I'd even go further and say that any user
in the global zone would not have access to /export/z1.  [...]

But if we resolve loopback NFS mount issues then any zone could access
any other zone's NFS shares provided they have logical or physical
connectivity between them.  So why not allow global zone access then,
mediated, perhaps, by NFSv4-style ID mapping?

What about the case where the customer wants to administer the zone they purchased and they do not want the global zone admins to have local access to their data?

I'd say make it simple - in order to get access, you must be able to mount the export and abide both by the share-level machine access rules and either the UID mapping (NFSv3) or ID mapping (NFSv4) rules.

Let the owner of the zone explicitly control the access to their data.

