Re: [zones-discuss] Ancestor filesystems writable by zone admin - by design?

2009-09-28 Thread Miles Benson
Thanks for getting back.

Anyway, I've done some more digging.  It seems to be related to having 
delegated a dataset to a zone.

I have two zones 'basezone' and 'paulzone'.  Forget the fact that I used the 
example of basezone above for a moment.

basezone has no delegated dataset and when you zlogin you can do

r...@muttley:~# zlogin basezone
[Connected to zone 'basezone' pts/2]
Last login: Mon Sep 28 19:29:31 on pts/2
Sun Microsystems Inc.   SunOS 5.11  snv_111b  November 2008
r...@basezone:~# zfs list
NAME                           USED  AVAIL  REFER  MOUNTPOINT
tank                          93.8G  2.57T  53.6K  /tank
tank/zones                    1.12G  2.57T  41.1K  /tank/zones
tank/zones/basezone            314M  2.57T  37.5K  /tank/zones/basezone
tank/zones/basezone/ROOT       314M  2.57T  34.0K  legacy
tank/zones/basezone/ROOT/zbe   314M  2.57T   309M  legacy
r...@basezone:~# touch /tank/zones/foobar
touch: cannot create /tank/zones/foobar: No such file or directory
r...@basezone:~#

so all's well and good.

paulzone on the other hand was cloned from basezone and then I created a new 
filesystem /tank/zones/pauldata and delegated it:

r...@muttley:~# zonecfg -z paulzone info
zonename: paulzone
zonepath: /tank/zones/paulzone
brand: ipkg
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
hostid:
net:
        address: 192.168.246.249/29
        physical: e1000g0
        defrouter: 192.168.246.254
dataset:
        name: tank/zones/pauldata
r...@muttley:~#

so if we zlogin to that zone...

r...@muttley:~# zlogin paulzone
[Connected to zone 'paulzone' pts/2]
Last login: Mon Sep 28 19:30:10 on pts/2
Sun Microsystems Inc.   SunOS 5.11  snv_111b  November 2008
r...@oberon:~# zfs list
NAME                                USED  AVAIL  REFER  MOUNTPOINT
tank                               93.8G  2.57T  53.6K  /tank
tank/zones                         1.12G  2.57T  41.1K  /tank/zones
tank/zones/pauldata                 390M  19.6G   390M  /tank/zones/pauldata
tank/zones/pauldata/svnrepository   105K  19.6G   105K  /tank/zones/pauldata/svnrepository
tank/zones/paulzone                 404M  4.61G  37.5K  /tank/zones/paulzone
tank/zones/paulzone/ROOT            404M  4.61G  34.0K  legacy
tank/zones/paulzone/ROOT/zbe        404M  4.61G   701M  legacy
r...@oberon:~# touch /tank/zones/foobar
r...@oberon:~# ls -l /tank/zones/foobar
-rw-r--r--   1 root     root           0 Sep 28 19:38 /tank/zones/foobar
r...@oberon:~#

not so good.

This is an opensolaris machine, 

r...@muttley:~# uname -a
SunOS muttley 5.11 snv_111b i86pc i386 i86pc Solaris

I pretty much followed the instructions in, er, your book to set all this up :-)

but I've probably missed a step somewhere.

Thanks
Miles
-- 
This message posted from opensolaris.org
___
zones-discuss mailing list
zones-discuss@opensolaris.org
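A quick way to audit what the two listings above show is to feed the zone-side `zfs list` output to a small script that separates the zone's own datasets and its delegated datasets from everything else it can see. The script below is an added example, not code from the thread or from the zones project; it assumes the usual layout where a zonepath such as /tank/zones/paulzone is backed by the dataset of the same name with the leading slash dropped, and the listing it parses is constructed from the paulzone output posted above.

```shell
#!/bin/sh
# Audit which ZFS datasets are visible inside a zone that are neither the
# zone's own zonepath datasets nor a delegated dataset (or its descendants).
# Input is the text of `zfs list` as run inside the zone.

# Sample `zfs list` output as seen from inside paulzone (constructed from the
# thread; column spacing normalised).
ZONE_ZFS_LIST='NAME                               USED  AVAIL  REFER  MOUNTPOINT
tank                              93.8G  2.57T  53.6K  /tank
tank/zones                        1.12G  2.57T  41.1K  /tank/zones
tank/zones/pauldata                390M  19.6G   390M  /tank/zones/pauldata
tank/zones/pauldata/svnrepository  105K  19.6G   105K  /tank/zones/pauldata/svnrepository
tank/zones/paulzone                404M  4.61G  37.5K  /tank/zones/paulzone
tank/zones/paulzone/ROOT           404M  4.61G  34.0K  legacy
tank/zones/paulzone/ROOT/zbe       404M  4.61G   701M  legacy'

# is_under PARENT CHILD: true if CHILD equals PARENT or is a descendant dataset.
is_under() {
    case "$2" in
        "$1"|"$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# zone_dataset ZONEPATH: the dataset assumed to back a zonepath such as
# /tank/zones/paulzone (pool-rooted mountpoint layout, leading slash dropped).
zone_dataset() {
    printf '%s\n' "${1#/}"
}

# exposed_datasets ZONEPATH DELEGATED...: print each dataset in ZONE_ZFS_LIST
# that lies outside the zone's own dataset tree and outside every delegated
# dataset tree, together with its mountpoint. Every line printed is an
# ancestor or unrelated dataset the zone administrator can see; a mountpoint
# other than "legacy" or "none" is the one to check for writability.
exposed_datasets() {
    zonepath=$1; shift
    own=$(zone_dataset "$zonepath")
    printf '%s\n' "$ZONE_ZFS_LIST" | tail -n +2 |
    while read -r name used avail refer mountpoint; do
        if is_under "$own" "$name"; then
            continue
        fi
        skip=0
        for d in "$@"; do
            if is_under "$d" "$name"; then skip=1; break; fi
        done
        [ "$skip" -eq 1 ] && continue
        printf '%s %s\n' "$name" "$mountpoint"
    done
}

# count_exposed ZONEPATH DELEGATED...: number of exposed datasets.
count_exposed() {
    exposed_datasets "$@" | wc -l | tr -d ' '
}

# Usage: the poster's paulzone, with tank/zones/pauldata delegated.
# Prints "tank /tank" and "tank/zones /tank/zones": the two ancestors the
# zone can see that belong to neither the zone nor the delegated dataset.
exposed_datasets /tank/zones/paulzone tank/zones/pauldata
```

Run it against the listing captured inside each zone rather than the global one: the point is what the zone administrator sees, and comparing the mountpoints it prints with a write test such as the `touch` above tells you whether the visible ancestor is merely named or actually mounted writable in the zone's namespace.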


[zones-discuss] Ancestor filesystems writable by zone admin - by design?

2009-09-27 Thread Miles Benson
Hi All,

I'm not sure whether what I'm seeing is by design or by misconfiguration.  I created a 
filesystem tank/zones to hold some zones, then created a specific zone 
filesystem tank/zones/basezone.  Then built a zone, setting 
zonepath=/tank/zones/basezone.

If I zlogin to basezone, and do zfs list, it shows the ancestors to basezone

tank
tank/zones
tank/zones/basezone
tank/zones/basezone/ROOT
tank/zones/basezone/ROOT/zbe

This in itself is not ideal - if a zone becomes compromised then it's revealing 
something about the underlying pool and filesystems.  I can live with it.

However, if I become root in the zone then the ancestor filesystem is 
*writable*. I can write a file in /tank/zones!  So if I delegate root access to 
a zone to someone, all of a sudden they can write to the entire pool?

Am I doing something wrong?  Any and all suggestions welcome!

Thanks
Miles