] file system access from global zone
Jordan Brown wrote:
> bart(1M) says about its -R option:
>
> Note - The root file system of any non-global zones
> must not be referenced with the -R option. Doing
> so might damage the global zone's file system,
> might compromise the security of the global
> zone, and might damage the non-global zone's
> file system. See zones(5).
>
> Why?

Accessing a ngz fs from the gz is always dangerous since
a hostile ngz root admin can make changes which
refer to the gz, if you are looking at the fs from the
gz. If you are only reading and don't care
if you are reading the wrong stuff, it is not a
big deal. You should never write and attempt to
change anything when running in the gz and reaching
into the ngz hierarchy. E.g. editing {zonepath}/etc/passwd
could be made to refer to gz /etc/passwd with a simple
symlink.

Jerry
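The symlink redirection described in the message above, and one way a global-zone script can refuse it, as an added example that is not part of the original thread. The names open_beneath, UnsafePath and demo are hypothetical, and the temporary directory layout is constructed to stand in for {zonepath}/root and the gz /etc/passwd.

```python
import errno
import os
import tempfile
from pathlib import Path

_LINK_ERRNOS = (errno.ELOOP, errno.ENOTDIR, errno.EMLINK)  # O_NOFOLLOW met a link

class UnsafePath(Exception):
    """A component below the zone root is a symlink or not a real directory."""

def open_beneath(zone_root, relpath, flags=os.O_RDONLY):
    """Open relpath below zone_root (trusted, gz-owned), following no symlink.

    Each component is opened relative to the previous directory's fd with
    O_NOFOLLOW, so a link inside the zone cannot redirect the caller.
    """
    parts = [p for p in relpath.split("/") if p]
    if not parts or ".." in parts:
        raise UnsafePath(relpath)
    dirfd = os.open(zone_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, name in enumerate(parts):
            last = i == len(parts) - 1
            want = flags if last else os.O_RDONLY | os.O_DIRECTORY
            try:
                fd = os.open(name, want | os.O_NOFOLLOW, dir_fd=dirfd)
            except OSError as e:
                if e.errno in _LINK_ERRNOS:
                    raise UnsafePath(f"{name!r} in {relpath!r}") from e
                raise
            if last:
                return fd
            os.close(dirfd)
            dirfd = fd
    finally:
        os.close(dirfd)

def demo():
    """Constructed layout: a stand-in zone root whose etc/passwd is a symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        gz_file = Path(tmp, "gz_passwd")  # stands in for the gz /etc/passwd
        gz_file.write_text("global\n")
        etc = Path(tmp, "zonepath", "root", "etc")
        etc.mkdir(parents=True)
        (etc / "hosts").write_text("zone\n")
        (etc / "passwd").symlink_to(gz_file)
        root = str(etc.parent)
        with os.fdopen(open_beneath(root, "etc/hosts")) as f:
            data = f.read()  # ordinary file inside the zone root: allowed
        try:
            os.close(open_beneath(root, "etc/passwd", os.O_RDWR))
        except UnsafePath:
            return data, True  # the link to the stand-in gz file was refused
        return data, False
```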
[zones-discuss] file system access from global zone
bart(1M) says about its -R option:

Note - The root file system of any non-global zones
must not be referenced with the -R option. Doing
so might damage the global zone's file system,
might compromise the security of the global
zone, and might damage the non-global zone's
file system. See zones(5).

Why?