Logical Domains 1.3 Administration Guide

Configuring RBAC for Guest Console Access

The vntsd daemon provides an SMF property named vntsd/authorization. This property can be configured to enable the authorization checking of users and roles for a domain console or a console group. To enable authorization checking, use the svccfg command to set the value of this property to true. While this option is enabled, vntsd listens and accepts connections only on localhost. If the listen_addr property specifies an alternate IP address when vntsd/authorization is enabled, vntsd ignores the alternate IP address and continues to listen only on localhost.

By default, an authorization to access all guest consoles is added to the auth_attr database, when the vntsd service is enabled.

solaris.vntsd.consoles:::Access All LDoms Guest Consoles::

Superuser can use the usermod command to assign the required authorizations to other users or roles. This permits only the user or role who has the required authorizations to access a given domain console or console groups.

The following example gives user terry the authorization to access all domain consoles:

# usermod -A "solaris.vntsd.consoles" terry

The following example adds a new authorization for a specific domain console with the name ldg1 and assigns that authorization to a user sam:

  1. Add the new authorization entry to the auth_attr file for domain ldg1.

    solaris.vntsd.console-ldg1:::Access Specific LDoms Guest Console::
  2. Assign this authorization to user sam:

    # usermod -A "solaris.vntsd.console-ldg1" sam

For more information about authorizations and RBAC, see System Administration Guide: Security Services.