--On Tuesday, January 27, 2009 07:53:34 PM -0600 Mike Gerdts <mgerdts at gmail.com> wrote:
> On Tue, Jan 27, 2009 at 6:16 PM, Jeffrey Hutzelman <jhutz at cmu.edu> wrote:
>>
>> --On Tuesday, January 27, 2009 03:57:29 PM -0800 Jan Parcel
>> <jan.parcel at sun.com> wrote:
>>
>> > Actually it is a pretty good workaround if combined with:
>> >
>> > 1. Doing the copy very frequently
>> > 2. Basing the decision to copy upon diffs rather than date.
>> > 3. removing /usr/bin/passwd in the labeled zones
>> >
>> > The reason:
>> >
>> > The global zone's passwd file's atomic safety is being preserved using
>> > the original rules and the global zone is using that passwd file.
>> >
>> > The only things that get these unsafe copy operations are COPIES. If
>> > the global zone's passwd file is still good, then you can still log
>> > into TJDS or TCDE and you can still log into the global zone via the
>> > console (if enabled) -- so you can still get in to fix things. In
>> > addition, if the copy is set to run once every minute or two, any one
>> > bad copy will only last a minute or two, if the decision to copy is
>> > based upon diffs rather than on "-newer" logic.
>>
>> Sure but what happens if I try to log in to a zone (or su, or...) while
>> the zone's passwd file is only a partial copy? What happens if the
>> partial copy includes an incomplete line, such that the meaning of an
>> entry is changed. Depending on where the truncation occurs, this could
>> be bad.
>
> [disclaimer: I haven't used trusted extensions]
>
> How about this:
>
> mkdir /etc/pwstuff
> zonecfg -z $zone
> add fs
> set dir=/etc/pwstuff
> set special=/etc/zones-etc
> set type=lofs
> set options=ro
> end
> cd /zones/$zone/root/etc
> rm passwd shadow
> ln -s pwstuff/passwd passwd
> ln -s pwstuff/shadow shadow
>
> When the password and shadow file are updated:
>
> cp -p /etc/passwd /etc/pwstuff/ptmp \
> && mv /etc/pwstuff/ptmp /etc/pwstuff/passwd
> cp -p /etc/shadow /etc/pwstuff/stmp \
> && mv /etc/pwstuff/stmp /etc/pwstuff/shadow

Oh, yes, you could do that -- combine the previously-discussed workarounds
in a safe way, so that local-zones see an atomically-updated copy of the
passwd and shadow files, but don't get to see the complete contents of /etc.
Of course, this still requires something in the global zone to periodically
copy the real passwd and shadow files to the locations visible to the local
zones, but that's not a major difficulty.

-- Jeff
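
The periodic global-zone job discussed above, as an added example that is not part of the original thread: it copies only when contents differ ("diffs rather than date") and publishes through a temporary name in the same directory followed by mv, so readers never see a partial file. The function names and scratch paths are assumptions, and the re-compare of the temporary file before the rename goes beyond what the thread describes.

```shell
#!/bin/sh
# Added example: diff-driven, atomic publication of passwd/shadow copies.
# PUBDIR and all function names are assumptions for illustration.

# publish_file SRC PUBDIR
# Prints "unchanged" or "updated"; returns non-zero if the copy could not
# be verified, leaving the previously published file in place.
publish_file() {
    src=$1
    pubdir=$2
    name=$(basename "$src")
    dst=$pubdir/$name
    tmp=$pubdir/.$name.tmp.$$      # same directory, so mv is a rename(2)

    # Decide by content, not mtime ("diffs rather than -newer").
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo unchanged
        return 0
    fi

    # Copy under a restrictive umask, then confirm the temp file is a
    # complete copy before it becomes visible under the real name.
    if (umask 077 && cp -p "$src" "$tmp") && cmp -s "$src" "$tmp"; then
        mv -f "$tmp" "$dst" && echo updated
    else
        rm -f "$tmp"
        return 1
    fi
}

# publish_all SRCDIR PUBDIR : passwd and shadow, as in the thread.
publish_all() {
    for f in passwd shadow; do
        publish_file "$1/$f" "$2" || return 1
    done
}

# Constructed demo in a scratch directory (no real /etc files touched).
demo() {
    d=$(mktemp -d) && mkdir "$d/etc" "$d/pwstuff" || return 1
    printf 'root:x:0:0:Super-User:/root:/sbin/sh\n' > "$d/etc/passwd"
    printf 'root:NP:6445::::::\n' > "$d/etc/shadow"
    publish_all "$d/etc" "$d/pwstuff"     # first run: updated, updated
    publish_all "$d/etc" "$d/pwstuff"     # second run: unchanged, unchanged
    rm -rf "$d"
}
demo
```

On a real system the source directory would be the global zone's /etc and the target the directory that is lofs-mounted read-only into the zones; the temporary file must live on the same filesystem as the target for the rename to be atomic.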