Jeff,

If there is a link pointing from /usr/local to /_usr_local, this link will be present in each zone and will point to the directory _usr_local in the / file system of that zone only.


Example: After logging in to local zone z_01 (with zonepath /zone/z_01) and creating a file /usr/local/test1, there will be a file /_usr_local/test1 in that local zone only. Or, from the global zone's perspective, the only new file on that system will be /zone/z_01/root/_usr_local/test1.

Regards,

Bernd

Jeff Victor wrote:
Hi Bernd,

That is interesting, both in good and bad ways.

That method weakens the security of the system.

For example, if the global zone's root user has /usr/local in its $PATH, a non-global zone root user could insert a trojan horse into an existing script or program in /usr/local.

This attack could be used to give the non-global root user access to the root account on the global zone, or execute more subtle actions.

In general, unless you are the only user of the system and its zones, you should not give a zone write-access to any files that are used by the global zone's users.

Bernd Finger - Sun Germany wrote:
Hi,

DJR wrote:
I installed my zones, in a sparse zone format.

My question is: is there a way to NOT use /usr/local from the global zone and instead use a local copy, or start with a clean /usr/local on the zone, other than with a whole-root format, where it copies the global over to the zone? I do not want to rebuild the zone if possible; is there any way around this?

A way that worked for me is to "escape" the /usr directory using a symbolic link:

1) In the global zone, move /usr/local to /_usr_local (or any other directory in a file system that is not mounted read-only in one of the local zones):
$ mv /usr/local /_usr_local

2) In the global zone, create a symbolic link that points from /usr/local to the new location:
$ ln -s /_usr_local /usr/local
$ ls -ld /usr/local
lrwxrwxrwx 1 root root 11 May 4 08:10 /usr/local -> /_usr_local

3) In the global zone, create a directory <zonepath>/root/_usr_local for each local zone. As each local zone's /usr is a read-only copy of the /usr tree of the global zone, its /usr/local is a link to a (writable) directory outside of that file system in that zone.




--
*******************************************************************
Sun Microsystems GmbH         Bernd Finger
Altrottstr. 31                Service Alliance Operations
D-69190 Walldorf              Phone: +49-6227-356-238
Germany                       Fax:   +49-6227-356-222
mailto:[EMAIL PROTECTED]             Blog:  http://blogs.sun.com/blogfinger
http://www.sun.com/third-party/global/sap/service/support.html

Sitz der Gesellschaft: Sun Microsystems GmbH, Sonnenallee 1,
D-85551 Kirchheim-Heimstetten
Amtsgericht München: HRB 161028
Geschäftsführer: Marcel Schneider, Wolfgang Engels, Dr. Roland Bömer
Vorsitzender des Aufsichtsrates: Martin Häring
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
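The following is an added example, not code from Bernd or anyone else in the thread. It replays the three steps of the /usr/local "escape" and the /usr/local/test1 experiment from Bernd's follow-up under a throwaway fake root, so it can be run safely on any POSIX system without touching / or a real zone. The fake root stands in for the global zone's /, and <root>/zone/<name>/root for each zone's root; the zone names z_01 and z_02 are assumptions. In a real sparse zone /usr is a read-only lofs mount of the global /usr, so the zone automatically sees the same /usr/local symlink; the per-zone symlink created below only mimics that.

```shell
#!/bin/sh
# Added example (not from the thread): simulate Bernd's /usr/local escape under
# a throwaway fake root. $root plays the global zone's /, and
# $root/zone/<name>/root plays each zone's root (zone names are assumptions).

# Steps 1 and 2 (global zone): move /usr/local aside and leave an absolute
# symlink in its place.
relocate_usr_local() {
    mkdir -p "$1/usr/local"
    mv "$1/usr/local" "$1/_usr_local"
    ln -s /_usr_local "$1/usr/local"
}

# Step 3 (global zone): give a zone its own writable /_usr_local under
# <zonepath>/root.
add_zone_usr_local() {
    mkdir -p "$1/root/_usr_local"
}

# Resolve a path the way a process confined to ROOT sees it: an absolute
# symlink target is re-rooted under ROOT, a relative target stays relative to
# the link's directory, and a non-link is returned unchanged. This is why the
# same /usr/local link lands in a different _usr_local in every zone.
resolve_in_root() {
    target=$(readlink "$1$2") || { printf '%s\n' "$1$2"; return; }
    case $target in
        /*) printf '%s\n' "$1$target" ;;
        *)  printf '%s\n' "$(dirname "$1$2")/$target" ;;
    esac
}

# Build the layout, create /usr/local/test1 "inside" zone z_01, and print the
# fake root so the caller can inspect it. From the global zone's perspective
# the only new file is <root>/zone/z_01/root/_usr_local/test1.
demo() {
    root=$(mktemp -d)
    relocate_usr_local "$root"
    for z in z_01 z_02; do
        zonepath=$root/zone/$z
        mkdir -p "$zonepath/root/usr"
        # What the zone sees through its read-only lofs /usr (simulated here).
        ln -s /_usr_local "$zonepath/root/usr/local"
        add_zone_usr_local "$zonepath"
    done
    touch "$(resolve_in_root "$root/zone/z_01/root" /usr/local)/test1"
    printf '%s\n' "$root"
}

# Usage: r=$(demo); find "$r" -name test1; rm -rf "$r"
```

Running the usage line lists exactly one test1, under zone/z_01/root/_usr_local, and nothing under the global _usr_local or under z_02: the zone's root user can only write to its own copy, which is what distinguishes this setup from the shared, zone-writable /usr/local that Jeff warns about.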