Bug #1612: ? security problem with zones - illumos gate - illumos

Actions

Copy link

Bug #1612

closed

? security problem with zones

Added by Richard PALO over 10 years ago. Updated about 10 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

Start date:

2011-10-08

Due date:

% Done:

Estimated time:

Difficulty:

Medium

Tags:

Gerrit CR:

Description

Hi, I'm running oi_151a based on Illumos...
Having created a zfs data set /zones and having chmod 700 /zones

richard@x3200:~# ls -lapd /zones
drwx------   3 root     root           3 oct.  7 14:22 /zones/

normally, only root has access.

I created a dev-zone

richard@x3200:~# zonecfg -z dev-zone info
zonename: dev-zone
zonepath: /zones/dev-zone
brand: ipkg
autoboot: true
bootargs: 
pool: 
limitpriv: 
scheduling-class: 
ip-type: exclusive
hostid: 
fs-allowed: 
net:
    address non spécifié
    allowed-address non spécifié
    physical: vnic0
    defrouter non spécifié

installed it and all, and seems fine.

richard@x3200:~# zoneadm list -v
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              ipkg     shared
   1 dev-zone         running    /zones/dev-zone                ipkg     excl

Invoking 'df' unprivileged I can see paths deeper than /zones

richard@x3200:~$ df
Filesystem           1K-blocks      Used Available Use% Mounted on
rpool/ROOT/oi_151a    20765214   8315315  12449899  41% /
swap                   4897856       488   4897368   1% /etc/svc/volatile
/usr/lib/libc/libc_hwcap2.so.1
                      20765214   8315315  12449899  41% /lib/libc.so.1
swap                   4897412        44   4897368   1% /tmp
swap                   4897480       112   4897368   1% /var/run
rpool/export          12449932        33  12449899   1% /export
rpool/export/dossiers
                      12449940        41  12449899   1% /export/dossiers
rpool/export/home     12449931        32  12449899   1% /export/home
rpool/export/home/richard
                      25460853  13010954  12449899  52% /export/home/richard
rpool                 12449944        45  12449899   1% /rpool
rpool/zones           12449931        32  12449899   1% /zones
df: `/zones/dev-zone': Permission refusée
df: `/zones/dev-zone/root': Permission refusée
df: `/zones/dev-zone/root/dev': Permission refusée
df: `/zones/dev-zone/root/proc': Permission refusée
df: `/zones/dev-zone/root/system/contract': Permission refusée
df: `/zones/dev-zone/root/etc/mnttab': Permission refusée
df: `/zones/dev-zone/root/system/object': Permission refusée
df: `/zones/dev-zone/root/etc/svc/volatile': Permission refusée
df: `/zones/dev-zone/root/lib/libc.so.1': Permission refusée
df: `/zones/dev-zone/root/dev/fd': Permission refusée
df: `/zones/dev-zone/root/tmp': Permission refusée
df: `/zones/dev-zone/root/var/run': Permission refusée
/export/home/richard  25460853  13010954  12449899  52% /home/richard

Wouldn't this be considered a breach of security?

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

illumos gate

Custom queries

Bug #1612

? security problem with zones

Updated by Yuri Pankov over 10 years ago

Updated by Rich Lowe over 10 years ago

Updated by Milan Jurik about 10 years ago