The "ZONE" privilege is shorthand for all zone privileges (which is
a subset of "ALL" privileges found in the global zone).  Are you
talking about Apache or Apache 2?  If Apache 2, check out:

By default, Apache2 wants to create/write files in directories that
are owned by root which would lead to the need for all zone privileges.
The BluePrint mentioned above discusses the 2 (I believe) changes that
are needed to allow you to run Apache 2 as a non-root user in a zone.


Christine Tran wrote:
I am attempting to run apache as a non-root user in a non-global zone.  I'm 
not able to start apache, my error_log says:

Permission denied: mod_rewrite: could not create rewrite_log_lock

Thinking that this may be related to a privilege issue, I ran ppriv -e -D and 

httpsd.worker[14906]: missing privilege "ZONE" (euid = 170, syscall = 5) needed at tdirenter+0x300
Server start FAILED

What is "ZONE"?  There is proc_zone but that doesn't sound right, "allow a process 
to send signals to processes in other zones"?  Googling gives me some info on mod_rewrite, 
that I'm hitting some semaphore limits, shm and ipcs.

This works fine when I start apache as a non-root user in the global zone.  I would like 
to make this work in a non-global zone.  What is privilege "ZONE"?  Has anyone 
seen this? What should I do next? (OK, privdebug is a given.)

zones-discuss mailing list

Glenn Brunette
Distinguished Engineer
Director, GSS Security Office
Sun Microsystems, Inc.
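
Added example, not part of the original thread: a small shell filter for lines in the "missing privilege" form quoted above. It groups them by process, privilege, euid and syscall, and marks ZONE or ALL as a privilege-set shorthand rather than a single privilege. The function names and the httpd sample line are constructed, and it assumes each message arrives on one line.

```shell
#!/bin/sh
# Added example, not from the thread: summarise privilege-debugging output.

# Constructed sample input. Line 1 is the message quoted in the thread,
# rejoined onto one line; the httpd line is made up for illustration.
sample_log() {
cat <<'EOF'
httpsd.worker[14906]: missing privilege "ZONE" (euid = 170, syscall = 5) needed at tdirenter+0x300
Server start FAILED
httpsd.worker[14906]: missing privilege "ZONE" (euid = 170, syscall = 5) needed at tdirenter+0x300
httpd[15001]: missing privilege "net_privaddr" (euid = 170, syscall = 232) needed at constructed_fn+0x0
EOF
}

# Reads debug lines on stdin; prints "count process privilege euid syscall kind".
# kind is "set" when the name is a privilege-set shorthand (ZONE or ALL, as
# described in the reply) and "single" for an individual privilege.
summarize_missing_privs() {
    awk '
    /missing privilege "/ {
        proc = $1
        sub(/\[[0-9]+\]:$/, "", proc)        # drop the "[pid]:" suffix
        split($0, q, "\"")                    # q[2] is the quoted name
        priv = q[2]
        euid = $0; sub(/.*euid = /, "", euid); sub(/[^0-9].*/, "", euid)
        sysc = $0; sub(/.*syscall = /, "", sysc); sub(/[^0-9].*/, "", sysc)
        kind = (priv == "ZONE" || priv == "ALL") ? "set" : "single"
        count[proc " " priv " " euid " " sysc " " kind]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

sample_log | summarize_missing_privs
```

A "set" row means the process was denied something covered only by the whole set, so there is no single privilege of that name to grant.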