Bug #980

open

svc.configd should be less trusting of cross-zone callers

Added by Rich Lowe about 11 years ago. Updated almost 11 years ago.

Status: New
Priority: Normal
Assignee: -
Category: cmd - userland programs
Start date: 2011-05-01
Due date:
% Done: 0%
Estimated time:
Difficulty: Bite-size
Tags:
Gerrit CR:

Description

svc.configd will accept door calls from anyone with permission on the door, but its authentication scheme is based on the authorizations contained in the name service of the local zone. If the name service isn't synced, this will lead to confusion at best. At present, this is only a nit, but with Joyent's changes (#945/#947) it becomes much more obvious that a cross-zone call is something you can do, and we should probably fix it.

I propose that svc.configd should require that a caller have all privileges if it is coming from a zone other than that in which configd is running.

Due to this same basic issue with regard to the filesystem, by default only root may enter the zone root from the NGZ, so the GZ admin would have to put effort into getting themselves into this mess (giving at least file_dac_search and probably others to a GZ user), so I don't consider it pressing.
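
A sketch of the check proposed above, added here as an illustration; it is not svc.configd's code and not from the bug's author. The names `classify_caller` and `caller_class_t` are hypothetical, and the non-illumos branch holds constructed stand-ins for `ucred_getzoneid(3C)`, `ucred_getprivset(3C)`, `priv_isfullset(3C)` and `getzoneid(3C)` so the decision logic can be run elsewhere.

```c
/* Added example: the proposed cross-zone check for a door server. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#ifdef __sun                       /* illumos: real credential APIs */
#include <ucred.h>
#include <priv.h>
#include <zone.h>
#else                              /* constructed stand-ins, so the logic runs anywhere */
typedef int zoneid_t;
typedef struct { unsigned long bits; } priv_set_t;
typedef struct { zoneid_t zone; priv_set_t eff; } ucred_t;
#define PRIV_EFFECTIVE 0
#define ALL_PRIVS 0xffUL           /* constructed: stands for "every privilege" */
static zoneid_t getzoneid(void) { return 0; }   /* pretend we run in zone 0 */
static zoneid_t ucred_getzoneid(const ucred_t *u) { return u->zone; }
static const priv_set_t *ucred_getprivset(const ucred_t *u, int which)
{ (void)which; return &u->eff; }
static bool priv_isfullset(const priv_set_t *s) { return s->bits == ALL_PRIVS; }
#endif

typedef enum { CALLER_LOCAL, CALLER_FOREIGN_FULL, CALLER_REJECT } caller_class_t;

/* uc is the credential door_ucred(3C) returned for the current door call. */
static caller_class_t classify_caller(const ucred_t *uc)
{
    if (uc == NULL)
        return CALLER_REJECT;                 /* no credential: fail closed */
    zoneid_t zone = ucred_getzoneid(uc);
    if (zone == -1)
        return CALLER_REJECT;                 /* zone unavailable: fail closed */
    if (zone == getzoneid())
        return CALLER_LOCAL;                  /* usual authorization checks apply */
    const priv_set_t *eff = ucred_getprivset(uc, PRIV_EFFECTIVE);
    if (eff != NULL && priv_isfullset(eff))
        return CALLER_FOREIGN_FULL;           /* other zone, holds all privileges */
    return CALLER_REJECT;                     /* other zone: local auths do not apply */
}

#ifndef __sun
int main(void)
{
    ucred_t foreign_user = { 3, { 0x03UL } }; /* constructed sample caller */
    printf("%d\n", classify_caller(&foreign_user) == CALLER_REJECT);
    return 0;
}
#endif
```

Only a `CALLER_LOCAL` result would go on to the name-service authorization lookup; the other two outcomes never consult the local zone's authorizations.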
