--On Tuesday, January 27, 2009 03:57:29 PM -0800 Jan Parcel <jan.parcel at sun.com> wrote:

> Actually it is a pretty good workaround if combined with:
>
> 1. Doing the copy very frequently
> 2. Basing the decision to copy upon diffs rather than date.
> 3. removing /usr/bin/passwd in the labeled zones
>
> The reason:
>
> The global zone's passwd file's atomic safety is being preserved using
> the original rules and the global zone is using that passwd file.
>
> The only things that get these unsafe copy operations are COPIES. If
> the global zone's passwd file is still good, then you can still log into
> TJDS or TCDE and you can still log into the global zone via the console
> (if enabled) -- so you can still get in to fix things. In addition,
> if the copy is set to run once every minute or two, any one bad copy
> will only last a minute or two, if the decision to copy is based
> upon diffs rather than on "-newer" logic.

Sure, but what happens if I try to log in to a zone (or su, or...) while the zone's passwd file is only a partial copy? What happens if the partial copy includes an incomplete line, such that the meaning of an entry is changed? Depending on where the truncation occurs, this could be bad. This sort of race has security implications which should not be ignored.

That said, I can't think of any better answers, short of loopback mounting all of /etc into each zone in some alternate location, and then making /etc/passwd and /etc/shadow (and maybe other things) be symlinks. Of course, you'd want to remove /usr/bin/passwd in that case, but that's a good idea anyway, for reasons you already described.

-- Jeff
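The diff-based copy the thread discusses, written so that the partial-copy race Jeff raises cannot be observed: the zone's file is only ever replaced by a single rename(2) of a fully written temp file, and a source that is itself truncated is refused. This is an added example, not code from either poster or from Trusted Extensions; the zone root paths are constructed for the demo (real ones would be under the zone's root directory).

```shell
#!/bin/sh
# Added example: sync the global zone's passwd into a labeled zone's root
# only when the content differs, never exposing a half-written target.

# Return 0 if FILE looks like a complete passwd file: non-empty, every line
# has exactly 7 colon-separated fields, and the last line ends in a newline
# (a truncated copy usually loses the trailing newline or a field).
passwd_is_complete() {
    f=$1
    [ -s "$f" ] || return 1
    # $(...) strips a trailing newline, so an empty result means one was there
    [ -z "$(tail -c 1 "$f")" ] || return 1
    awk -F: 'NF != 7 { bad = 1 } END { exit bad }' "$f"
}

# sync_passwd SRC DST: install SRC as DST if the content differs.
# Exit 0 on success or when nothing needed doing, 1 if SRC was rejected.
sync_passwd() {
    src=$1; dst=$2
    passwd_is_complete "$src" || return 1
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 0   # diff-based decision rather than -newer: no change, no copy
    fi
    # temp file in DST's own directory so the final mv is one rename(2),
    # not a cross-filesystem copy that readers could catch mid-write
    tmp=$(mktemp "$(dirname "$dst")/.passwd.XXXXXX") || return 1
    if cp "$src" "$tmp" && chmod 644 "$tmp" && passwd_is_complete "$tmp"; then
        mv -f "$tmp" "$dst"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Run it from cron every minute or two, as suggested in the thread; a login that races the sync sees either the old complete file or the new complete file, never a partial one.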