Jeff Victor wrote:
Brian Kolaci wrote:

Jeff Victor wrote:

Brian Kolaci wrote:

IHAC that is looking to split out zone management roles.

The zone administrator creates and manages the local zones
however that person should not be able to see the data
in the zone for security purposes.  They should only be able
to manipulate the resources assigned to the zone, as well
as create/destroy zones.

The issue that comes up is that zlogin automatically grants
them unauthenticated root privileges in the zone.

The other issue is that the GZ admin can read any files in a zone without using zlogin. The only exception to that is a fs that the non-GZ admin NFS-mounts, and that exception will only last until a few CR's are delivered.

Two items on this front.  First, I was referring to someone (not root)
that has the Zones Management profile which gives them zoneadm, zonecfg
and zlogin.  Second, I've recommended that they convert root to a role
and strip privs (such as file_dac_read, file_dac_write) and protect
the filesystems and zonepaths as well as write access to user_attr,
exec_attr, etc.

What method will be used to prevent a zone admin from creating another zone, mounting the fs with sensitive info in that zone, logging into the new zone as root, and viewing the data?

Glad you brought that up.  This was already solved.  The typical administrator
in this case doesn't have the root password for any zones.  The most they would
see is the encrypted password for the sysidcfg file, but even that will probably
be locked down.  This is part of the automated zone creation tools I helped
write that also provide the finish scripts and a jumpstart-like framework
so that all they need to do is specify the components needed to build the zone.
Currently these folks are non-root admins with a special profile that doesn't
include zlogin access, however they did need a custom 'zcopy' program that
copies sysidcfg and other files like a SMF manifest and params to build the zone
and send an email to the admin when it's complete.
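One way to audit the split described in this thread (which rights profiles actually run zlogin as root, and which users hold those profiles) is to parse the RBAC databases directly. This is an added example, not code from the thread, the customer tooling or Solaris; the exec_attr(4) and user_attr(4) excerpts, the profile names and the zcopy path are constructed sample data, not a real system's entries.

```shell
#!/bin/sh
# Constructed sample excerpts of the RBAC databases (not real system files).
# exec_attr(4) fields: name:policy:type:res1:res2:id:attr  (uid=0 => runs as root)
EXEC_ATTR='Zone Management:solaris:cmd:::/usr/sbin/zoneadm:uid=0
Zone Management:solaris:cmd:::/usr/sbin/zonecfg:uid=0
Zone Management:solaris:cmd:::/usr/sbin/zlogin:uid=0
Zone Builder:solaris:cmd:::/usr/sbin/zoneadm:uid=0
Zone Builder:solaris:cmd:::/usr/sbin/zonecfg:uid=0
Zone Builder:solaris:cmd:::/usr/local/sbin/zcopy:uid=0'
# user_attr(4) fields: user:qualifier:res1:res2:attr  (attr is key=value;key=value)
USER_ATTR='alice::::type=normal;profiles=Zone Management
bob::::type=normal;profiles=Zone Builder,Basic Solaris User'

# profiles_granting CMD: print every profile whose exec_attr entry runs CMD.
profiles_granting() {
    printf '%s\n' "$EXEC_ATTR" | awk -F: -v cmd="$1" '$6 == cmd { print $1 }'
}

# users_with_profile PROFILE: print users whose profiles= list names PROFILE exactly.
users_with_profile() {
    printf '%s\n' "$USER_ATTR" | awk -F: -v prof="$1" '
    {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++) if (kv[i] ~ /^profiles=/) {
            # "profiles=" is 9 characters; the rest is a comma-separated list
            m = split(substr(kv[i], 10), p, ",")
            for (j = 1; j <= m; j++) if (p[j] == prof) print $1
        }
    }'
}

# zlogin_users: every user who can reach zlogin through some assigned profile.
# A zone-builder account should never appear here.
zlogin_users() {
    profiles_granting /usr/sbin/zlogin | while IFS= read -r prof; do
        users_with_profile "$prof"
    done | sort -u
}

zlogin_users
```

On a live system, feed the real /etc/security/exec_attr and /etc/user_attr into the same awk filters; nested profiles (the profiles= attribute in prof_attr(4)) are not followed here.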
zones-discuss mailing list