thr3ads.net - zfs discuss - [zfs-discuss] Ancestor filesystems writable by zone admin

If this information is useful, please help other people find it:
Share via:

Miles Benson

2009-Sep-27 10:55 UTC

[zfs-discuss] Ancestor filesystems writable by zone admin - by design?

Hi All,

I''m not sure what I''m seeing is by design or by
misconfiguration.  I created a filesystem "tank/zones" to hold some
zones, then created a specific zone filesystem "tank/zones/basezone". 
Then built a zone, setting zonepath=/tank/zones/basezone.

If I zlogin to basezone, and do zfs list, it shows the ancestors to basezone

tank
tank/zones
tank/zones/basezone
tank/zones/basezone/ROOT
tank/zones/basezone/ROOT/zbe

This in itself is not ideal - if a zone become compromised then it''s
revealing something about the underlying pool and filesystems.  I can live with
it.

However, if I become root in the zone then the ancestor filesystem is
*writable*. I can write a file in /tank/zones!  So if I delegate root access to
a zone to someone, all of a sudden they can write to the entire pool?

Am I doing something wrong?  Any and all suggestions welcome!

Thanks
Miles
-- 
This message posted from opensolaris.org

zfs discuss - Sep 2009 - Ancestor filesystems writable by zone admin - by design?

[zfs-discuss] Ancestor filesystems writable by zone admin - by design?