Re: [zones-discuss] Ancestor filesystems writable by zone admin - by design?

2009-09-28 Thread Nicolas Dorfsman


On 27 Sept 09 at 12:55, Miles Benson wrote:


Hi All,

I'm not sure what I'm seeing is by design or by misconfiguration.  I  
created a filesystem tank/zones to hold some zones, then created a  
specific zone filesystem tank/zones/basezone.  Then built a zone,  
setting zonepath=/tank/zones/basezone.


If I zlogin to basezone, and do zfs list, it shows the ancestors to  
basezone


tank
tank/zones
tank/zones/basezone
tank/zones/basezone/ROOT
tank/zones/basezone/ROOT/zbe

This in itself is not ideal - if a zone becomes compromised then it's
revealing something about the underlying pool and filesystems.  I
can live with it.


However, if I become root in the zone then the ancestor filesystem  
is *writable*. I can write a file in /tank/zones!  So if I delegate  
root access to a zone to someone, all of a sudden they can write to  
the entire pool?


Am I doing something wrong?  Any and all suggestions welcome!


AFAIK, you shouldn't see all these in your zone.

Are you on S10 or on OS?

Did you delegate any dataset or set the zoned flag on ZFS?

Nicolas
___
zones-discuss mailing list
zones-discuss@opensolaris.org


Re: [zones-discuss] Ancestor filesystems writable by zone admin - by design?

2009-09-28 Thread Jerry Jelinek

Miles Benson wrote:

Hi All,

I'm not sure what I'm seeing is by design or by misconfiguration.  I created a filesystem 
tank/zones to hold some zones, then created a specific zone filesystem 
tank/zones/basezone.  Then built a zone, setting zonepath=/tank/zones/basezone.

If I zlogin to basezone, and do zfs list, it shows the ancestors to basezone

tank
tank/zones
tank/zones/basezone
tank/zones/basezone/ROOT
tank/zones/basezone/ROOT/zbe

This in itself is not ideal - if a zone becomes compromised then it's revealing 
something about the underlying pool and filesystems.  I can live with it.

However, if I become root in the zone then the ancestor filesystem is 
*writable*. I can write a file in /tank/zones!  So if I delegate root access to 
a zone to someone, all of a sudden they can write to the entire pool?

Am I doing something wrong?  Any and all suggestions welcome!


So how do the higher datasets appear in the namespace of
the zone?  That is, you're implying that somehow /tank/zones
is mounted inside the zone.  Is that true?  I can't reproduce
this on my opensolaris system running b123.  Can you provide
more details on your zone configuration and what you did to
make /tank/zones visible inside the zone.

Jerry


Re: [zones-discuss] Ancestor filesystems writable by zone admin - by design?

2009-09-28 Thread Miles Benson
Thanks for getting back.

Anyway, I've done some more digging.  It seems to be related to having 
delegated a dataset to a zone.

I have two zones 'basezone' and 'paulzone'.  Forget the fact that I used the 
example of basezone above for a moment.

basezone has no delegated dataset and when you zlogin you can do

r...@muttley:~# zlogin basezone
[Connected to zone 'basezone' pts/2]
Last login: Mon Sep 28 19:29:31 on pts/2
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
r...@basezone:~# zfs list
NAME                           USED  AVAIL  REFER  MOUNTPOINT
tank                          93.8G  2.57T  53.6K  /tank
tank/zones                    1.12G  2.57T  41.1K  /tank/zones
tank/zones/basezone            314M  2.57T  37.5K  /tank/zones/basezone
tank/zones/basezone/ROOT       314M  2.57T  34.0K  legacy
tank/zones/basezone/ROOT/zbe   314M  2.57T   309M  legacy
r...@basezone:~# touch /tank/zones/foobar
touch: cannot create /tank/zones/foobar: No such file or directory
r...@basezone:~#

so all's well and good.

paulzone on the other hand was cloned from basezone and then I created a new 
filesystem /tank/zones/pauldata and delegated it:

r...@muttley:~# zonecfg -z paulzone info
zonename: paulzone
zonepath: /tank/zones/paulzone
brand: ipkg
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
hostid:
net:
	address: 192.168.246.249/29
	physical: e1000g0
	defrouter: 192.168.246.254
dataset:
	name: tank/zones/pauldata
r...@muttley:~#

so if we zlogin to that zone...

r...@muttley:~# zlogin paulzone
[Connected to zone 'paulzone' pts/2]
Last login: Mon Sep 28 19:30:10 on pts/2
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
r...@oberon:~# zfs list
NAME                                USED  AVAIL  REFER  MOUNTPOINT
tank                               93.8G  2.57T  53.6K  /tank
tank/zones                         1.12G  2.57T  41.1K  /tank/zones
tank/zones/pauldata                 390M  19.6G   390M  /tank/zones/pauldata
tank/zones/pauldata/svnrepository   105K  19.6G   105K  /tank/zones/pauldata/svnrepository
tank/zones/paulzone                 404M  4.61G  37.5K  /tank/zones/paulzone
tank/zones/paulzone/ROOT            404M  4.61G  34.0K  legacy
tank/zones/paulzone/ROOT/zbe        404M  4.61G   701M  legacy
r...@oberon:~# touch /tank/zones/foobar
r...@oberon:~# ls -l /tank/zones/foobar
-rw-r--r--   1 root root   0 Sep 28 19:38 /tank/zones/foobar
r...@oberon:~#

not so good.

This is an opensolaris machine, 

r...@muttley:~# uname -a
SunOS muttley 5.11 snv_111b i86pc i386 i86pc Solaris

I pretty much followed the instructions in, er, your book to set all this up :-)

but I've probably missed a step somewhere.

Thanks
Miles
-- 
This message posted from opensolaris.org


Re: [zones-discuss] Ancestor filesystems writable by zone admin - by design?

2009-09-28 Thread Jerry Jelinek

Miles Benson wrote:

Hi Jerry,

Ok, that makes sense.  And I've checked and you're right, it's all in the 
non-global zone. My mistake and I'm glad I was wrong.

However, I think the thing which set me off on the wrong track in the first 
place was the zfs list output showing the available space.  Which quota is that 
data space coming out of?

The zone's filesystem has a 5G quota and the data filesystem has a 20G quota.

zfs list shows these as I'd expect but it shows /tank/zones having the full run 
of the 2.5T main pool.

I'd guess that it's in the 5G basic zone filesystem and that zfs list is just a 
bit confused?


I can't really answer this without seeing the quotas you have
set on each dataset.  However, the output you sent earlier,
which I've included here, seems to show the correct quotas
on the two datasets that are actually available inside the zone.
This matches up to what you've said above (20GB and 5GB).

r...@oberon:~# zfs list
NAME                                USED  AVAIL  REFER  MOUNTPOINT
tank                               93.8G  2.57T  53.6K  /tank
tank/zones                         1.12G  2.57T  41.1K  /tank/zones
tank/zones/pauldata                 390M  19.6G   390M  /tank/zones/pauldata
tank/zones/pauldata/svnrepository   105K  19.6G   105K  /tank/zones/pauldata/svnrepository
tank/zones/paulzone                 404M  4.61G  37.5K  /tank/zones/paulzone
tank/zones/paulzone/ROOT            404M  4.61G  34.0K  legacy
tank/zones/paulzone/ROOT/zbe        404M  4.61G   701M  legacy

I'm unclear why the size of the datasets that aren't available
inside the zone is a concern, other than that you'd prefer those
to not be visible at all.  That's really not a zone's issue and
would be more appropriate to discuss over on the zfs alias.

Thanks,
Jerry

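The confusion in this thread (Miles' `zfs list` from paulzone showing tank and tank/zones with the pool's 2.57T free, and Jerry's point that only the delegated dataset and the zone's own root are actually available inside the zone) can be checked with a small model of what a write inside the zone lands on. This is an added example, not code from the thread, from Solaris, or from the zones/ZFS projects. It takes the `zfs list` rows and the `zonecfg` dataset entry transcribed from the paulzone messages and assumes, as Jerry's reply states, that inside a zone only the zone root and the delegated datasets are mounted, so ancestor rows such as tank/zones are context only and /tank/zones inside the zone is a plain directory on the zone's own boot environment. The function names `parse_zfs_list`, `classify` and `resolve` are the example's own.

```python
"""Which datasets can a non-global zone actually reach?

Added example for the zones-discuss thread; not code from the thread,
from Solaris, or from the zones/ZFS projects.  The `zfs list` rows and
the zonecfg dataset entry are transcribed from Miles' paulzone output.
Assumption (matching Jerry's reply): inside the zone only the zone root
"/" and the delegated dataset(s) are mounted; the other rows `zfs list`
prints are ancestor context whose AVAIL figure belongs to the pool, not
to anything the zone can write.  Function names are the example's own.
"""
from dataclasses import dataclass

# Constructed from the thread: `zfs list` as seen inside paulzone.
ZFS_LIST_IN_ZONE = """\
NAME                                USED  AVAIL  REFER  MOUNTPOINT
tank                               93.8G  2.57T  53.6K  /tank
tank/zones                         1.12G  2.57T  41.1K  /tank/zones
tank/zones/pauldata                 390M  19.6G   390M  /tank/zones/pauldata
tank/zones/pauldata/svnrepository   105K  19.6G   105K  /tank/zones/pauldata/svnrepository
tank/zones/paulzone                 404M  4.61G  37.5K  /tank/zones/paulzone
tank/zones/paulzone/ROOT            404M  4.61G  34.0K  legacy
tank/zones/paulzone/ROOT/zbe        404M  4.61G   701M  legacy
"""

# From `zonecfg -z paulzone info` in the thread.
ZONEPATH = "/tank/zones/paulzone"
DELEGATED = ["tank/zones/pauldata"]
# The zone's boot environment, mounted as "/" inside the zone (taken from
# the listing; with several BEs, `beadm` would say which one is active).
ZONE_ROOT_DATASET = "tank/zones/paulzone/ROOT/zbe"


@dataclass
class Dataset:
    name: str
    avail: str
    mountpoint: str


def parse_zfs_list(text):
    """Parse tabular `zfs list` output (header dropped) into Dataset rows."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        cols = line.split()
        if len(cols) != 5:
            raise ValueError(f"unexpected zfs list row: {line!r}")
        name, _used, avail, _refer, mountpoint = cols
        rows.append(Dataset(name, avail, mountpoint))
    return rows


def _under(name, parent):
    """True when `name` is `parent` or lies below it (dataset or path)."""
    return name == parent or name.startswith(parent + "/")


def classify(datasets, zonepath=ZONEPATH, delegated=DELEGATED):
    """Label every row: 'delegated' (the zone admin manages it), 'zone-root'
    (the zone's own filesystems) or 'ancestor' (context only, not mounted)."""
    zonepath_ds = next(d.name for d in datasets if d.mountpoint == zonepath)
    labels = {}
    for d in datasets:
        if any(_under(d.name, p) for p in delegated):
            labels[d.name] = "delegated"
        elif _under(d.name, zonepath_ds):
            labels[d.name] = "zone-root"
        else:
            labels[d.name] = "ancestor"
    return labels


def resolve(path, datasets, delegated=DELEGATED, zone_root=ZONE_ROOT_DATASET):
    """Return (dataset, avail) that a write to `path` inside the zone lands on.
    Longest mounted prefix wins, and only "/" plus delegated datasets with a
    real (non-legacy) mountpoint count as mounted inside the zone."""
    mounts = {}
    for d in datasets:
        if any(_under(d.name, p) for p in delegated) and d.mountpoint != "legacy":
            mounts[d.mountpoint] = d.name
    best = max((mp for mp in mounts if _under(path, mp)), key=len, default=None)
    target = mounts[best] if best else zone_root
    avail = next(d.avail for d in datasets if d.name == target)
    return target, avail


if __name__ == "__main__":
    ds = parse_zfs_list(ZFS_LIST_IN_ZONE)
    for name, label in classify(ds).items():
        print(f"{label:9s} {name}")
    for p in ("/tank/zones/foobar", "/tank/zones/pauldata/newfile"):
        print(p, "->", resolve(p, ds))
```

Run as is, the script labels tank and tank/zones as ancestors and resolves Miles' `touch /tank/zones/foobar` to the zone's own boot environment (4.61G available), while a write under /tank/zones/pauldata resolves to the delegated dataset with its 19.6G quota; the 2.57T shown against the ancestors is never reachable from inside the zone.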