Miles Benson wrote:
Hi All,

I'm not sure what I'm seeing is by design or by misconfiguration.  I created a filesystem 
"tank/zones" to hold some zones, then created a specific zone filesystem 
"tank/zones/basezone".  Then built a zone, setting zonepath=/tank/zones/basezone.

If I zlogin to basezone, and do zfs list, it shows the ancestors to basezone

tank
tank/zones
tank/zones/basezone
tank/zones/basezone/ROOT
tank/zones/basezone/ROOT/zbe

This in itself is not ideal - if a zone become compromised then it's revealing 
something about the underlying pool and filesystems.  I can live with it.

However, if I become root in the zone then the ancestor filesystem is 
*writable*. I can write a file in /tank/zones!  So if I delegate root access to 
a zone to someone, all of a sudden they can write to the entire pool?

Am I doing something wrong?  Any and all suggestions welcome!

So how do the higher datasets appear in the namespace of
the zone?  That is, you're implying that somehow /tank/zones
is mounted inside the zone.  Is that true?  I can't reproduce
this on my opensolaris system running b123.  Can you provide
more details on your zone configuration and what you did to
make /tank/zones visible inside the zone.

Jerry
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org

Reply via email to