GZ# zonecfg -z timelord
zonecfg:timelord> add capped-memory
zonecfg:timelord:capped-memory> set physical=100m
zonecfg:timelord:capped-memory> set swap=100m
zonecfg:timelord:capped-memory> set locked=20m
zonecfg:timelord:capped-memory> end
zonecfg:timelord> add capped-cpu
zonecfg:timelord:capped-cpu> set ncpus=0.1
zonecfg:timelord:capped-cpu> end
zonecfg:timelord> set max-lwps=200
zonecfg:timelord> exit
Now that we have “shrink-wrapped” the security boundary even more tightly
than the default, we're ready to use this Container.
GZ# zoneadm -z timelord boot
GZ# zlogin timelord
timelord# ntpdate -u 0.pool.ntp.org 1.pool.ntp.org
16 May 14:40:35 ntpdate[25070]: adjust time server offset -0.394755 sec
The output of ntpdate shows that it was able to contact an NTP server and
adjust this system's time clock by almost 0.4 second.
Experience with privileges can allow you to further tighten the security boundary.
For example, if you want to prevent the Container from changing its own host
name, you could remove the sys_admin privilege from the Container's limit set.
After removing the privilege and rebooting the Container, you can demonstrate
the effect:
timelord# hostname spacelord
hostname: error in setting name: Not owner
We can easily prove that the failure was caused by the missing privilege:
timelord# ppriv -e -D hostname spacelord
hostname[4231]: missing privilege "sys_admin" (euid = 0, syscall = 139) needed at systeminfo+0x139
hostname: error in setting name: Not owner
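The following is an added example, not code from the book: a shell helper that groups "missing privilege" lines in the format ppriv -e -D prints above, so repeated denials inside a Container can be summarized by command and privilege. The function names and the ntpdate sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: group "missing privilege" lines from `ppriv -e -D` output.

# Constructed sample. The first two lines are the output quoted in the text;
# the ntpdate lines (PID, syscall number, offset) are made up for illustration.
sample_ppriv_output() {
cat <<'EOF'
hostname[4231]: missing privilege "sys_admin" (euid = 0, syscall = 139) needed at systeminfo+0x139
hostname: error in setting name: Not owner
ntpdate[4302]: missing privilege "sys_time" (euid = 0, syscall = 138) needed at adjtime+0x2c
ntpdate[4302]: missing privilege "sys_time" (euid = 0, syscall = 138) needed at adjtime+0x2c
EOF
}

# Reads debug output on stdin and prints one line per distinct denial:
#   <count> <command> <privilege> euid=<n> syscall=<n>
# Lines that are not privilege denials (such as "Not owner") are ignored.
missing_privs() {
    awk '
    /: missing privilege "/ {
        cmd = $1
        sub(/\[[0-9]+\]:$/, "", cmd)      # "hostname[4231]:" -> "hostname"
        split($0, q, "\"")                # q[2] is the quoted privilege name
        euid = "?"; sc = "?"
        if (match($0, /euid = [0-9]+/))
            euid = substr($0, RSTART + 7, RLENGTH - 7)
        if (match($0, /syscall = [0-9]+/))
            sc = substr($0, RSTART + 10, RLENGTH - 10)
        count[cmd " " q[2] " euid=" euid " syscall=" sc]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Succeeds if the named command, running as root (euid=0), was refused
# at least once for a missing privilege.
root_denied() {
    missing_privs | grep -q " $1 .* euid=0 "
}

sample_ppriv_output | missing_privs
```

A denial logged with euid = 0 confirms that root inside the Container was refused by a privilege check, which the bare "Not owner" message alone does not distinguish from an ordinary permission error.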
8.7.4 Security Analysis
Many attacks on computers require the ability to take advantage of a security
weakness in software that listens to the network. The ability to turn off all such
 
 