Note: This is an archival copy of Security Sun Alert 201291 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000973.1.
Solaris 10 Operating System
Date of Resolved Release
Local privileged users inside a non-global zone may be able to move or rename files which are part of a read-only mounted loopback file system (see lofs(7FS)). This filesystem may be shared with the global zone, which would result in the files being removed from the global zone also. This can result in a Denial of Service (DoS) to the non-global zone and the global zone.
This issue can occur in the following releases:
Note: Solaris 8 and Solaris 9 are not impacted by this issue.
This issue only impacts systems which have non-global zones configured with the read-only LOFS root filesystem using the root filesystem of the global zone as the underlying filesystem.
To determine if a system is configured with non-global zones utilizing read-only loopback filesystems the following commands can be run from the global zone:
1. Display the name of the current zones on the system:
$ zoneadm list -cv ID NAME STATUS PATH 0 global running / 2 localzone1 running /zones/localzone1 3 localzone2 running /export/localzone2
2. Search the mounted file system table file (mnttab(4)) for read-only and loopback entries for the path to the non-global zones (as listed under the "PATH" heading above):
$ egrep "(/zones/localzone1|/export/localzone2).*lofs.*ro" /lib - /zones/localzone1/root/lib lofs - no ro,nodevices,nosub /usr - /export/localzone2/root/usr lofs - no ro,nodevices,nosub
Any pathname which is found by the egrep(1) command is affected by this issue.
If this issue has been exploited, the user may notice files missing or moved out of the affected filesystem, either in the global zone or in the non-global zone. Services which depend on these files may no longer be available.
There is no workaround. Please see the "Resolution" section below.
This issue is addressed in the following releases:
This solution has no attachment