Currently, invoking the zadm login command invokes zlogin while leaving the inheritable privilege set quite restricted. That ends up with the zone shell having fewer privileges than one might expect:
bloody% pfexec ptree 2377
2377 /usr/bin/perl /opt/ooce/bin/zadm login lx
2381 /usr/sbin/zlogin lx
2382 /bin/login -h zone:global -f root
2388 -bash
bloody% pfexec ppriv 2377
2377: /usr/bin/perl /opt/ooce/bin/zadm login lx
flags = PRIV_AWARE
E: all
I: basic,file_dac_write,!file_link_any,!net_access,!proc_info,!proc_session
P: all
L: all
bloody# ppriv 2381
2381: /usr/sbin/zlogin lx
flags = PRIV_AWARE
E: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
P: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
bloody% pfexec ppriv 2388
2388: -bash
flags = PRIV_AWARE_RESET
E: basic,contract_event,contract_identity,contract_observer,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_lock_memory,proc_owner,proc_prioup,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_ip_config,sys_iptun_config,sys_mount,sys_nfs,sys_ppp_config,sys_resource,sys_smb
I: basic,file_dac_write,!file_link_any,!net_access,!proc_info,!proc_session
... P & L are the same as E
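To make the consequence of the restricted inheritable set concrete, here is an added example (not part of the original report, and not zadm's own code) that parses ppriv output like the listings above and predicts what a program started from the zone shell will be able to do. It assumes the illumos exec rule for an ordinary, non-setuid program (E' = P' = I ∩ L, I' = I, L' = L) and the illumos "basic" privilege set hard-coded below; the sample text is constructed from the zlogin and -bash listings in the report, with P and L of the shell copied from E as the report says they match.

```python
"""Parse ppriv(1) output and predict what a child inherits on exec.

Added example, not part of the original report or of zadm. Assumes the
illumos exec rule for a non-setuid, non-privilege-aware program
(E' = P' = I & L, I' = I, L' = L) and the illumos basic set below.
"""
import re

# Assumption: the illumos basic privilege set.
BASIC = frozenset({
    "file_link_any", "file_read", "file_write", "net_access",
    "proc_exec", "proc_fork", "proc_info", "proc_secflags", "proc_session",
})
ALL = "all"  # sentinel for a set that ppriv prints as "all"

# Effective set of the zone shell, copied from the report's listing for pid 2388.
SHELL_E = (
    "basic,contract_event,contract_identity,contract_observer,dtrace_proc,"
    "dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,"
    "file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,"
    "ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,"
    "net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_lock_memory,"
    "proc_owner,proc_prioup,proc_setid,proc_taskid,sys_acct,sys_admin,"
    "sys_audit,sys_ip_config,sys_iptun_config,sys_mount,sys_nfs,"
    "sys_ppp_config,sys_resource,sys_smb"
)

# Constructed sample: the zlogin and zone-shell listings from the report.
SAMPLE = f"""\
2381: /usr/sbin/zlogin lx
flags = PRIV_AWARE
E: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
P: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
2388: -bash
flags = PRIV_AWARE_RESET
E: {SHELL_E}
I: basic,file_dac_write,!file_link_any,!net_access,!proc_info,!proc_session
P: {SHELL_E}
L: {SHELL_E}
"""


def parse_set(spec):
    """Expand a ppriv set spec such as 'basic,file_dac_write,!net_access'."""
    spec = spec.strip()
    if spec == ALL:
        return ALL
    privs = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok or tok == "none":
            continue
        if tok == "basic":
            privs |= BASIC
        elif tok.startswith("!"):      # "!x" removes x from what was added so far
            privs.discard(tok[1:])
        else:
            privs.add(tok)
    return frozenset(privs)


def parse_ppriv(text):
    """Return {pid: {'cmd', 'flags', 'E', 'I', 'P', 'L'}} from ppriv output."""
    procs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+):\s+(.*)$", line)
        if m:
            cur = {"cmd": m.group(2), "flags": ""}
            procs[int(m.group(1))] = cur
        elif cur is not None and line.startswith("flags"):
            cur["flags"] = line.split("=", 1)[1].strip()
        elif cur is not None and re.match(r"^[EIPL]:", line):
            cur[line[0]] = parse_set(line[2:])
    return procs


def intersect(a, b):
    """Set intersection that understands the 'all' sentinel."""
    if a == ALL:
        return b
    if b == ALL:
        return a
    return a & b


def privs_after_exec(proc):
    """Sets a child gets when this process execs an ordinary program."""
    new_ep = intersect(proc["I"], proc["L"])
    return {"E": new_ep, "P": new_ep, "I": proc["I"], "L": proc["L"]}


def lost_on_exec(proc):
    """Privileges effective in this process that its children will not have."""
    if proc["E"] == ALL:
        raise ValueError("effective set is 'all'; the loss is unbounded")
    return sorted(proc["E"] - privs_after_exec(proc)["E"])


if __name__ == "__main__":
    for pid, proc in parse_ppriv(SAMPLE).items():
        print(f"{pid} {proc['cmd']}: child E = {sorted(privs_after_exec(proc)['E'])}")
        print(f"  dropped on exec: {lost_on_exec(proc)}")
```

Run against the report's listings, the zone shell (pid 2388) keeps 47 effective privileges itself, but anything it executes is cut down to the six privileges in its inheritable set (file_read, file_write, proc_exec, proc_fork, proc_secflags, file_dac_write), which is the "fewer privileges than one might expect" the report describes; the fix belongs in the zadm/zlogin invocation's inheritable set, not in the zone shell.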