Category
Security
Release Phase
Resolved
ProductSolaris 10 Operating System
Bug Id
6366432
Date of Resolved Release01-FEB-2007
Impact
Local privileged users inside a non-global zone may be able to move or rename files which are part of a read-only mounted loopback file system (see lofs(7FS)). This filesystem may be shared with the global zone, which would result in the files being removed from the global zone also. This can result in a Denial of Service (DoS) to the non-global zone and the global zone.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 10 without patch 118833-28
x86 Platform
- Solaris 10 without patch 118855-28
Note: Solaris 8 and Solaris 9 are not impacted by this issue.
This issue only impacts systems which have non-global zones configured with the read-only LOFS root filesystem using the root filesystem of the global zone as the underlying filesystem.
To determine if a system is configured with non-global zones utilizing read-only loopback filesystems the following commands can be run from the global zone:
1. Display the name of the current zones on the system:
$ zoneadm list -cv
ID NAME STATUS PATH
0 global running /
2 localzone1 running /zones/localzone1
3 localzone2 running /export/localzone2
2. Search the mounted file system table file (mnttab(4)) for read-only and loopback entries for the path to the non-global zones (as listed under the "PATH" heading above):
$ egrep "(/zones/localzone1|/export/localzone2).*lofs.*ro"
/lib - /zones/localzone1/root/lib lofs - no ro,nodevices,nosub
/usr - /export/localzone2/root/usr lofs - no ro,nodevices,nosub
Any pathname which is found by the egrep(1) command is affected by this issue.
Symptoms
If this issue has been exploited, the user may notice files missing or moved out of the affected filesystem, either in the global zone or in the non-global zone. Services which depend on these files may no longer be available.
Workaround
There is no workaround. Please see the "Resolution" section below.
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 10 with patch 118833-28 or later
x86 Platform
- Solaris 10 with patch 118855-28 or later
References
118855-28
118833-36
AttachmentsThis solution has no attachment