JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle VM Server for SPARC 2.2 Administration Guide     Oracle VM Server for SPARC
search filter icon
search icon

Document Information

Preface

Part I Oracle VM Server for SPARC 2.2 Software

1.  Overview of the Oracle VM Server for SPARC Software

2.  Installing and Enabling Software

3.  Oracle VM Server for SPARC Security

Delegating the Management of Logical Domains by Using RBAC

Using Rights Profiles and Roles

Managing User Rights Profiles

Assigning Roles to Users

Logical Domains Manager Profile Contents

Controlling Access to a Domain Console by Using RBAC

How to Control Access to All Domain Consoles by Using Roles

How to Control Access to All Domain Consoles by Using Rights Profiles

How to Control Access to a Single Console by Using Roles

How to Control Access to a Single Console by Using Rights Profiles

Enabling and Using Auditing

How to Enable Auditing

How to Disable Auditing

How to Review Audit Records

How to Rotate Audit Logs

4.  Setting Up Services and the Control Domain

5.  Setting Up Guest Domains

6.  Setting Up I/O Domains

7.  Using Virtual Disks

8.  Using Virtual Networks

9.  Migrating Domains

10.  Managing Resources

11.  Managing Domain Configurations

12.  Performing Other Administration Tasks

Part II Optional Oracle VM Server for SPARC Software

13.  Oracle VM Server for SPARC Physical-to-Virtual Conversion Tool

14.  Oracle VM Server for SPARC Configuration Assistant (Oracle Solaris 10)

15.  Using the Oracle VM Server for SPARC Management Information Base Software

16.  Logical Domains Manager Discovery

17.  Using the XML Interface With the Logical Domains Manager

Glossary

Index

Controlling Access to a Domain Console by Using RBAC

By default, any user can access all domain consoles. To control access to a domain console, configure the vntsd daemon to perform authorization checking. The vntsd daemon provides a Service Management Facility (SMF) property named vntsd/authorization. This property can be configured to enable authorization checking of users and roles for a domain console or a console group. To enable authorization checking, use the svccfg command to set the value of this property to true. While this option is enabled, vntsd listens and accepts connections only on localhost. If the listen_addr property specifies an alternate IP address when vntsd/authorization is enabled, vntsd ignores the alternate IP address and continues to listen only on localhost.


Caution

Caution - Do not configure the vntsd service to use a host other than localhost.

If you specify a host other than localhost, you are no longer restricted from connecting to guest domain consoles from the control domain. If you use the telnet command to remotely connect to a guest domain, the login credentials are passed as clear text over the network.


By default, an authorization to access all guest consoles is present in the local auth_attr database.

solaris.vntsd.consoles:::Access All LDoms Guest Consoles::

Use the usermod command to assign the required authorizations to users or roles in local files. This command permits only the user or role who has the required authorizations to access a given domain console or console group. To assign authorizations to users or roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

You can control the access to all domain consoles or to a single domain console.

How to Control Access to All Domain Consoles by Using Roles

  1. Restrict access to a domain console by enabling console authorization checking.
    primary# svccfg -s vntsd setprop vntsd/authorization = true
    primary# svcadm refresh vntsd
    primary# svcadm restart vntsd
  2. Create a role that has the solaris.vntsd.consoles authorization, which permits access to all domain consoles.
    primary# roleadd -A solaris.vntsd.consoles role-name
    primary# passwd all_cons
  3. Assign the new role to a user.
    primary# usermod -R role-name username

Example 3-2 Controlling Access to All Domain Consoles by Using Roles

First, you enable console authorization checking to restrict access to a domain console.

primary# svccfg -s vntsd setprop vntsd/authorization = true
primary# svcadm refresh vntsd
primary# svcadm restart vntsd
primary# ldm ls
NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
primary          active     -n-cv-  UART    8     16G      0.2%  47m
ldg1             active     -n--v-  5000    2     1G       0.1%  17h 50m
ldg2             active     -t----  5001    4     2G        25%  11s

The following example shows how to create the all_cons role with the solaris.vntsd.consoles authorization, which permits access to all domain consoles.

primary# roleadd -A solaris.vntsd.consoles all_cons
primary# passwd all_cons
New Password:
Re-enter new Password:
passwd: password successfully changed for all_cons

This command assigns the all_cons role to the sam user.

primary# usermod -R all_cons sam

User sam assumes the all_cons role and can access any console. For example:

$ id
uid=700299(sam) gid=1(other)
-bash-3.2$ su all_cons
Password:
$ telnet 0 5000
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.

Connecting to console "ldg1" in group "ldg1" ....
Press ~? for control options ..

$ telnet 0 5001
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.

Connecting to console "ldg2" in group "ldg2" ....
Press ~? for control options ..

This example shows what happens when an unauthorized user, dana, attempts to access a domain console:

$ id
uid=702048(dana) gid=1(other)
$ telnet 0 5000
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection to 0 closed by foreign host.

How to Control Access to All Domain Consoles by Using Rights Profiles

  1. Create a rights profile with the solaris.vntsd.consoles authorization.
    • For the Oracle Solaris 10 OS, edit the /etc/security/prof_attr file.

      Include the following entry:

      LDoms Consoles:::Access LDoms Consoles:auths=solaris.vntsd.consoles
    • For the Oracle Solaris 11 OS, use the profiles command to create a new profile.
      primary# profiles -p "LDoms Consoles" \ 'set desc="Access LDoms Consoles"; set auths=solaris.vntsd.consoles'
  2. Assign the rights profile to a user.
    • For the Oracle Solaris 10 OS, assign the rights profile to a user.
      primary# usermod -P "All,Basic Solaris User,LDoms Consoles" username

      Be careful to specify any pre-existing profiles when adding the LDoms Consoles profile. The previous command shows that the user already had the All and Basic Solaris User profiles.

    • For the Oracle Solaris 11 OS, assign the rights profile to a user.
      primary# usermod -P +"LDoms Consoles" username
  3. Connect to the domain console as the user.
    $ telnet 0 5000

Example 3-3 Controlling Access to All Domain Consoles by Using Rights Profiles

The following examples show how to use rights profiles to control access to all domain consoles:

How to Control Access to a Single Console by Using Roles

  1. Add an authorization for a single domain to the /etc/security/auth_attr file.

    The authorization name is derived from the name of the domain and has the form solaris.vntsd.console-domain-name:

    solaris.vntsd.console-domain-name:::Access domain-name Console::
  2. Create a role with the new authorization to only permit access to the console of domain.
    primary# roleadd -A solaris.vntsd.console-domain-name role-name
    primary# passwd role-name
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for role-name
  3. Assign the role-name role to a user.
    primary# usermod -R role-name username

Example 3-4 Accessing a Single Domain Console

This example shows how user terry assumes the ldg1cons role and accesses the ldg1 domain console.

First, add an authorization for a single domain, ldg1, to the /etc/security/auth_attr file:

solaris.vntsd.console-ldg1:::Access ldg1 Console::

Then, create a role with the new authorization to only permit access to the console of domain.

primary# roleadd -A solaris.vntsd.console-ldg1 ldg1cons
primary# passwd ldg1cons
New Password:
Re-enter new Password:
passwd: password successfully changed for ldg1cons

Assign the ldg1cons role to user terry, assume the ldg1cons role, and access the domain console:

primary# usermod -R ldg1cons terry
primary# su ldg1cons
Password:
$ id
uid=700303(ldg1cons) gid=1(other)
$ telnet 0 5000
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.

Connecting to console "ldg1" in group "ldg1" ....
Press ~? for control options ..

The following shows that the user terry cannot access the ldg2 domain console:

$ telnet 0 5001
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection to 0 closed by foreign host.

How to Control Access to a Single Console by Using Rights Profiles

  1. Add an authorization for a single domain to the /etc/security/auth_attr file.

    The following example entry adds the authorization for a domain console:

    solaris.vntsd.console-domain-name:::Access domain-name Console::
  2. Create a rights profile with an authorization to access a specific domain console.
    • For the Oracle Solaris 10 OS, edit the /etc/security/prof_attr file.
      domain-name Console:::Access domain-name
      Console:auths=solaris.vntsd.console-domain-name

      This entry must be on a single line.

    • For the Oracle Solaris 11 OS, use the profiles command to create a new profile.
      primary# profiles -p "domain-name Console" \ 'set desc="Access domain-name Console"; set auths=solaris.vntsd.console-domain-name'
  3. Assign the rights profile to a user.

    The following commands assign the profile to a user:

    • For the Oracle Solaris 10 OS, assign the rights profile.
      primary# usermod -P "All,Basic Solaris User,domain-name Console" username

      Note that the All and Basic Solaris User profiles are required.

    • For the Oracle Solaris 11 OS, assign the rights profile.
      primary# usermod -P +"domain-name Console" username