Miles Benson wrote:
I'm not sure what I'm seeing is by design or by misconfiguration. I created a filesystem
"tank/zones" to hold some zones, then created a specific zone filesystem
"tank/zones/basezone". Then built a zone, setting zonepath=/tank/zones/basezone.
If I zlogin to basezone, and do zfs list, it shows the ancestors to basezone
This in itself is not ideal - if a zone becomes compromised then it's revealing
something about the underlying pool and filesystems. I can live with it.
However, if I become root in the zone then the ancestor filesystem is
*writable*. I can write a file in /tank/zones! So if I delegate root access to
a zone to someone, all of a sudden they can write to the entire pool?
Am I doing something wrong? Any and all suggestions welcome!
So how do the higher datasets appear in the namespace of
the zone? That is, you're implying that somehow /tank/zones
is mounted inside the zone. Is that true? I can't reproduce
this on my opensolaris system running b123. Can you provide
more details on your zone configuration and what you did to
make /tank/zones visible inside the zone?
zones-discuss mailing list
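The reply above asks how the higher datasets show up in the zone's namespace. The following is an added example, not code from either poster: a small audit that reads the zone's /etc/mnttab (the Solaris mount table, tab-separated fields: special, mountpoint, fstype, options, time) and reports every zfs dataset mounted in the zone that is neither the zone's root dataset nor a dataset delegated to it (or a descendant of one). The sample mnttab, the zone name "basezone" and the dataset names in it are constructed for illustration and are assumptions, not output from the original poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): find zfs mounts visible inside a
# non-global zone that do not belong to the datasets the zone should see.

# Constructed sample of an in-zone /etc/mnttab; dataset names are assumptions.
# Field order is special<TAB>mountpoint<TAB>fstype<TAB>options<TAB>time.
sample_mnttab() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        'tank/zones/basezone'      '/'           'zfs'  'rw,devices,setuid,exec,xattr,atime' '1250000000' \
        'tank/zones'               '/tank/zones' 'zfs'  'rw,devices,setuid,exec,xattr,atime' '1250000001' \
        'tank/zones/basezone/data' '/data'       'zfs'  'rw,devices,setuid,exec,xattr,atime' '1250000002' \
        '/dev'                     '/dev'        'dev'  'dev=5340000'                        '1250000003' \
        'proc'                     '/proc'       'proc' 'dev=5000000'                        '1250000004'
}

# unexpected_zfs_mounts "DS1 DS2 ..." < mnttab
# The argument is the space-separated list of datasets the zone is entitled to:
# its root dataset plus every dataset delegated with "zonecfg ... add dataset".
# Prints "DATASET mounted at MOUNTPOINT" for each zfs mount whose dataset is not
# one of those and not a child of one (so an ancestor such as tank/zones is
# reported while tank/zones/basezone/data/db is accepted).
unexpected_zfs_mounts() {
    awk -F '\t' -v allowed="$1" '
        BEGIN { n = split(allowed, a, " ") }
        $3 != "zfs" { next }              # only zfs datasets are of interest
        {
            ok = 0
            for (i = 1; i <= n; i++) {
                # exact match, or a descendant (prefix followed by "/")
                if ($1 == a[i] || index($1, a[i] "/") == 1) { ok = 1; break }
            }
            if (!ok) print $1 " mounted at " $2
        }'
}

# Run against the constructed sample: only the zone root and one delegated
# dataset are expected, so the ancestor tank/zones is flagged.
sample_mnttab | unexpected_zfs_mounts "tank/zones/basezone tank/zones/basezone/data"
```

On a real system, run it inside the zone as `unexpected_zfs_mounts "ROOT DELEGATED..." < /etc/mnttab`, taking the delegated list from `zonecfg -z basezone info dataset` in the global zone. An empty report means every zfs mount the zone can see is one it was given; any line in the report is a dataset to investigate, starting with whether root in the zone can write to it.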