[zones-discuss] pidentd

2007-05-04 Thread goudal
Hello, I would like to have users on a zone, but we use pidentd to control some network connections. It seems that pidentd does not work on zones as it can't open kmem. Is there any way to make it work? f.g.

Re: [zones-discuss] pidentd

2007-05-04 Thread James Carlson
[EMAIL PROTECTED] writes: > I would like to have users on a zone, but we use pidentd to control some > network connections. > It seems that pidentd does not work on zones as it can't open kmem. > > Is there any way to make it work ? Essentially, no. Opening /dev/kmem in the zone wouldn't be a

Re: [zones-discuss] pidentd

2007-05-04 Thread goudal
James Carlson <[EMAIL PROTECTED]> > Cc: zones-discuss@opensolaris.org > Date: Fri, 04 May 2007 07:04:14 EDT > Subject: Re: [zones-discuss] pidentd >[EMAIL PROTECTED] writes: >> I would like to have users on a zone, but we use pidentd to control some >> network connections. >> It seems that piden

Re: [zones-discuss] pidentd

2007-05-04 Thread Casper . Dik
> >That's a real pain as that prevents us from using zones as hosting servers for >users : >- we are a school and we just want to identify connections. Starting with mail >sending. >Zones would break our identification model. >It would be real nice if some solution could be found. I've done some

Re: [zones-discuss] pidentd

2007-05-04 Thread James Carlson
[EMAIL PROTECTED] writes: > I've done some work on pidentd prior to the new IP instances code using the > ability to intercept calls for all zones in the global zone with the > SO_ALLZONES socket option (which may not work anymore after the IP > instances putback) Nifty! Not sure about the socke

Re: [zones-discuss] pidentd

2007-05-04 Thread Casper . Dik
>Not sure about the socket option (should still work ... ?), but IP >Instances did nuke the symbols that pidentd was reading out of the >kernel, so that utility is now broken. I also have no idea about that option and how it is affected by the IP instances project. I am assuming it is now "per-

Re: [zones-discuss] pidentd

2007-05-04 Thread James Carlson
[EMAIL PROTECTED] writes: > >I'd sort of like to know how it does that reliably ... does it fork > >and enter the zone? > > It does not resolve names local to the local zones; but it can easily > find all the appropriate uids and processes. No different from traditional > Solaris with multiple in

Re: [zones-discuss] pidentd

2007-05-04 Thread Casper . Dik
>[EMAIL PROTECTED] writes: >> >I'd sort of like to know how it does that reliably ... does it fork >> >and enter the zone? >> >> It does not resolve names local to the local zones; but it can easily >> find all the appropriate uids and processes. No different from traditional >> Solaris with mul

Re: [zones-discuss] A seperate /usr/local/

2007-05-04 Thread Jeff Victor
Hi Bernd, That is interesting, both in good and bad ways. That method weakens the security of the system. For example, if the global zone's root user has /usr/local in its $PATH, a non-global zone root user could insert a trojan horse into an existing script or program in /usr/local. This a

Re: [zones-discuss] A seperate /usr/local/

2007-05-04 Thread Bernd Finger - Sun Germany
Jeff, If there is a link pointing from /usr/local to /_usr_local, this link will be present in each zone and pointing to directory _usr_local in the / file system of that zone only. Example: After logging in to local zone z_01 (with zonepath /zone/z_01) and creating a file /usr/local/test1,

Re: [zones-discuss] pidentd

2007-05-04 Thread David . Comay
Oh. I thought that pidentd was supposed to resolve UIDs locally. That's one of the features of the protocol; it provides "here's who *I* think the user is" information back to the requester. Of course, that's why I thought IDENT was a fairly bogus mechanism since you're asking the remote system

Re: [zones-discuss] pidentd

2007-05-04 Thread Casper . Dik
>> Oh. I thought that pidentd was supposed to resolve UIDs locally. >> That's one of the features of the protocol; it provides "here's who >> *I* think the user is" information back to the requester. > >Of course, that's why I thought IDENT was a fairly bogus mechanism >since you're asking the rem

Re: [zones-discuss] pidentd

2007-05-04 Thread James Carlson
[EMAIL PROTECTED] writes: > > Oh. I thought that pidentd was supposed to resolve UIDs locally. > > That's one of the features of the protocol; it provides "here's who > > *I* think the user is" information back to the requester. > > Of course, that's why I thought IDENT was a fairly bogus mechanis

Re: [zones-discuss] pidentd

2007-05-04 Thread Frédéric Goudal
On 4 May 07 at 19:34, [EMAIL PROTECTED] wrote: Oh. I thought that pidentd was supposed to resolve UIDs locally. That's one of the features of the protocol; it provides "here's who *I* think the user is" information back to the requester. Of course, that's why I thought IDENT was a fairly

[zones-discuss] how to allow writeable /usr directory on a zone?

2007-05-04 Thread Jazz Geek
Hi All, I have a problem in that my application needs to write things to the /usr/lib/* directories. However, on the Zone, it's READ ONLY. Is there any way I can make the /usr/lib/* a normal rwx directory? Thank you for your help. SB

Re: [zones-discuss] pidentd

2007-05-04 Thread Erik Nordmark
James Carlson wrote: [EMAIL PROTECTED] writes: I would like to have users on a zone, but we use pidentd to control some network connections. It seems that pidentd does not work on zones as it can't open kmem. Is there any way to make it work ? Essentially, no. Opening /dev/kmem in the zone

[zones-discuss] Best practice -> mounting file system on local zone

2007-05-04 Thread Ramesh Mudradi
Hello, Can someone shed some light on pros/cons on various ways of mounting a file system onto local zone ? I believe there are four different ways to mount a device/file system on local zone as per the below url, but it is not very clear how they are different. http://www.sun.com/bigadmin/fea

Re: [zones-discuss] how to allow writeable /usr directory on a zone?

2007-05-04 Thread Rayson Ho
You need a "Whole Root Zone" (no sharing) instead of a "Sparse Root Zone"... I think you can control the sharing between the global zone and the non-global zone by using the setting "inherit-pkg-dir": http://www.solarisinternals.com/wiki/index.php/Zones Rayson On 5/4/07, Jazz Geek <[EMAIL PROTE