Accessing Solaris 10 Local Zones from the Global Zone, security risk

I found an interesting topic in the newly released Solaris Security Toolkit (v4.2).

Quote: "Because of security risks, you should never access a non-global zone file system from outside that zone. A path that is not dangerous in a non-global zone can be dangerous in the global zone. For example, a non-global zone administrator can link the /etc/shadow file to the ../../../shadow file. Inside the non-global zone, this is harmless, but modifications to the file from the global zone, using the path /opt/testzone/etc/shadow, would edit the global zone's /etc/passwd file. Again, a non-global zone should never be hardened, undone, cleaned, or even audited unless you are logged into that zone."

Now this is VERY interesting. If I understand this correctly, I should never (!) access files in the /zone/myzone/root directory when inside the global zone!

One example is copying files:

    # cp /var/tmp/tmp-file /zone/myzone/var/tmp

Instead I would use Brendan Gregg's zcp script: http://users.tpg.com.au/adsln4yb/Zones/zcp

This is a major disadvantage because I really thought it was a great way of doing things without the zone's ability to know about it.

A couple of things that I find useful:

1. Backups. Back up all the zones from the global zone without having to install a backup client or putting backup scripts in each local zone.
2. Hardening/Auditing with SST. Only use SST in the global zone, harden and audit all file changes from a central location, without having to install SST in all zones.
3. BART. Monitor file changes in zones without the zone knowing about it. Keep the fingerprints for all zones in the global zone and only run it from a centralized point. One GREAT example is monitoring web content for unauthorized changes. If a change is found, overwrite the content by copying a clean content tree to the web zone.

Did I understand this correctly?

/Magnus
Re: Accessing Solaris 10 Local Zones from the Global Zone, security risk

On Sun, 31 Jul 2005 magnus@... wrote:

> I found an interesting topic in the newly released Solaris Security Toolkit (v4.2).
>
> Quote: "Because of security risks, you should never access a
> non-global zone file system from outside that zone. A path that is
> not dangerous in a non-global zone can be dangerous in the global
> zone. For example, a non-global zone administrator can link the
> /etc/shadow file to the ../../../shadow file. Inside the non-global
> zone, this is harmless, but modifications to the file from the
> global zone, using the path /opt/testzone/etc/shadow, would edit the
> global zone's /etc/passwd file. Again, a non-global zone should
> never be hardened, undone, cleaned, or even audited unless you are
> logged into that zone."
>
> Now this is VERY interesting. If I understand this correctly, I
> should never (!) access files in the /zone/myzone/root directory
> when inside the global zone! Did I understand this correctly?

I think this is an overreaction. There are a lot of things which, when done in an improper (even if common) way, can lead to problems. For example,

    find ... -mtime ... | xargs rm

can lead, e.g., to deletion of some other files if find finds something with a space (e.g., a file named "My files"). This does not mean that we should ban find, or xargs, or spaces in filenames.

So yes, some attacks are possible, but it does not mean that you should always go inside the zone -- just be cautious (e.g., check if a file is in fact a soft link before editing it, or configure your editor to warn you about it).

--
Regards,
ASK
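Added example, not part of either post: the soft-link check suggested in the reply, done with O_NOFOLLOW on every path component so that the check and the open are a single step. The names open_in_zone, UnsafePath and demo, and the temporary directory tree standing in for a global zone with one local zone, are constructed for illustration.

```python
import errno
import os
import tempfile

_REFUSED = {errno.ELOOP, errno.ENOTDIR, errno.EMLINK}  # O_NOFOLLOW errno differs by OS

class UnsafePath(Exception):
    """A component below the zone root is a symlink, or the path tries to climb out."""

def open_in_zone(zone_root, rel_path, flags=os.O_RDONLY):
    """Open rel_path below zone_root, following no symlink that lives inside the zone."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafePath(f"bad zone-relative path: {rel_path!r}")
    dir_fd = os.open(zone_root, os.O_RDONLY | os.O_DIRECTORY)  # trusted: set by the global admin
    try:
        for i, name in enumerate(parts):
            want = flags if i == len(parts) - 1 else os.O_RDONLY | os.O_DIRECTORY
            try:  # resolve one component at a time, relative to the directory just opened
                fd = os.open(name, want | os.O_NOFOLLOW, dir_fd=dir_fd)
            except OSError as exc:
                if exc.errno not in _REFUSED:
                    raise
                raise UnsafePath(f"{name!r} in {rel_path!r} is a symlink or not a directory") from exc
            if i == len(parts) - 1:
                return fd
            os.close(dir_fd)
            dir_fd = fd
    finally:
        os.close(dir_fd)

def demo():
    """Constructed tree: a stand-in global root holding one zone with two planted links."""
    top = tempfile.mkdtemp()
    zone_root = os.path.join(top, "zone", "root")
    for path in (os.path.join(top, "etc", "passwd"), os.path.join(zone_root, "etc", "hosts")):
        os.makedirs(os.path.dirname(path))
        open(path, "w").close()
    os.symlink("../../../etc/passwd", os.path.join(zone_root, "etc", "shadow"))  # file link
    os.symlink("../..", os.path.join(zone_root, "var"))  # directory link out of the zone
    def attempt(rel):
        try:
            os.close(open_in_zone(zone_root, rel, os.O_WRONLY))
            return "opened"
        except UnsafePath:
            return "refused"
    return {rel: attempt(rel) for rel in ("etc/hosts", "etc/shadow", "var/etc/passwd")}

if __name__ == "__main__":
    print(demo())
```

A separate link test followed by an open leaves a window in which the zone administrator can swap the file for a link; opening each component with O_NOFOLLOW closes that window.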