Good idea except that is already the way it works. For everything that nscd caches there's no problem. It is only an issue for /etc/shadow with files as the name service.

--Glenn

On Jan 27, 2009, at 5:02 PM, Jeffrey Hutzelman <jhutz at cmu.edu> wrote:

> --On Tuesday, January 27, 2009 04:46:53 PM -0800 Jan Parcel
> <jan.parcel at sun.com> wrote:
>
>>
>>> That said, I can't think of any better answers, short of loopback
>>> mounting all of /etc into each zone in some alternate location, and
>>> then making /etc/passwd and /etc/shadow (and maybe other things) be
>>> symlinks. Of course, you'd want to remove /usr/bin/passwd in that
>>> case, but that's a good idea anyway, for reasons you already
>>> described.
>>
>> How would we get around the fact that the global zone /etc might have
>> information we do not want the local zones to have?
>>
>> ike keys, ipsec information, possibly some hostnames and addresses,
>> configuration in /etc/dt, apache configuration, lots of things come
>> to mind.
>
> I didn't say that was a good answer, only that I couldn't think of
> anything better.
>
> Oh, hm, but I can - punt on having a passwd file in the local zones
> at all, and instead handle passwd/shadow lookups via a door call to the
> global zone. This could be handled by an NSS backend used in place of
> the usual files backend, and could use either a dedicated server that
> looks only in /etc/passwd, or just call the global zone nscd.
>
> -- Jeff
> _______________________________________________
> security-discuss mailing list
> security-discuss at opensolaris.org