Wednesday, May 16, 2007

Zone Install Path and Permissions

I've recently created a zone for Apache and MySQL on a colleague's workstation. The colleague works from the global zone, as it is his workstation, and I figured zones would be an excellent way of isolating his development environment from his workspace. He generally uses editors such as Bluefish and so forth to edit the .php files in the zone's htdocs directory, which in this case is something like /export/zones/web-zone2/root/opt/coolstack/apache2/htdocs. He wanted the ability to save files to the htdocs directory from the global zone. Given the nature of zones, and the necessary security precaution that the zone install path should be chmod'd 700 or else the zone won't verify or boot, I had to come up with a way to boot the zone and still give him the ability to save directly to the htdocs directory in the zone without manually chmod'ing back and forth.

I figured zoneadm or the other zone tools probably don't check for ACLs, just UNIX-style permissions, so I decided to give this a try:

# chmod A+user:dlapoint:execute:allow /export/zones/web-zone2
# chmod A+user:dlapoint:list_directory:allow /export/zones/web-zone2

It's nasty; however, it does work, and now he's able to read and write files to that htdocs directory without having zoneadm -z verify or zoneadm -z boot gripe about the permissions on the zone install dir being 'insecure'. There are some other ways I could've gone about this, such as sharing the htdocs from the global zone with web-zone1, but I felt that didn't provide the level of isolation that was desired.
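Since the mode bits alone no longer tell the whole story once ACEs like these are in place, here is an added example (not part of the original post) of a check that reads `ls -dv` output for a zone install path and reports every allow entry that lets someone other than the owner into the directory. The sample listing is constructed, the ACE layout is assumed to be the one `ls -v` prints on a ZFS dataset, and the function names are hypothetical.

```python
import re

# Constructed sample: `ls -dv` output for a mode-700 zonepath carrying the
# two ACEs added in the post (ACE layout is an assumption, see lead-in).
SAMPLE_LS_DV = """\
drwx------+  5 root     root           5 May 16 10:12 /export/zones/web-zone2
     0:user:dlapoint:list_directory/read_data:allow
     1:user:dlapoint:execute:allow
     2:owner@::deny
     3:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     4:group@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/execute:deny
     5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
"""

# Permissions that let a principal enter, list or modify the directory.
ACCESS_PERMS = {"list_directory", "read_data", "add_file", "write_data",
                "add_subdirectory", "append_data", "execute", "delete_child"}
SPECIAL = ("owner@", "group@", "everyone@")  # one-field principals


def parse_aces(ls_dv_output):
    """Return (principal, perms, type) tuples, rejoining wrapped ACE lines."""
    entries = []
    for line in ls_dv_output.splitlines()[1:]:   # first line is the ls -d row
        if re.match(r"\s*\d+:", line):
            entries.append(line.strip().split(":", 1)[1])
        elif entries and line.strip():
            entries[-1] += line.strip()          # continuation of a wrapped ACE
    aces = []
    for entry in entries:
        fields = entry.split(":")
        n = 1 if fields[0] in SPECIAL else 2     # user:name / group:name take two
        perms = set(filter(None, fields[n].split("/")))
        aces.append((":".join(fields[:n]), perms, fields[-1]))
    return aces


def widening_aces(ls_dv_output):
    """Allow ACEs that give anyone but owner@ access to the directory."""
    return [(who, sorted(perms & ACCESS_PERMS))
            for who, perms, kind in parse_aces(ls_dv_output)
            if kind == "allow" and who != "owner@" and perms & ACCESS_PERMS]


if __name__ == "__main__":
    for who, perms in widening_aces(SAMPLE_LS_DV):
        print(f"zonepath ACL grants {who}: {'/'.join(perms)}")
```

Run against the real output of `ls -dv` for each zone install path, an empty result means the 700 mode is the whole picture.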

