Oracle VM Server for SPARC 3.0 Administration Guide

Controlling Access to a Domain Console by Using RBAC
By default, any user can access all domain consoles. To control access to a domain console, configure the vntsd daemon to perform authorization checking. The vntsd daemon provides a Service Management Facility (SMF) property named vntsd/authorization. This property can be configured to enable authorization checking of users and roles for a domain console or a console group. To enable authorization checking, use the svccfg command to set the value of this property to true. While this option is enabled, vntsd listens and accepts connections only on localhost. If the listen_addr property specifies an alternate IP address when vntsd/authorization is enabled, vntsd ignores the alternate IP address and continues to listen only on localhost.
Caution - Do not configure the vntsd service to use a host other than localhost. If you specify a host other than localhost, you are no longer restricted from connecting to guest domain consoles from the control domain. If you use the telnet command to remotely connect to a guest domain, the login credentials are passed as clear text over the network.
By default, an authorization to access all guest consoles is present in the local auth_attr database.
solaris.vntsd.consoles:::Access All LDoms Guest Consoles::
Use the usermod command to assign the required authorizations to users or roles in local files. This command permits only the user or role who has the required authorizations to access a given domain console or console group. To assign authorizations to users or roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
You can control the access to all domain consoles or to a single domain console.
To control the access to all domain consoles, see How to Control Access to All Domain Consoles by Using Roles and How to Control Access to All Domain Consoles by Using Rights Profiles.
To control access to a single domain console, see How to Control Access to a Single Console by Using Roles and How to Control Access to a Single Console by Using Rights Profiles.
How to Control Access to All Domain Consoles by Using Roles

primary# svccfg -s vntsd setprop vntsd/authorization = true
primary# svcadm refresh vntsd
primary# svcadm restart vntsd

primary# roleadd -A solaris.vntsd.consoles role-name
primary# passwd role-name

primary# usermod -R role-name username
Example 3-2 Controlling Access to All Domain Consoles by Using Roles
First, you enable console authorization checking to restrict access to a domain console.
primary# svccfg -s vntsd setprop vntsd/authorization = true
primary# svcadm refresh vntsd
primary# svcadm restart vntsd
primary# ldm ls
NAME     STATE    FLAGS   CONS  VCPU  MEMORY  UTIL  UPTIME
primary  active   -n-cv-  UART  8     16G     0.2%  47m
ldg1     active   -n--v-  5000  2     1G      0.1%  17h 50m
ldg2     active   -t----  5001  4     2G      25%   11s

The following example shows how to create the all_cons role with the solaris.vntsd.consoles authorization, which permits access to all domain consoles.

primary# roleadd -A solaris.vntsd.consoles all_cons
primary# passwd all_cons
New Password:
Re-enter new Password:
passwd: password successfully changed for all_cons

This command assigns the all_cons role to the sam user.

primary# usermod -R all_cons sam

User sam assumes the all_cons role and can access any console. For example:

$ id
uid=700299(sam) gid=1(other)
$ su all_cons
Password:
$ telnet 0 5000
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connecting to console "ldg1" in group "ldg1" ....
Press ~? for control options ..
$ telnet 0 5001
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connecting to console "ldg2" in group "ldg2" ....
Press ~? for control options ..

This example shows what happens when an unauthorized user, dana, attempts to access a domain console:

$ id
uid=702048(dana) gid=1(other)
$ telnet 0 5000
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection to 0 closed by foreign host.
How to Control Access to All Domain Consoles by Using Rights Profiles

primary# svccfg -s vntsd setprop vntsd/authorization = true
primary# svcadm refresh vntsd
primary# svcadm restart vntsd

Include the following entry:

LDoms Consoles:::Access LDoms Consoles:auths=solaris.vntsd.consoles

primary# profiles -p "LDoms Consoles" \
'set desc="Access LDoms Consoles"; set auths=solaris.vntsd.consoles'

primary# usermod -P "All,Basic Solaris User,LDoms Consoles" username

Be careful to specify any pre-existing profiles when adding the LDoms Consoles profile. The previous command shows that the user already had the All and Basic Solaris User profiles.

primary# usermod -P +"LDoms Consoles" username

$ telnet 0 5000
Example 3-3 Controlling Access to All Domain Consoles by Using Rights Profiles
The following examples show how to use rights profiles to control access to all domain consoles:
Oracle Solaris 10: Create a rights profile with the solaris.vntsd.consoles authorization by adding the following entry to the /etc/security/prof_attr file:
LDoms Consoles:::Access LDoms Consoles:auths=solaris.vntsd.consoles
Assign the rights profile to username.
primary# usermod -P "All,Basic Solaris User,LDoms Consoles" username
The following commands show how to verify that the user is sam and that the All, Basic Solaris User, and LDoms Consoles rights profiles are in effect. The telnet command shows how to access the ldg1 domain console.
$ id
uid=702048(sam) gid=1(other)
$ profiles
All
Basic Solaris User
LDoms Consoles
$ telnet 0 5000
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connecting to console "ldg1" in group "ldg1" ....
Press ~? for control options ..

Oracle Solaris 11: Use the profiles command to create a rights profile with the solaris.vntsd.consoles authorization in the /etc/security/prof_attr file.

primary# profiles -p "LDoms Consoles" \
'set desc="Access LDoms Consoles"; set auths=solaris.vntsd.consoles'

Assign the rights profile to a user.

primary# usermod -P +"LDoms Consoles" sam

The following commands show how to verify that the user is sam and that the All, Basic Solaris User, and LDoms Consoles rights profiles are in effect. The telnet command shows how to access the ldg1 domain console.

$ id
uid=702048(sam) gid=1(other)
$ profiles
All
Basic Solaris User
LDoms Consoles
$ telnet 0 5000
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connecting to console "ldg1" in group "ldg1" ....
Press ~? for control options ..
How to Control Access to a Single Console by Using Roles

primary# svccfg -s vntsd setprop vntsd/authorization = true
primary# svcadm refresh vntsd
primary# svcadm restart vntsd

The authorization name is derived from the name of the domain and has the form solaris.vntsd.console-domain-name:

solaris.vntsd.console-domain-name:::Access domain-name Console::

primary# roleadd -A solaris.vntsd.console-domain-name role-name
primary# passwd role-name
New Password:
Re-enter new Password:
passwd: password successfully changed for role-name

primary# usermod -R role-name username
Example 3-4 Accessing a Single Domain Console
This example shows how user terry assumes the ldg1cons role and accesses the ldg1 domain console.
First, add an authorization for a single domain, ldg1, to the /etc/security/auth_attr file.
solaris.vntsd.console-ldg1:::Access ldg1 Console::
Then, create a role with the new authorization so that it permits access only to the console of the ldg1 domain.

primary# roleadd -A solaris.vntsd.console-ldg1 ldg1cons
primary# passwd ldg1cons
New Password:
Re-enter new Password:
passwd: password successfully changed for ldg1cons

Assign the ldg1cons role to user terry, assume the ldg1cons role, and access the domain console.

primary# usermod -R ldg1cons terry
primary# su terry
Password:
$ id
uid=700300(terry) gid=1(other)
$ su ldg1cons
Password:
$ id
uid=700303(ldg1cons) gid=1(other)
$ telnet 0 5000
Trying 0.0.0.0...
Escape character is '^]'.
Connecting to console "ldg1" in group "ldg1" ....
Press ~? for control options ..

The following shows that the user terry cannot access the ldg2 domain console:

$ telnet 0 5001
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection to 0 closed by foreign host.
How to Control Access to a Single Console by Using Rights Profiles

primary# svccfg -s vntsd setprop vntsd/authorization = true
primary# svcadm refresh vntsd
primary# svcadm restart vntsd

The following example entry adds the authorization for a domain console:

solaris.vntsd.console-domain-name:::Access domain-name Console::

domain-name Console:::Access domain-name Console:auths=solaris.vntsd.console-domain-name

This entry must be on a single line.

primary# profiles -p "domain-name Console" \
'set desc="Access domain-name Console"; set auths=solaris.vntsd.console-domain-name'

The following commands assign the profile to a user:

primary# usermod -P "All,Basic Solaris User,domain-name Console" username

Note that the All and Basic Solaris User profiles are required.

primary# usermod -P +"domain-name Console" username
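The procedures above all rest on one check: whether a user's effective authorizations, obtained directly, through rights profiles, or through an assumable role, include solaris.vntsd.consoles or the per-domain solaris.vntsd.console-domain-name. The following audit script is an added example, not code from the Oracle guide; it parses constructed copies of prof_attr and user_attr (the user_attr field layout, the user names lee and dana, and the domain list are assumptions) and reports which guest consoles each account would be admitted to once vntsd/authorization is true.

```python
# Constructed copies of the Solaris RBAC databases that carry the authorizations
# (assumed layouts; real files: /etc/security/prof_attr and /etc/user_attr).
PROF_ATTR = """\
LDoms Consoles:::Access LDoms Consoles:auths=solaris.vntsd.consoles
ldg1 Console:::Access ldg1 Console:auths=solaris.vntsd.console-ldg1
"""
USER_ATTR = """\
all_cons::::type=role;auths=solaris.vntsd.consoles
ldg1cons::::type=role;auths=solaris.vntsd.console-ldg1
sam::::roles=all_cons
terry::::roles=ldg1cons
lee::::profiles=All,Basic Solaris User,LDoms Consoles
dana::::profiles=Basic Solaris User
"""
DOMAINS = ["ldg1", "ldg2"]  # guest domains, as listed by ldm ls in Example 3-2

def parse_attr_db(text):
    """Map each entry's name to the key=value attrs of its last field (','-lists)."""
    db = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            attrs = {}
            for kv in fields[4].split(";"):
                if "=" in kv:
                    key, val = kv.split("=", 1)
                    attrs[key] = val.split(",")
            db[fields[0]] = attrs
    return db

PROF_DB = parse_attr_db(PROF_ATTR)
USER_DB = parse_attr_db(USER_ATTR)

def effective_auths(name, follow_roles=True):
    """Direct auths, plus those of assigned profiles and of assumable roles."""
    entry = USER_DB.get(name, {})
    auths = set(entry.get("auths", []))
    for prof in entry.get("profiles", []):
        auths.update(PROF_DB.get(prof, {}).get("auths", []))
    if follow_roles:  # reached by su to the role; roles of roles are not followed
        for role in entry.get("roles", []):
            auths |= effective_auths(role, follow_roles=False)
    return auths

def reachable_consoles(user):
    """Consoles vntsd admits for this user once vntsd/authorization is true."""
    auths = effective_auths(user)
    if "solaris.vntsd.consoles" in auths:
        return list(DOMAINS)
    return [d for d in DOMAINS if "solaris.vntsd.console-" + d in auths]
```

Run against the real databases, the same resolution shows at a glance which accounts can reach a console that the ldm ls output says is exposed on a vntsd port.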