
| Subject: | Accessing Solaris 10 Local Zones from the Global Zone, security risk |
|---|---|
| Date: | 31 Jul 2005 16:39:30 -0000 |
I found an interesting topic in the newly released Solaris Security Toolkit (v4.2). Quote:

"Because of security risks, you should never access a non-global zone file system from outside that zone. A path that is not dangerous in a non-global zone can be dangerous in the global zone. For example, a non-global zone administrator can link the /etc/shadow file to the ../../../shadow file. Inside the non-global zone, this is harmless, but modifications to the file from the global zone, using the path /opt/testzone/etc/shadow, would edit the global zone's /etc/passwd file. Again, a non-global zone should never be hardened, undone, cleaned, or even audited unless you are logged into that zone."

Now this is VERY interesting. If I understand this correctly, I should never (!) access files in the /zone/myzone/root directory when inside the global zone!

One example is copying files:

    # cp /var/tmp/tmp-file /zone/myzone/var/tmp

Instead I would use Brendan Gregg's zcp script: http://users.tpg.com.au/adsln4yb/Zones/zcp

This is a major disadvantage because I really thought it was a great way of doing things without the zone's ability to know about it. A couple of things that I find useful:

1. Backups. Back up all the zones from the global zone without having to install a backup client or put backup scripts in each local zone.

2. Hardening/Auditing with SST. Only use SST in the global zone, harden and audit all file changes from a central location, without having to install SST in all zones.

3. BART. Monitor file changes in zones without the zone knowing about it. Keep the fingerprints for all zones in the global zone and only run it from a centralized point. One GREAT example is monitoring web content for unauthorized changes. If a change is found, overwrite the content by copying a clean content tree to the web zone.

Did I understand this correctly?

/Magnus
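The symlink escape the SST documentation describes, reproduced and then guarded against, as an added example that is not part of the original post and is not Brendan Gregg's zcp script. The zone root, the planted symlink and the file standing in for the global zone's /etc/shadow are all constructed inside a temporary directory; the function names resolve_in_zone and safe_copy_into_zone are this example's own.

```python
import os
import shutil
import tempfile


def resolve_in_zone(zone_root, rel_path):
    """Resolve rel_path the way the global zone kernel would (following every
    symlink) and verify the final target is still underneath zone_root.
    Raises ValueError if a link inside the zone points outside it."""
    root = os.path.realpath(zone_root)
    target = os.path.realpath(os.path.join(root, rel_path.lstrip("/")))
    # commonpath is the containment check: it must come back as the zone root itself
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"{rel_path!r} resolves outside {root}: {target}")
    return target


def safe_copy_into_zone(src, zone_root, rel_dest):
    """Copy src into the zone only after confirming the destination does not
    escape the zone root via a symlink (the cp-from-the-global-zone case)."""
    dest = resolve_in_zone(zone_root, rel_dest)
    shutil.copy2(src, dest)
    return dest


def demo():
    """Build a throwaway zone layout, plant the ../../../shadow link the SST
    text warns about, and show the naive path escaping while the guarded
    copy is rejected. Returns a dict of outcomes so they can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        # constructed layout: <tmp>/opt/testzone is the non-global zone's root
        zone_root = os.path.join(tmp, "opt", "testzone")
        os.makedirs(os.path.join(zone_root, "etc"))
        os.makedirs(os.path.join(zone_root, "var", "tmp"))

        # constructed stand-in for a file belonging to the global zone
        outside = os.path.join(tmp, "shadow")
        with open(outside, "w") as f:
            f.write("global-zone-data\n")

        # the link a zone administrator can create: harmless inside the zone,
        # but from <tmp>/opt/testzone/etc it climbs three levels to <tmp>/shadow
        os.symlink("../../../shadow", os.path.join(zone_root, "etc", "shadow"))

        naive = os.path.join(zone_root, "etc", "shadow")
        results = {
            "naive_target": os.path.realpath(naive),
            "escapes_zone": os.path.realpath(naive) == os.path.realpath(outside),
            "rejected": False,
        }
        # the guarded resolver refuses the same path
        try:
            resolve_in_zone(zone_root, "etc/shadow")
        except ValueError:
            results["rejected"] = True

        # an ordinary destination without links is still accepted
        src = os.path.join(tmp, "tmp-file")
        with open(src, "w") as f:
            f.write("payload\n")
        dest = safe_copy_into_zone(src, zone_root, "var/tmp/tmp-file")
        root = os.path.realpath(zone_root)
        results["copied_inside"] = os.path.commonpath([root, dest]) == root
        with open(outside) as f:
            results["outside_untouched"] = f.read() == "global-zone-data\n"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check is not atomic with the write that follows it: a zone administrator who can replace a file with a link after the check and before the copy still wins the race, which is the reason the SST guidance is to do the work from inside the zone rather than to sanitise paths from the global zone.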