Robert Gordon wrote:

On Feb 14, 2007, at 3:17 PM, Edward Pilatowicz wrote:

this all makes logical sense to me.

i would refine your second point though because it doesn't take into
account lofs mounts.

ex,  if i have /export/foo in the global zone and then in zonecfg i
configure a "filesystem" resource such that this directory is also
lofs mounted in the zone at /export/foo, then who should be able
to export the filesystem?

it seems to me that both the local zone and the global zone
should be able to export it (or not export it) independantly.


There maybe a conflicting security requirement here. Lets say
I'm SA of the zone and i have exported /export/foo with krb5i
(since my foo really needs tight security :) ) to a limited
set of clients. Then along comes Mr Global SA and exports it
with auth_sys to any old nfs client..

seems like that might be an issue ?

Seems like you need Solaris Trusted Extensions. :-)

But in the end, a sufficiently-privileged user in the global zone can do 

Jeff VICTOR              Sun Microsystems            jeff.victor @
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:
zones-discuss mailing list

Reply via email to