Nicolas Williams wrote:
> On Wed, Feb 14, 2007 at 03:27:30PM -0600, Robert Gordon wrote:
>> There may be a conflicting security requirement here. Let's say
>> I'm SA of the zone and I have exported /export/foo with krb5i
>> (since my foo really needs tight security :) ) to a limited
>> set of clients. Then along comes Mr Global SA and exports it
>> with auth_sys to any old nfs client..
>>
>> Seems like that might be an issue?
>
> Clearly if a zone is in charge of its exports then there should be no
> trivial way for a g-z admin to interfere short of using zlogin to
> interfere from within that zone.

There are already precedents to *not* do that. A non-global zone must trust its global zone. This includes trusting the global zone to not:

* Halt it
* Edit its configuration files
* Run "zlogin svcadm disable ..."
* Run format and modify the layout of any disks that the zone is using

If there is data that HostA's global zone must not have access to, that data must be on a different computer.

> The interesting question is: how this works on upgrade where the g-z had
> shares inside a zone.  Do we move these shares into the zone, or do we
> have a concept of zones that delegate sharing power to the g-z?


--
--------------------------------------------------------------------------
Jeff VICTOR              Sun Microsystems            jeff.victor @ sun.com
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:    http://www.opensolaris.org/os/community/zones/faq
--------------------------------------------------------------------------
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org