VMware Communities
jrlaughlin
Contributor

Problems mounting an NFS directory on the host from a Solaris 10TX VM

Hi all,

I am running VMware Fusion 2.0.5 on Mac OS X 10.5.7.

I have a VM running Solaris 10 with Trusted Extensions in VMware Fusion.

What I am trying to do is to create an NFS mount on my VM to a directory on my Mac.

I have set up the NFS server and verified that I can mount it from another Mac on the same network.

I have set up a Host Only NIC on the VM, and I am able to mount the NFS from the VM, but it will only let me do it read-only.

The vmnet1 gateway IP is 172.16.242.1.

# ls /macnfs

# mount -f nfs 172.16.242.1:/nfs /macnfs

mount: 172.16.242.1:/nfs on /macnfs - WARNING ignoring option "rw"

# ls /macnfs

text.txt

Is there something that I'm missing?

8 Replies
Mikero
Community Manager

Some quick googling of 'WARNING ignoring option "rw"':

http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6596123

Looks like it is an issue with NFSv4 and OpenSolaris 10, but the report was submitted back in 2007.

Maybe try a more recent version of OpenSolaris? Hopefully it's been resolved, but I don't have it installed to test at the moment.

-
Michael Roy - Product Marketing Engineer: VCF
jrlaughlin
Contributor

Thanks for taking a look.

Yeah, I saw that too. And although it is the same error message, I'm not using OpenSolaris, and he is reporting a bug whereby he can subvert security by doing an NFS mount.

My issue is that I am trying to mount a drive on my host OS (Mac OS X 10.5.7) from a Solaris VM (not OpenSolaris) on the same machine.

Mikero
Community Manager

I'm going to take a bit of time and see if I can reproduce that for you this weekend... Sorry I haven't had the time just yet, but I'll take a longer look and report my findings for you.

-
Michael Roy - Product Marketing Engineer: VCF
jrlaughlin
Contributor

Thanks.

Some more info, I tried adding the -o vers=3 to the mount command on Solaris and I don't get the warning message anymore, but it is still read only. When I try to touch a new file it says "cannot create".

I can mount it from another Mac on the same network, and it is read/write. But if I create the NIC on the Solaris VM in bridged mode instead of host only, the same thing happens. I can mount it but it's read-only.

bash-3.00# mount -F nfs -o vers=3 192.168.1.2:/nfs /opt/mls/macnfs

bash-3.00# ls /opt/mls/macnfs/

text.txt

bash-3.00# touch /opt/mls/macnfs/test2.txt

touch: /opt/mls/macnfs/test2.txt cannot create

And vi tells me that it's a read-only file system:

bash-3.00# pwd

/opt/mls/macnfs

bash-3.00# vi test1.txt

This is a test file

~

~

"test1.txt" Read-only file system

Tomorrow, when I get to work I'll try mounting it from another Solaris box on the same network but my guess is that the same thing will happen.

jrlaughlin
Contributor

I found the answer. And unfortunately, the answer is that you can't do it.

http://www.sun.com/bigadmin/sundocs/articles/trsoltechfaq.jsp

Question: Can you mount a file system into the global zone with read-write permissions?

Answer:

You cannot NFS mount a file system into the global zone with read-write permissions.

Unlabeled clients that use the admin_low security template, which is the default template for unlabeled systems, are less trusted than labeled clients that run at the ADMIN_LOW label.

For example, consider the DNS server. On a labeled server, all zones use the nscd daemon in the global zone. This daemon communicates with the DNS server at the label ADMIN_LOW. However, the DNS server is not trusted in any other regard, so it should not have access to the global zone.

Similarly, the pam_tsol_account module does not allow remote logins from an unlabeled system that is using the admin_low security template.

Files that are LOFS-mounted in the global zone can be modified, that is, have read-write permissions, in the global zone.

So although I probably could do it in one of the lower zones, it would not suit my purposes.

I'm going to try rsync.

Thanks for looking at this Mikero.

James.

Mikero
Community Manager

Just as I got Solaris installed and started playing with it... heh

I've always been more of a Linux/FreeBSD sort of guy, so I don't have much xp in the way of Solaris, but I definitely wanted to give it a shot.

Too bad we couldn't get it to work as you were hoping, but it's interesting to note the issue either way. And really, rsync is a gem, I've found endless use for it.

So, would this issue be because of a feature of Trusted Extensions, or of Solaris itself?

-
Michael Roy - Product Marketing Engineer: VCF
jrlaughlin
Contributor

Sorry to disappoint you :)

It is a Trusted Extensions issue. If you think about it, it makes sense. It would be a huge security hole if you could mount any old nfs as r/w from the global zone in TX.

Mounting the nfs from another Solaris machine without TX installed worked just fine.

Mikero
Community Manager

The feature does make total sense, I did do a little 'humph, that's kinda good it does that actually... '

I just wasn't sure if it was directly a TX thing or just a Solaris default security policy thing.

Cool, well looks like this one is marked as answered.

Cheers 😃

-
Michael Roy - Product Marketing Engineer: VCF