[OpenAFS] OpenAFS and Solaris 10 Zones
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 04 May 2005 18:16:47 -0400
On Wednesday, May 04, 2005 13:16:30 -0500 "Douglas E. Engert"
<deengert@anl.gov> wrote:
>
> What are the interactions between the Solaris 10 Zones, and
> AFS cache and PAGs? Is there any chance that if the root user in
> one zone requests a PAG or sets the groups just right, they could
> somehow manage to look like they are a member of a PAG from
> another zone?
Yes. OpenAFS is not aware of zones at all, so the PAG namespace ends up
being global rather than per-zone. So not only can root from one zone
steal a PAG from another, but PAG-less users in different zones but with
the same uid will share tokens.
-- Jeff