Jeff,
If there is a link pointing from /usr/local to /_usr_local, this link will be
present in each zone and pointing to directory _usr_local in the / file system
of that zone only.
Example: After logging in to local zone z_01 (with zonepath /zone/z_01) and
creating a file /usr/local/test1, there will be a file /_usr_local/test1 in that
local zone only. Or, from the global zone's perspective, the only new file on
that system will be /zone/z_01/root/_usr_local/test1.
Regards,
Bernd
Jeff Victor wrote:
Hi Bernd,
That is interesting, both in good and bad ways.
That method weakens the security of the system.
For example, if the global zone's root user has /usr/local in its $PATH,
a non-global zone root user could insert a trojan horse into an existing
script or program in /usr/local.
This attack could be used to give the non-global root user access to the
root account on the global zone, or execute more subtle actions.
In general, unless you are the only user of the system and its zones,
you should not give a zone write-access to any files that are used by
the global zone's users.
Bernd Finger - Sun Germany wrote:
Hi,
DJR wrote:
I installed my zones, in a sparse zone format.
question is, is there a way to NOT use /usr/local from the global
zone and
use a local copy or start with a clean /usr/local on the zone besides
in a
whole root format where it copies the global over to the zone. I do
not want
to rebuild the zone if possible, is there any way around this.
A way that worked for me is to "escape" the /usr directory using a
symbolic link:
1) In the global zone, move /usr/local to /_usr_local (or any other
directory in a file system that is not mounted read only in one of the
local zones)
$ mv /usr/local /_usr_local
2) In the global zone, create a symbolic link that points from
/usr/local to the new location:
$ ln -s /_usr_local /usr/local
$ ls -ld /usr/local
lrwxrwxrwx 1 root root 11 May 4 08:10 /usr/local ->
/_usr_local
3) In the global zone, create a directory <zonepath>/root/_usr_local
for each local zone . As each local zone's /usr is a read only copy of
the /usr tree of the global zone, its file /usr/local is a link to a
(writable) directory outside of that file system in that zone.
--
*******************************************************************
Sun Microsystems GmbH Bernd Finger
Altrottstr. 31 Service Alliance Operations
D-69190 Walldorf Phone: +49-6227-356-238
Germany Fax: +49-6227-356-222
mailto:[EMAIL PROTECTED] Blog: http://blogs.sun.com/blogfinger
http://www.sun.com/third-party/global/sap/service/support.html
Sitz der Gesellschaft: Sun Microsystems GmbH, Sonnenallee 1,
D-85551 Kirchheim-Heimstetten
Amtsgericht München: HRB 161028
Geschäftsführer: Marcel Schneider, Wolfgang Engels, Dr. Roland Bömer
Vorsitzender des Aufsichtsrates: Martin Häring
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
