[OpenAFS] OpenAFS and Solaris 10 Zones

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 04 May 2005 18:16:47 -0400

On Wednesday, May 04, 2005 13:16:30 -0500 "Douglas E. Engert" 
<deengert@anl.gov> wrote:

> What are the interactrions between the Solaris 10 Zones, and
> AFS cache and PAGs. Is there any chance that if the root user in
> one zone requests a PAG or sets the groups just right, they could
> somehow manage to look like they are a member of a PAG from
> another zone?

Yes.  OpenAFS is not aware of zones at all, so the PAG namespace ends up 
being global rather than per-zone.  So not only can root from one zone 
steal a PAG from another, but PAG-less users in different zones but with 
the same uid will share tokens.

-- Jeff