Hi Bernd,

That is interesting, both in good and bad ways.

That method weakens the security of the system.

For example, if the global zone's root user has /usr/local in its $PATH, a non-global zone root user could insert a trojan horse into an existing script or program in /usr/local.

This attack could be used to give the non-global root user access to the root account on the global zone, or execute more subtle actions.

In general, unless you are the only user of the system and its zones, you should not give a zone write access to any files that are used by the global zone's users.

Bernd Finger - Sun Germany wrote:
Hi,

DJR wrote:
I installed my zones, in a sparse zone format.

Question is, is there a way to NOT use /usr/local from the global zone and
use a local copy, or start with a clean /usr/local on the zone, besides in a
whole root format where it copies the global over to the zone? I do not want
to rebuild the zone if possible; is there any way around this?

A way that worked for me is to "escape" the /usr directory using a symbolic link:

1) In the global zone, move /usr/local to /_usr_local (or any other directory in a file system that is not mounted read only in one of the local zones)
$ mv /usr/local /_usr_local

2) In the global zone, create a symbolic link that points from /usr/local to the new location:
$ ln -s /_usr_local /usr/local
$ ls -ld /usr/local
lrwxrwxrwx 1 root root 11 May 4 08:10 /usr/local -> /_usr_local

3) In the global zone, create a directory <zonepath>/root/_usr_local for each local zone. As each local zone's /usr is a read-only copy of the /usr tree of the global zone, its file /usr/local is a link to a (writable) directory outside of that file system in that zone.


--
--------------------------------------------------------------------------
Jeff VICTOR              Sun Microsystems            jeff.victor @ sun.com
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:    http://www.opensolaris.org/os/community/zones/faq
--------------------------------------------------------------------------
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
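The three steps Bernd describes, rehearsed as an added example that is not code from the thread: it builds a constructed directory tree standing in for the global zone root and one sparse zone's <zonepath> (the zone's read-only shared /usr is simulated with a symlink), performs the move, the symlink and the per-zone directory, and then checks the property Jeff's reply is concerned with, namely that the zone's /usr/local resolves to a directory belonging to that zone and not to the global zone's own /_usr_local.

```sh
#!/bin/sh
# Added example, not from the thread. Rehearses the /usr/local "escape" on a
# constructed tree: $1 arguments are stand-ins for / of the global zone and
# for <zonepath>; a symlink simulates the zone's lofs-mounted read-only /usr.
set -eu

# Steps 1 and 2: move /usr/local aside in the global zone, leave a symlink.
escape_usr_local() {              # $1 = global zone root
  groot=$1
  if [ ! -L "$groot/usr/local" ]; then
    mv "$groot/usr/local" "$groot/_usr_local"
    ln -s /_usr_local "$groot/usr/local"   # absolute target: resolves per zone
  fi
}

# Step 3: give one zone its own writable /_usr_local under <zonepath>/root.
make_zone_usr_local() {           # $1 = zonepath
  mkdir -p "$1/root/_usr_local"
}

# Check: /usr/local as seen from inside the zone must be an absolute link to a
# directory that exists in the zone root and is not the global zone's copy.
zone_usr_local_is_private() {     # $1 = zonepath, $2 = global zone root
  zp=$1; groot=$2
  tgt=$(readlink "$zp/root/usr/local" 2>/dev/null) || return 1
  case $tgt in
    /*) ;;                        # ok: absolute, resolved under the zone root
    *)  return 1 ;;               # relative: would stay inside the shared /usr
  esac
  [ -d "$zp/root$tgt" ] || return 1
  [ "$(cd "$zp/root$tgt" && pwd -P)" != "$(cd "$groot/_usr_local" && pwd -P)" ]
}

demo() {                          # builds the constructed tree and runs the check
  base=$(mktemp -d)
  mkdir -p "$base/global/usr/local/bin" "$base/zone1/root"
  escape_usr_local "$base/global"
  make_zone_usr_local "$base/zone1"
  ln -s "$base/global/usr" "$base/zone1/root/usr"   # stand-in for lofs-mounted /usr
  if zone_usr_local_is_private "$base/zone1" "$base/global"; then
    echo "zone1: /usr/local is private to the zone"
  else
    echo "zone1: /usr/local escapes to the global zone" >&2
  fi
  rm -rf "$base"
}
demo
```

Against a real system the same functions would be run as root with / and the real <zonepath> values; a zone for which step 3 was skipped fails the check because the link target does not exist inside its root.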