> Tom Haynes wrote:
> >
> > What about the case where the customer wants to administer the zone they
> > purchased and they do not want the global zone admins to have local access
> > to their data?
>
> That would violate basics of the zones model.  The global zone admin has
> complete access to all devices attached to the system.  How would you prevent
> the GZ admin from halting the zone, manually mounting the non-global zone's
> disk partitions into the global zone, and accessing the data?
>
> Preventing the global zone from accessing certain hardware components would
> "open a very large can of worms."

In terms of that sort of isolation, even hardware domain config (on
something like an E25K for example) has to be controlled by _someone_;
and said someone probably also has physical access to the hardware, which
trumps everything else.  I suppose you can have guarded datacenters and
complicated two-man rules for hardware or SC/Dom0/global zone root
access; short of that, keeping out the folks that control the overall config
is a pipe dream.

Filesystem encryption would help a little, but top-level privs plus advanced
tracing facilities could capture the data in unencrypted form,
since to process it, it has to be decrypted sometime.

Ultimately everything comes down to minutes required for someone
sufficiently capable and well-equipped to get away undetected (at least
in the short term) with accessing or modifying something they're not
supposed to.  That even applies to bank vaults.  It's just how much
you're willing to pay to protect data of value x from threat y; managed
risk (assuming a proper understanding of the factors and available methods
for dealing with them), nothing more.

Maybe a deity can provide absolute security in some metaphysical sense
(although evidence suggests that doesn't usually keep their supporters from
getting killed); nothing less than omni-everything is up to the job.

The point of that rant is that the _customer_ needs to be made to understand
that _nothing_ provides that absolute security, that _they_ should be
expected to pay for the level of security they want, and maybe that
it would probably be useful if there were a standard approximation of an
answer to their obvious question "how much more security does the next
more expensive approach actually get me?" (not neglecting that perhaps
spending more on background checks for your global zone admins,
rigorous procedures, configuration control, tripwire/ASET/auditing with
offsite logs, etc. might be a good idea too...)

Maybe there's even a legal angle; think of the warning labels on everything
including disposable lighters that basically say that if it's abused, bad things
can happen.  So you don't want to fail to warn the customer if their
expectations are grossly unreasonable.

Short of separate boxes not sharing SAN (i.e. something with _no_
single point of control), I'd say it's more fault isolation that goes up with
more expensive choices (zones, virtualization, logical domains, hardware
domains) than it is overall security isolation.
This message posted from opensolaris.org
zones-discuss mailing list