On Tue, Jan 27, 2009 at 6:16 PM, Jeffrey Hutzelman <jhutz at cmu.edu> wrote:
>
> --On Tuesday, January 27, 2009 03:57:29 PM -0800 Jan Parcel
> <jan.parcel at sun.com> wrote:
>
> > Actually it is a pretty good workaround if combined with:
> >
> > 1.  Doing the copy very frequently
> > 2.  Basing the decision to copy upon diffs rather than date.
> > 3.  removing /usr/bin/passwd in the labeled zones
> >
> > The reason:
> >
> > The global zone's passwd file's atomic safety is being preserved using
> > the original rules and the global zone is using that passwd file.
> >
> > The only things that get these unsafe copy operations are COPIES.  If
> > the global zone's passwd file is still good, then you can still log into
> > TJDS or TCDE and you can still log into the global zone via the console
> > (if enabled) -- so you can still get in to fix things.  In addition,
> > if the copy is set to run once every minute or two, any one bad copy
> > will only last a minute or two, if the decision to copy is based
> > upon diffs rather than on "-newer" logic.
>
> Sure, but what happens if I try to log in to a zone (or su, or...) while the
> zone's passwd file is only a partial copy?  What happens if the partial
> copy includes an incomplete line, such that the meaning of an entry is
> changed?  Depending on where the truncation occurs, this could be bad.

[disclaimer: I haven't used trusted extensions]

How about this:

mkdir /etc/pwstuff
zonecfg -z $zone
 add fs
  set dir=/etc/pwstuff
  set special=/etc/pwstuff
  set type=lofs
  set options=ro
  end
cd /zones/$zone/root/etc
rm passwd shadow
ln -s pwstuff/passwd passwd
ln -s pwstuff/shadow shadow

When the password and shadow file are updated:

cp -p /etc/passwd /etc/pwstuff/ptmp \
     && mv /etc/pwstuff/ptmp /etc/pwstuff/passwd
cp -p /etc/shadow /etc/pwstuff/stmp \
     && mv /etc/pwstuff/stmp /etc/pwstuff/shadow

The assumptions are that:

1) cp(1) exits with status 0 IFF the file was copied successfully and
permissions were set properly
2) mv(1) uses rename(2) and rename(2) is atomic.

Presumably you may want to do similar things with the various other
name service files.

--
Mike Gerdts
http://mgerdts.blogspot.com/
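
An added example, not part of the original message: the copy-then-rename update above combined with the "decide on diffs, not dates" suggestion from earlier in the thread, plus a check that rejects a truncated or malformed copy before it is renamed into place. The function name `publish_atomic`, its arguments, its return codes and the field-count check are assumptions made for this sketch.

```sh
#!/bin/sh
# publish_atomic SRC DSTDIR NAME [NFIELDS]   (hypothetical helper, see lead-in)
# Copy SRC to DSTDIR/NAME so that readers see either the old file or the
# complete new one, never a partial copy.
# Returns 0 = published, 1 = copy or validation failed, 2 = already identical.
publish_atomic() {
    src=$1 dstdir=$2 name=$3 nfields=${4:-0}
    dst=$dstdir/$name
    tmp=$dstdir/.$name.tmp.$$      # same directory, so mv is a rename(2)

    # Decide on content, not timestamps: skip when nothing changed.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 2
    fi

    # cp -p keeps owner, mode and times; any failure aborts before the rename.
    cp -p "$src" "$tmp" || { rm -f "$tmp"; return 1; }

    # Do not rely on cp's exit status alone: the copy must match the source.
    # If the source is rewritten mid-copy this fails and the next run retries.
    cmp -s "$src" "$tmp" || { rm -f "$tmp"; return 1; }

    # Reject a file whose last line is cut short (no trailing newline).
    if [ -s "$tmp" ] && [ -n "$(tail -c 1 "$tmp")" ]; then
        rm -f "$tmp"; return 1
    fi

    # Optional: every line must have exactly NFIELDS colon-separated fields
    # (7 for passwd, 9 for shadow).
    if [ "$nfields" -gt 0 ] &&
       ! awk -F: -v n="$nfields" 'NF != n { bad = 1 } END { exit bad + 0 }' "$tmp"
    then
        rm -f "$tmp"; return 1
    fi

    mv -f "$tmp" "$dst"            # atomic replace on the same filesystem
}
```

Run from cron in the global zone as, for instance, `publish_atomic /etc/passwd /etc/pwstuff passwd 7`; a return of 1 leaves the previously published file untouched.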
