[OpenIndiana-discuss] Zone Privileges for a Normal User

Bernd Helber bernd at helber-it-services.com
Mon Nov 7 05:18:43 UTC 2011


Dear Deniz,

As I understood, you would take advantage of RBAC.
You may consider taking a look at the Oracle website:

http://www.oracle.com/technetwork/documentation/solaris-10-192992.html

Also have a look at the RBAC chapters.

Additionally, you should have a look at the former blogs.sun.com:

http://search.oracle.com/search/search?search_p_main_operator=all&group=Blogs&q=rbac%20zones

That may enlighten you. ;)

Cheers

On 07.11.11 02:20, Deniz Rende wrote:
> Hello,
> 
> The link provided below is a very good source
> 
> http://trochejen.blogspot.com/2010/06/zones-delegated-administration.html
> 
> 
> but it still does not answer my question of why, even though I specifically
> set the user to manage in the relevant file:
> 
> solaris.admin.wusb.read,solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq,solaris.profmgr.read,solaris.zone.login/zdev2,solaris.zone.manage/zdev2
> 
> the user is unable to zonecfg zdev2.
> 
> 
> So I am wondering if this entry:
> 
> solaris.zone.manage/zdev2
> 
> has some problems in OpenIndiana or does this only apply to Solaris 11?
> 
> 
> On Fri, Nov 4, 2011 at 6:21 PM, Deniz Rende <deniz.rende at gmail.com> wrote:
> 
>> Hello,
>>
>> I am using OpenIndiana 151a server edition in VirtualBox.
>>
>> root@oi151a:~# uname -a
>> SunOS oi151a 5.11 oi_151a i86pc i386 i86pc Solaris
>>
>> I have the following zones in the system:
>>
>> root@oi151a:~# zoneadm list -civ
>>   ID NAME             STATUS     PATH                           BRAND    IP
>>    0 global           running    /                              ipkg     shared
>>    1 zdev             running    /zones/zdev                    ipkg     shared
>>    2 zdev2            running    /zones/zdev2                   ipkg     shared
>>
>> I have a user called macuser1 with the following auths and profiles:
>>
>> macuser1@oi151a:~$ auths
>>
>> solaris.admin.wusb.read,solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq,solaris.profmgr.read,solaris.zone.login/zdev2,solaris.zone.manage/zdev2
>>
>>
>> macuser1@oi151a:~$ profiles
>> Zone Management
>> ZFS File System Management
>> Basic Solaris User
>> All
>>
>> What I am trying to do is to dedicate the zdev2 zone to macuser1 but
>> also let this user manage it.
>>
>> I got the first part successfully:
>>
>> macuser1@oi151a:~$ pfexec zlogin zdev2
>> [Connected to zone 'zdev2' pts/3]
>> Last login: Fri Nov  4 17:22:49 on pts/3
>> OpenIndiana (powered by illumos)    SunOS 5.11    oi_151a    September 2011
>> root@zdev2:~#
>>
>> and, as intended, the user is not able to log in to the zdev zone:
>>
>> macuser1@oi151a:~$ pfexec zlogin zdev
>> zlogin: macuser1 is not authorized  to login to zdev zone.
>>
>> which is good, but I can't get the user to configure its own zone, i.e.:
>>
>> macuser1@oi151a:~$ pfexec zonecfg -z zdev2
>> WARNING: you do not have write access to this zone's configuration file;
>> going into read-only mode.
>> zonecfg:zdev2>exit
>>
>> which is giving me read-only mode.
>>
>> How do I let this user manage (i.e., use zonecfg) the zdev2 zone? I
>> appreciate the feedback.
>>
>> Regards,
>>
>> Deniz Rende
>>
>>
>> --
>> Deniz Rende
>>
>>
> 
> 



