Solaris security feature: ZFS "zoned"
One of the coolest features in Solaris in my opinion is the "zoned" property of the ZFS.
What does it do?
ZFS datasets can be exported to non-global zones using the "add dataset" property in zonecfg command. Now the user in the non-global zone may set setuid/symbolic links which are o.k. inside the non-global zone but not acceptable in global zone. So zfs sets the "zoned" property automatically once the dataset is delegated to the non-global zone. It doesn't get cleared automatically once you remove the delegation. It has to be manually removed. If the property is not set off, sharing and other operations don't succeed on the global zone!
bash-3.00# zonecfg -z sparse-zone
zonecfg:sparse-zone> add dataset
zonecfg:sparse-zone:dataset> set name=test/testfs
zonecfg:sparse-zone:dataset> end
zonecfg:sparse-zone> exit
bash-3.00# zoneadm -z sparse-zone reboot
bash-3.00# zlogin sparse-zone
[Connected to zone 'sparse-zone' pts/1]
Last login: Tue Nov 3 00:09:04 on pts/1
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# bash
bash-3.00# zfs list
NAME USED AVAIL REFER MOUNTPOINT
test 122K 19.6G 23K /test
test/testfs 22K 19.6G 22K /global/test
bash-3.00# exit
exit
# exit
[Connection to zone 'sparse-zone' pts/1 closed]
bash-3.00# zonecfg -z sparse-zone
zonecfg:sparse-zone> remove dataset
zonecfg:sparse-zone> exit
bash-3.00# zoneadm -z sparse-zone reboot
bash-3.00# zlogin sparse-zone
[Connected to zone 'sparse-zone' pts/1]
Last login: Tue Nov 3 01:58:01 on pts/1
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
# bash
bash-3.00# zfs list
no datasets available
bash-3.00# exit
# ^D
[Connection to zone 'sparse-zone' pts/1 closed]
bash-3.00# zfs sharenfs=on test/testfs
cannot set property for 'test/testfs': 'sharenfs' cannot be set on dataset in a non-global zone
bash-3.00# zfs set zoned=off test/testfs
bash-3.00# zfs sharenfs=on test/testfs
bash-3.00# dfshares
RESOURCE SERVER ACCESS TRANSPORT
xxxxx:/global/test xxxxx - -
Really 