> Tom Haynes wrote: > > > > What about the case where the customer wants to > administer the zone they purchased > > and they do not want the global zone admins to have > local access to > > their data? > > That would violate basics of the zones model. The > global zone admin has > complete access to all devices attached to the > system. How would you prevent > the GZ admin from halting the zone, manually mounting > the non-global zone's > disk partitions into the global zone, and accessing > the data? > > Preventing the global zone from accessing certain > hardware components would > "open a very large can of worms."
In terms of that sort of isolation, even hardware domain config (on something like an E25K for example) has to be controlled by _someone_; and said someone probably also has physical access to the hardware, which trumps everything else. I suppose you can have guarded datacenters and complicated two-man rules for hardware or SC/Dom0/global zone root access; short of that, keeping out the folks that control the overall config is a pipe dream. Filesystem encryption would help a little, but top-level privs plus advanced tracing facilities could capture the data in unencrypted form, since to process it, it has to be decrypted sometime. Ultimately everything comes down to minutes required for someone sufficiently capable and well-equipped to get away undetected (at least in the short term) with accessing or modifying something they're not supposed to. That even applies to bank vaults. It's just how much you're willing to pay to protect data of value x from threat y; managed risk (assuming a proper understanding of the factors and available methods for dealing with them), nothing more. Maybe a deity can provide absolute security in some metaphysical sense (although evidence suggests that doesn't usually keep their supporters from getting killed); nothing less than omni-everything is up to the job. The point of that rant is that the _customer_ needs to be made to understand that _nothing_ provides that absolute security, that _they_ should be expected to pay for the level of security they want, and maybe that it would probably be useful if there were a standard approximation of an answer to their obvious question "how much more security does the next more expensive approach actually get me?" (not neglecting that perhaps spending more on background checks for your global zone admins, rigorous procedures, configuration control, tripwire/ASET/auditing with offsite logs, etc might be a good idea too...) Maybe there's even a legal angle; think of the warning labels on everything including disposable lighters that basically say that if it's abused, bad things can happen. So you don't want to fail to warn the customer if their expectations are grossly unreasonable. Short of separate boxes not sharing SAN (i.e. something with _no_ single point of control), I'd say it's more fault isolation that goes up with more expensive choices (zones, virtualization, logical domains, hardware domains) than it is overall security isolation. This message posted from opensolaris.org _______________________________________________ zones-discuss mailing list zones-discuss@opensolaris.org
