I'm not sure what I'm seeing is by design or by misconfiguration. I created a
filesystem "tank/zones" to hold some zones, then created a specific zone
filesystem "tank/zones/basezone". Then built a zone, setting
If I zlogin to basezone, and do zfs list, it shows the ancestors to basezone
This in itself is not ideal - if a zone becomes compromised then it's revealing
something about the underlying pool and filesystems. I can live with it.
However, if I become root in the zone then the ancestor filesystem is
*writable*. I can write a file in /tank/zones! So if I delegate root access to
a zone to someone, all of a sudden they can write to the entire pool?
Am I doing something wrong? Any and all suggestions welcome!
This message posted from opensolaris.org
zones-discuss mailing list