On Wed, Feb 14, 2007 at 03:27:30PM -0600, Robert Gordon wrote:
> There maybe a conflicting security requirement here. Lets say
> I'm SA of the zone and i have exported /export/foo with krb5i
> (since my foo really needs tight security :) ) to a limited
> set of clients. Then along comes Mr Global SA and exports it
> with auth_sys to any old nfs client..
> seems like that might be an issue ?

Clearly if a zone is in charge of its exports then there should be no
trivial way for a g-z admin to interfere short of using zlogin to
interfere from within that zone.

The interesting question is: how this works on upgrade where the g-z had
shares inside a zone.  Do we move these shares into the zone, or do we
have a concept of zones that delegate sharing power to the g-z?
zones-discuss mailing list

Reply via email to