[OpenIndiana-discuss] Zone Privileges for a Normal User

Andrew Gabriel illumos at cucumber.demon.co.uk
Mon Nov 7 08:42:07 UTC 2011


I think "manage" is for starting, stopping, etc. (zoneadm) the zone, not
for configuring it (zonecfg).
If "manage" allowed the user to configure the zone, they could also
change who could login and manage the zone, remove IP address
restrictions, etc., which is not desirable.


Deniz Rende wrote:
> Hello,
>
> The link provided below is a very good source
>
> http://trochejen.blogspot.com/2010/06/zones-delegated-administration.html
>
>
> but it still does not answer my question of why, even though I
> specifically set the user to manage in the relevant file:
>
> solaris.admin.wusb.read,solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq,solaris.profmgr.read,solaris.zone.login/zdev2,solaris.zone.manage/zdev2
>
> the user is unable to zonecfg zdev2.
>
>
> So I am wondering if this entry:
>
> solaris.zone.manage/zdev2
>
> has some problems in openindiana or does this only apply to Solaris 11?
>
>
> On Fri, Nov 4, 2011 at 6:21 PM, Deniz Rende <deniz.rende at gmail.com> wrote:
>
>> Hello,
>>
>> I am using openindiana 151a server edition in VirtualBox.
>>
>> root at oi151a:~# uname -a
>> SunOS oi151a 5.11 oi_151a i86pc i386 i86pc Solaris
>>
>> I have the following zones in the system:
>>
>> root at oi151a:~# zoneadm list -civ
>>   ID NAME             STATUS     PATH                           BRAND    IP
>>    0 global           running    /                              ipkg     shared
>>    1 zdev             running    /zones/zdev                    ipkg     shared
>>    2 zdev2            running    /zones/zdev2                   ipkg     shared
>>
>> I have a user called macuser1 with the following auths and profiles:
>>
>> macuser1 at oi151a:~$ auths
>>
>> solaris.admin.wusb.read,solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq,solaris.profmgr.read,solaris.zone.login/zdev2,solaris.zone.manage/zdev2
>>
>>
>> macuser1 at oi151a:~$ profiles
>> Zone Management
>> ZFS File System Management
>> Basic Solaris User
>> All
>>
>> What I am trying to do is to dedicate the zdev2 zone to macuser1 but
>> also let this user manage it.
>>
>> I got the first part successfully:
>>
>> macuser1 at oi151a:~$ pfexec zlogin zdev2
>> [Connected to zone 'zdev2' pts/3]
>> Last login: Fri Nov  4 17:22:49 on pts/3
>> OpenIndiana (powered by illumos)    SunOS 5.11    oi_151a    September 2011
>> root at zdev2:~#
>>
>> and as intended the user is not able to log in to the zdev zone:
>>
>> macuser1 at oi151a:~$ pfexec zlogin zdev
>> zlogin: macuser1 is not authorized  to login to zdev zone.
>>
>> which is good, but I can't get the user to configure its own zone, i.e.:
>>
>> macuser1 at oi151a:~$ pfexec zonecfg -z zdev2
>> WARNING: you do not have write access to this zone's configuration file;
>> going into read-only mode.
>> zonecfg:zdev2>exit
>>
>> which is giving me read-only mode.
>>
>> How do I let this user manage (i.e. use zonecfg) the zdev2 zone? I
>> appreciate the feedback.
>>
>> Regards,
>>
>> Deniz Rende
>>
>>
>> --
>> Deniz Rende

-- 
Andrew Gabriel
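As an added example (not code from this thread or from illumos), a small POSIX sh check that applies the distinction drawn above: it parses an auths line like the one quoted, decides whether solaris.zone.login and solaris.zone.manage cover a given zone, and treats zonecfg separately as plain write access to the zone's configuration file. The matching rules (exact name, per-zone `name/zone` object, trailing `*` wildcard) and the /etc/zones/<zone>.xml location are my assumptions from auth_attr(4) and zonecfg(1M), not something the thread states.

```sh
#!/bin/sh
# Added example: model which zone operations a set of RBAC authorizations
# grants. The wildcard/object matching below is my reading of auth_attr(4);
# the config-file location is an assumption (override with ZONE_CFG_DIR).
ZONE_CFG_DIR=${ZONE_CFG_DIR:-/etc/zones}

# Constructed sample: the auths line pasted by the original poster.
SAMPLE_AUTHS='solaris.admin.wusb.read,solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq,solaris.profmgr.read,solaris.zone.login/zdev2,solaris.zone.manage/zdev2'

# has_auth AUTHS NAME ZONE -> returns 0 if the comma-separated AUTHS grant
# authorization NAME for ZONE: exact name (all zones), "NAME/ZONE" (this zone
# only) or a trailing-"*" wildcard such as solaris.zone.* or solaris.*.
has_auth() {
    _auths=$1 _name=$2 _zone=$3
    _ifs=$IFS; IFS=,
    for _a in $_auths; do
        case "$_a" in
            "$_name")        IFS=$_ifs; return 0 ;;   # unscoped: every zone
            "$_name/$_zone") IFS=$_ifs; return 0 ;;   # scoped to this zone
            *.\*)                                      # wildcard authorization
                _prefix=${_a%\*}
                case "$_name" in "$_prefix"*) IFS=$_ifs; return 0 ;; esac ;;
        esac
    done
    IFS=$_ifs
    return 1
}

# zone_access AUTHS ZONE -> prints the operations available to the caller:
# "login" (zlogin), "manage" (zoneadm boot/halt/...), "config" (zonecfg).
zone_access() {
    _out=""
    has_auth "$1" solaris.zone.login  "$2" && _out="$_out login"
    has_auth "$1" solaris.zone.manage "$2" && _out="$_out manage"
    # zonecfg is not governed by solaris.zone.manage: it falls back to
    # read-only mode unless the caller can write the zone's XML config.
    [ -w "$ZONE_CFG_DIR/$2.xml" ] && _out="$_out config"
    echo "${_out# }"
}

# Stand-alone demo: the poster's auths give login+manage on zdev2, nothing
# on zdev, and no "config" on either unless the XML is writable.
zone_access "$SAMPLE_AUTHS" zdev2
zone_access "$SAMPLE_AUTHS" zdev
```

Run it as the user in question (no pfexec) to see which operations the auths alone cover; an empty result for "config" is exactly the read-only zonecfg behaviour quoted above.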


