On 27 Sept. 09 at 12:55, Miles Benson wrote:

Hi All,

I'm not sure what I'm seeing is by design or by misconfiguration. I created a filesystem "tank/zones" to hold some zones, then created a specific zone filesystem "tank/zones/basezone". Then built a zone, setting zonepath=/tank/zones/basezone.

If I zlogin to basezone, and do zfs list, it shows the ancestors to basezone

tank
tank/zones
tank/zones/basezone
tank/zones/basezone/ROOT
tank/zones/basezone/ROOT/zbe

This in itself is not ideal - if a zone becomes compromised then it's revealing something about the underlying pool and filesystems. I can live with it.

However, if I become root in the zone then the ancestor filesystem is *writable*. I can write a file in /tank/zones! So if I delegate root access to a zone to someone, all of a sudden they can write to the entire pool?

Am I doing something wrong? Any and all suggestions welcome!

        AFAIK, you shouldn't see all these in your zone.

        Are you in S10 or on OS?

        Did you delegate any dataset or set the "zoned" flag on ZFS?

        Nicolas
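As an added example (not part of this thread, and not anything either poster ran), here is a small POSIX sh audit of the two things Nicolas asks about: which datasets the zone configuration delegates, and whether each of them carries the ZFS "zoned" property. The dataset listings are constructed inline so the script runs offline; on a real system the two inputs would come from `zfs get -H -o name,value zoned -r tank/zones` in the global zone and from `zonecfg -z basezone info dataset`. The dataset names and property values in the samples are assumptions chosen to mirror the thread's layout.

```shell
#!/bin/sh
# Added example: flag datasets delegated to a zone whose "zoned" property is
# not "on". A delegated dataset without zoned=on is exactly the situation to
# check for when a zone can see or write to ancestor filesystems.

# Constructed sample of: zfs get -H -o name,value zoned -r tank/zones
# (name and value separated by whitespace, one dataset per line)
SAMPLE_ZONED='tank/zones off
tank/zones/basezone off
tank/zones/basezone/ROOT off
tank/zones/basezone/ROOT/zbe off
tank/zones/basezone/data on'

# Constructed sample of the dataset names from: zonecfg -z basezone info dataset
# (one dataset per line; assumed layout, not taken from the thread)
SAMPLE_DELEGATED='tank/zones/basezone/data
tank/zones/basezone'

# audit_zoned DELEGATED_LIST ZONED_LIST
# Prints one line per delegated dataset whose zoned property is not "on",
# or which does not appear in the zfs listing at all.
# Returns 0 if every delegated dataset is zoned=on, 1 otherwise.
audit_zoned() {
    delegated=$1
    zoned=$2
    rc=0
    for ds in $delegated; do
        # look up the zoned value for this exact dataset name
        val=$(printf '%s\n' "$zoned" | awk -v ds="$ds" '$1 == ds { print $2 }')
        case $val in
            on) ;;
            "") printf 'MISSING %s (not in zfs listing)\n' "$ds"; rc=1 ;;
            *)  printf 'UNZONED %s zoned=%s\n' "$ds" "$val"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone run against the constructed samples.
audit_zoned "$SAMPLE_DELEGATED" "$SAMPLE_ZONED" \
    || echo "audit: at least one delegated dataset is not zoned=on"
```

Run in the global zone, the delegated-dataset list is the authoritative input: a dataset that is delegated but reports zoned=off (or that is not reachable by `zfs get` from the global zone at all) is the one to examine first.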
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
