Logical Domains 1.3 Administration Guide

Adding the Privileges Needed to Migrate Domains

In addition to the Logical Domains authorizations (solaris.ldoms.*), a user needs the file_dac_read and file_dac_search privileges to migrate a domain to another system. With these privileges, the user can read the Logical Domains Manager key, /var/opt/SUNWldm/server.key, which for security reasons is readable only by superuser.

Procedure: Add Other Privileges to Enable Domain Migration

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use the usermod command to add the file_dac_read and file_dac_search privileges for a user.


    # usermod -K defaultpriv=basic,file_dac_read,file_dac_search username
    

    For more information about the usermod command, see the usermod(1M) man page.

    The following command adds the file_dac_read and file_dac_search privileges for the ldm_mig user:


    # usermod -K defaultpriv=basic,file_dac_read,file_dac_search ldm_mig
    

Procedure: Delete All Privileges for a Local User Account

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use the usermod command to delete all the added privileges for a user by setting defaultpriv back to basic.


    # usermod -K defaultpriv=basic username
    

    For more information about the usermod command, see the usermod(1M) man page.

    The following command deletes the privileges for the ldm_mig user:


    # usermod -K defaultpriv=basic ldm_mig
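
To verify the result of either procedure above, or to audit which accounts can read server.key through these privileges, the following added example (not part of the original guide) parses user_attr(4)-format data, which is where usermod -K records defaultpriv. The function names, the allow-list approach and the sample entries are assumptions constructed for illustration.

```shell
# Added example: audit user_attr(4)-format data for the migration privileges.
# Entry format: user:qualifier:res1:res2:attr (attr is ';'-separated key=value pairs, one entry per line).

# Constructed sample data, not taken from a real system.
sample_user_attr() {
    cat <<'EOF'
# constructed sample
root::::auths=solaris.*,solaris.grant;profiles=All
ldm_mig::::type=normal;defaultpriv=basic,file_dac_read,file_dac_search
backup::::defaultpriv=basic,file_dac_read
alice::::defaultpriv=basic
EOF
}

# Reads user_attr data on stdin; prints "user<TAB>both" or "user<TAB>partial:<priv>"
# for every account whose defaultpriv grants file_dac_read or file_dac_search.
# The privilege-set keyword "all" is counted as granting both.
list_dac_users() {
    awk -F: '
        /^[ \t]*#/ || NF < 5 { next }
        {
            n = split($5, kv, ";"); r = 0; s = 0
            for (i = 1; i <= n; i++) {
                if (kv[i] !~ /^defaultpriv=/) continue
                sub(/^defaultpriv=/, "", kv[i])
                m = split(kv[i], p, ",")
                for (j = 1; j <= m; j++) {
                    if (p[j] == "file_dac_read"   || p[j] == "all") r = 1
                    if (p[j] == "file_dac_search" || p[j] == "all") s = 1
                }
            }
            if (r && s)  print $1 "\tboth"
            else if (r)  print $1 "\tpartial:file_dac_read"
            else if (s)  print $1 "\tpartial:file_dac_search"
        }'
}

# unexpected_dac_users ALLOWED_USER...  (user_attr data on stdin)
# Prints accounts holding either privilege that are not on the allow-list.
unexpected_dac_users() {
    list_dac_users | while IFS="$(printf '\t')" read -r user status; do
        case " $* " in
            *" $user "*) ;;
            *) printf '%s\t%s\n' "$user" "$status" ;;
        esac
    done
}
# Demo on the constructed sample; on a real system: unexpected_dac_users ldm_mig < /etc/user_attr
sample_user_attr | unexpected_dac_users ldm_mig
```

An account reported as partial holds only one of the two privileges, so it has extra read access without being able to complete a migration; an account that is not on the allow-list should be reset with the delete procedure above.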