I found an interesting topic in the newly released Solaris Security Toolkit (v4.2).
Quote:
"Because of security risks, you should never access a non-global zone file system from outside that zone. A path that is not dangerous in a non-global zone can be dangerous in the global zone. For example, a non-global zone administrator can link the /etc/shadow file to the ../../../shadow file. Inside the non-global zone, this is harmless, but modifications to the file from the global zone, using the path /opt/testzone/etc/shadow, would edit the global zone's /etc/passwd file. Again, a non-global zone should never be hardened, undone, cleaned, or even audited unless you are logged into that zone."
Now this is VERY interesting. If I understand this correctly, I should never (!) access files in the /zone/myzone/root directory when inside the global zone!
One example is copying files:
# cp /var/tmp/tmp-file /zone/myzone/var/tmp
Instead I would use Brendan Gregg's zcp script:
http://users.tpg.com.au/adsln4yb/Zones/zcp
This is a major disadvantage, because I really thought it was a great way of doing things without the zone being able to know about it.
A couple of things that I find useful:
1. Backups.
Back up all the zones from the global zone without having to install a backup client or putting backup scripts in each local zone.
2. Hardening/Auditing with SST
Only use SST in the global zone, harden and audit all file changes from a central location, without having to install SST in all zones.
3. BART
Monitor file changes in zones without the zone knowing about it. Keep the fingerprints for all zones in the global zone and only run it from a centralized point. One GREAT example is monitoring web content for unauthorized changes. If a change is found, overwrite the content by copying a clean content tree to the web zone.
Did I understand this correctly?
/Magnus
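The hazard in the quoted SST passage, and the check a global-zone copy like the `cp` above would have to make, as an added example: this is not code from the original post, from the Solaris Security Toolkit or from the zcp script. It builds a throwaway directory tree that stands in for /opt/testzone (constructed here with mktemp; no real zones or zone paths are touched), in which the non-global zone administrator has planted the ../../../shadow link from the quote plus a directory-level variant, and then runs the naive copy and a checked one against it. The function names (`zone_target`, `checked_cp`, `build_zone`) and the stand-in file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post, from SST or from zcp.
# Reproduces the symlink hazard from the quoted SST text in a constructed,
# throwaway directory tree and shows the check a global-zone copy needs
# before writing under a zone root.

# zone_target ZONEROOT RELPATH
# Prints the physical path of ZONEROOT/RELPATH, or fails (exit 1) when a
# directory component resolves outside ZONEROOT or the final component is a
# symlink. Every symlink under the zone root belongs to the non-global zone
# admin, so following one lets them pick which global-zone file is written.
zone_target() {
    zt_root=$(cd -P "$1" 2>/dev/null && pwd -P) || return 1
    zt_rel=${2#/}                                  # paths are zone-relative
    zt_pdir=$(cd -P "$zt_root/$(dirname "$zt_rel")" 2>/dev/null && pwd -P) || return 1
    case "$zt_pdir" in
        "$zt_root"|"$zt_root"/*) ;;                # parent dir still inside the zone
        *) return 1 ;;                             # a directory symlink escaped it
    esac
    zt_base=$(basename "$zt_rel")
    [ -L "$zt_pdir/$zt_base" ] && return 1         # final component is a link: refuse
    printf '%s/%s\n' "$zt_pdir" "$zt_base"
}

# checked_cp SRC ZONEROOT RELPATH: copy only if zone_target accepts the path.
checked_cp() {
    cc_dest=$(zone_target "$2" "$3") || return 1
    cp "$1" "$cc_dest"
}

# build_zone: constructed stand-in for /opt/testzone with hostile links planted
# by the zone admin. Prints the top dir; $top/shadow plays the global /etc/shadow.
build_zone() {
    bz_top=$(mktemp -d) || return 1
    bz_root="$bz_top/opt/testzone"
    mkdir -p "$bz_root/etc" "$bz_root/var/log" "$bz_top/stage"
    printf 'global-shadow\n' > "$bz_top/shadow"
    printf 'zone-supplied\n' > "$bz_top/stage/tmp-file"
    ln -s ../../../shadow "$bz_root/etc/shadow"   # the link from the SST quote
    ln -s ../../.. "$bz_root/var/tmp"             # directory variant: /var/tmp -> global /
    printf '%s\n' "$bz_top"
}

# naive_result: the plain cp from the post, aimed at the planted tree.
# Prints "global-overwritten" when the copy followed the link out of the zone.
naive_result() {
    nr_top=$(build_zone) || return 1
    cp "$nr_top/stage/tmp-file" "$nr_top/opt/testzone/etc/shadow"
    if [ "$(cat "$nr_top/shadow")" = zone-supplied ]; then
        printf 'global-overwritten\n'
    else
        printf 'contained\n'
    fi
    rm -rf "$nr_top"
}

# checked_result: the same two writes through checked_cp plus a benign one.
# Prints "refused refused copied yes" when both escapes are blocked, the
# in-zone copy lands, and the stand-in global files are untouched.
checked_result() {
    cr_top=$(build_zone) || return 1
    cr_root="$cr_top/opt/testzone"
    r1=copied; checked_cp "$cr_top/stage/tmp-file" "$cr_root" /etc/shadow       || r1=refused
    r2=copied; checked_cp "$cr_top/stage/tmp-file" "$cr_root" /var/tmp/tmp-file || r2=refused
    r3=copied; checked_cp "$cr_top/stage/tmp-file" "$cr_root" /var/log/tmp-file || r3=refused
    if [ "$(cat "$cr_top/shadow")" = global-shadow ] && [ ! -e "$cr_top/tmp-file" ] \
        && [ -f "$cr_root/var/log/tmp-file" ]; then intact=yes; else intact=no; fi
    printf '%s %s %s %s\n' "$r1" "$r2" "$r3" "$intact"
    rm -rf "$cr_top"
}

printf 'naive cp:   %s\nchecked cp: %s\n' "$(naive_result)" "$(checked_result)"
```

The check closes the case the SST text describes, but it is not race-free: while the zone is running, its administrator can replace a directory with a symlink between `zone_target` and the `cp`, so a copy from the global zone into a live zone remains a write into an attacker-controlled tree. That is the reason behind the SST wording that the work should be done from inside the zone.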