Jeff Victor wrote:

> Brian Kolaci wrote:

>> IHAC that is looking to split out zone management roles.
>>
>> The zone administrator creates and manages the local zones
>> however that person should not be able to see the data
>> in the zone for security purposes.  They should only be able
>> to manipulate the resources assigned to the zone, as well
>> as create/destroy zones.
>>
>> The issue that comes up is that zlogin automatically grants
>> them unauthenticated root privileges in the zone.
>
> The other issue is that the GZ admin can read any files in a zone without using zlogin. The only exception to that is a fs that the non-GZ admin NFS-mounts, and that exception will only last until a few CRs are delivered.

Two items on this front.  First, I was referring to someone (not root)
that has the Zones Management profile which gives them zoneadm, zonecfg
and zlogin.  Second, I've recommended that they convert root to a role
and strip privs (such as file_dac_read, file_dac_write) and protect
the filesystems and zonepaths as well as write access to user_attr,
exec_attr, etc.

>> Console access
>> should be fine since that is authenticated, however the default
>> without -C gives them full access.  So with the current scenario
>> it's an all-or-nothing proposition.
>>
>> I propose that zlogin be split into two different programs, one
>> for console access and one for running programs and/or shell.
>> A simple (and backward compatible) way to do this would be to
>> create a hard link to zlogin, say 'zconsole'; when executed, the
>> program can test arg0 and automatically apply the -C functionality
>> if it is called zconsole.  This would allow better separation of
>> duties and allow two different profiles in exec_attr to differentiate
>> what zone administrators can do.


> Sounds like a good answer. It seems to me that the GZ admin could implement this by writing a short program. What am I missing?

Just the piece I mentioned above.  One of the goals is to strip privs
from the root account since not even root should be able to see the
data in the local zones on a secure server.  The ability to manage
zones should be isolated from the ability to view content in the zones.
This should be out of the box and not something that the customer needs
to write/implement themselves.  The backward compatible proposal above
would just be a step to getting there.
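The arg0 test proposed in the thread, as an added example in C (this is not the poster's code and not Solaris's zlogin): a front-end that, when invoked under the name "zconsole", forces console mode by inserting -C before the caller's arguments and then execs the real zlogin. The name "zconsole" is the hypothetical link name from the discussion; /usr/sbin/zlogin is assumed to be the path of the real binary. The argv-building step is kept in its own function so the behaviour can be checked without a zone present.

```c
/* Added example: console-only front-end for zlogin, dispatching on arg0.
 * Not part of Solaris; "zconsole" and the zlogin path are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <libgen.h>

#define ZLOGIN_PATH  "/usr/sbin/zlogin"   /* assumed location of the real zlogin */
#define CONSOLE_NAME "zconsole"           /* hypothetical hard-link name */

/* Returns 1 if the program was started under the console-only name, else 0. */
int invoked_as_console(const char *arg0)
{
    char buf[1024];
    /* POSIX basename() may modify its argument, so work on a copy. */
    strncpy(buf, arg0, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return strcmp(basename(buf), CONSOLE_NAME) == 0 ? 1 : 0;
}

/* Build the argument vector for the real zlogin:
 *   out[0] = zlogin path, then "-C" if console mode is forced,
 *   then the caller's own arguments (argv[1..]), then a NULL terminator.
 * Returns the number of non-NULL entries, or -1 if out cannot hold them. */
int build_zlogin_argv(const char *arg0, int argc, char **argv,
                      char **out, int outmax)
{
    int n = 0;
    int force_console = invoked_as_console(arg0);

    /* path + optional "-C" + (argc - 1) user args + NULL must fit. */
    if (argc + 3 > outmax)
        return -1;

    out[n++] = ZLOGIN_PATH;
    if (force_console)
        out[n++] = "-C";
    for (int i = 1; i < argc; i++)
        out[n++] = argv[i];
    out[n] = NULL;
    return n;
}

int main(int argc, char **argv)
{
    char *nargv[64];
    int n = build_zlogin_argv(argv[0], argc, argv, nargv, 64);
    if (n < 0) {
        fprintf(stderr, "too many arguments\n");
        return 1;
    }
    /* Under the zconsole name the user cannot drop the -C flag: it is
     * prepended here, and zlogin's own option checking still applies to
     * whatever follows it. */
    execv(nargv[0], nargv);
    perror("execv");
    return 1;
}
```

With this in place, the exec_attr entries for the two profiles can point at the two names separately, which is the separation of duties the proposal is after; the privilege and zonepath protections mentioned above still have to be applied independently, since this front-end only controls how zlogin is invoked.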

_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
