[OpenIndiana-discuss] Zone Privileges for a Normal User

Deniz Rende deniz.rende at gmail.com
Mon Nov 7 17:08:51 UTC 2011


Hi Andrew,

> I think "manage" is for starting, stopping, etc (zoneadm) the zone, not for
> configuring it (zonecfg).


I see, I will go ahead and test this, thank you for the information.

-D.
On Mon, Nov 7, 2011 at 2:42 AM, Andrew Gabriel <illumos at cucumber.demon.co.uk> wrote:

> I think "manage" is for starting, stopping, etc (zoneadm) the zone, not
> for configuring it (zonecfg).
> If "manage" allowed the user to configure the zone, they could also change
> who could login and manage the zone, remove IP address restrictions, etc,
> which is not desirable.
>
>
>
> Deniz Rende wrote:
>
>> Hello,
>>
>> The link provided below is a very good source
>>
>> http://trochejen.blogspot.com/2010/06/zones-delegated-administration.html
>>
>>
>>  but it still does not answer my question why even though I set
>> specifically user to manage in the regarding file:
>>
>> solaris.admin.wusb.read,solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq,solaris.profmgr.read,solaris.zone.login/zdev2,solaris.zone.manage/zdev2
>>
>> the user is unable to zonecfg zdev2.
>>
>>
>> So I am wondering if this entry:
>>
>> solaris.zone.manage/zdev2
>>
>> has some problems in openindiana or does this only apply to Solaris 11?
>>
>>
>> On Fri, Nov 4, 2011 at 6:21 PM, Deniz Rende <deniz.rende at gmail.com>
>> wrote:
>>
>>
>>
>>> Hello,
>>>
>>> I am using openindiana 151a server edition in VirtualBox.
>>>
>>> root at oi151a:~# uname -a
>>> SunOS oi151a 5.11 oi_151a i86pc i386 i86pc Solaris
>>>
>>> I have the following zones in the system:
>>>
>>> root at oi151a:~# zoneadm list -civ
>>>  ID NAME             STATUS     PATH                           BRAND    IP
>>>   0 global           running    /                              ipkg     shared
>>>   1 zdev             running    /zones/zdev                    ipkg     shared
>>>   2 zdev2            running    /zones/zdev2                   ipkg     shared
>>>
>>> I have a user called macuser1 with the following auths and profiles:
>>>
>>> macuser1 at oi151a:~$ auths
>>>
>>> solaris.admin.wusb.read,solaris.device.cdrw,solaris.device.mount.removable,solaris.mail.mailq,solaris.profmgr.read,solaris.zone.login/zdev2,solaris.zone.manage/zdev2
>>>
>>>
>>> macuser1 at oi151a:~$ profiles
>>> Zone Management
>>> ZFS File System Management
>>> Basic Solaris User
>>> All
>>>
>>> What I am trying to do is to dedicate the zdev2 zone to the macuser1 but
>>> also let this user manage it.
>>>
>>> I got the first part successfully:
>>>
>>> macuser1 at oi151a:~$ pfexec zlogin zdev2
>>> [Connected to zone 'zdev2' pts/3]
>>> Last login: Fri Nov  4 17:22:49 on pts/3
>>> OpenIndiana (powered by illumos)    SunOS 5.11    oi_151a    September 2011
>>> root at zdev2:~#
>>>
>>> and as intended the user is not able to login to zdev zone:
>>>
>>> macuser1 at oi151a:~$ pfexec zlogin zdev
>>> zlogin: macuser1 is not authorized  to login to zdev zone.
>>>
>>> which is good, but I can't get the user to configure its own zone, i.e.:
>>>
>>> macuser1 at oi151a:~$ pfexec zonecfg -z zdev2
>>> WARNING: you do not have write access to this zone's configuration file;
>>> going into read-only mode.
>>> zonecfg:zdev2>exit
>>>
>>> which is giving me read-only mode.
>>>
>>> How do I let this user manage (i.e. use zonecfg) the zdev2 zone? I
>>> appreciate the feedback.
>>>
>>> Regards,
>>>
>>> Deniz Rende
>>>
>>>
>>> --
>>> Deniz Rende
>>>
>>>
>>
> --
> Andrew Gabriel
>
>


