Brian Kolaci wrote:
IHAC that is looking to split out zone management roles.

The zone administrator creates and manages the local zones
however that person should not be able to see the data
in the zone for security purposes.  They should only be able
to manipulate the resources assigned to the zone, as well
as create/destroy zones.

The issue that comes up is that zlogin automatically grants
them unauthenticated root privileges in the zone.

The other issue is that the GZ admin can read any files in a zone without using zlogin. The only exception to that is a fs that the non-GZ admin NFS-mounts, and that exception will only last until a few CR's are delivered.

Console access
should be fine since that is authenticated, however the default
without -C gives them full access.  So with the current scenario
its an all or nothing proposition.

I propose that zlogin be split into two different programs, one
for console access and one for running programs and/or shell.
A simple way to do this (and would be backward compatible) would be to
create a hard link to zlogin, say 'zconsole' that when it is executed
the program can test arg0 and automatically apply the -C functionality
if it is called zconsole.  This would allow better separation of
duties and allow two different profiles in exec_attr to differentiate
what zone administrators can do.


Sounds like a good answer. It seems to me that the GZ admin could implement this by writing a short program. What am I missing?


--
--------------------------------------------------------------------------
Jeff VICTOR              Sun Microsystems            jeff.victor @ sun.com
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:    http://www.opensolaris.org/os/community/zones/faq
--------------------------------------------------------------------------
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org

Reply via email to