Robert Gordon wrote:
it seems to me that both the local zone and the global zone
should be able to export it (or not export it) independently.


There may be a conflicting security requirement here. Let's say
I'm SA of the zone and I have exported /export/foo with krb5i
(since my foo really needs tight security :) ) to a limited
set of clients. Then along comes Mr Global SA and exports it
with auth_sys to any old nfs client..

seems like that might be an issue?

Exactly why this should not be allowed. Only a single NFS server should ever be exporting a given local file system. Even if it isn't krb5 vs sys it could be two different krb5 realms and different NFSMAPID_DOMAINS.

It can be either the global or local zone but not both at the same time. If a zone has been delegated the ability to be an NFS server (which IMO should NOT be the default - just like today with IP stack instances) then the global zone must not be able to share out the zone's filesystems.

Darren J Moffat
zones-discuss mailing list
