System Administration Guide: Security Services Oracle Solaris 11 Express 11/10
Device allocation reserves the use of a device to one user at a time. Devices that require a mount point must be mounted.
Device allocation must be enabled, as described in How to Enable Device Allocation. If authorization is required, the user must have the authorization.
Specify the device by device name.
% allocate device-name
Run the identical command.
% allocate device-name
allocate. Device already allocated.
Example 5-7 Allocating a Microphone
In this example, the user jdoe allocates a microphone, audio.
% whoami
jdoe
% allocate audio
Example 5-8 Allocating a Printer
In this example, a user allocates a printer. No one else can print to printer-1 until the user deallocates it, or until the printer is forcibly allocated to another user.
% allocate /dev/lp/printer-1
For an example of forcible deallocation, see Forcibly Deallocating a Device.
Example 5-9 Allocating a Tape Drive
In this example, the user jdoe allocates a tape drive, st0.
% whoami
jdoe
% allocate st0
If the allocate command cannot allocate the device, an error message is displayed in the console window. For a list of allocation error messages, see the allocate(1) man page.
The user or role has allocated the device. To mount a device, the user or role must have the privileges that are required for mounting the device. To give the required privileges, see How to Authorize Users to Allocate a Device.
% su - role-name
Password: <Type role-name password>
$
You only need to do this step the first time that you need a mount point.
$ mkdir mount-point ; chmod 700 mount-point
$ list_devices -l
List of allocatable devices
Specify the device by device name.
$ allocate device-name
$ mount -o ro -F filesystem-type device-path mount-point
where
-o ro
Indicates that the device is to be mounted read-only. Use -o rw to indicate that you should be able to write to the device.
-F filesystem-type
Indicates the file system format of the device. Typically, a CD-ROM is formatted with an HSFS file system. A diskette is typically formatted with a PCFS file system.
device-path
Indicates the path to the device. The output of the list_devices -l command includes the device-path.
mount-point
Indicates the mount point that you created in Step 2.
Example 5-10 Allocating a Diskette Drive
In this example, a user assumes a role that can allocate and mount a diskette drive, fd0. The diskette is formatted with a PCFS file system.
% roles
devicealloc
% su - devicealloc
Password: <Type devicealloc password>
$ mkdir /home/devicealloc/mymnt
$ chmod 700 /home/devicealloc/mymnt
$ list_devices -l
...
device: fd0 type: fd files: /dev/diskette /dev/rdiskette /dev/fd0a
...
$ allocate fd0
$ mount -o ro -F pcfs /dev/diskette /home/devicealloc/mymnt
$ ls /home/devicealloc/mymnt
List of the contents of diskette
Example 5-11 Allocating a CD-ROM Drive
In this example, a user assumes a role that can allocate and mount a CD-ROM drive, sr0. The drive is formatted as an HSFS file system.
% roles
devicealloc
% su - devicealloc
Password: <Type devicealloc password>
$ mkdir /home/devicealloc/mymnt
$ chmod 700 /home/devicealloc/mymnt
$ list_devices -l
...
device: sr0 type: sr files: /dev/sr0 /dev/rsr0 /dev/dsk/c0t2d0s0 ...
...
$ allocate sr0
$ mount -o ro -F hsfs /dev/sr0 /home/devicealloc/mymnt
$ cd /home/devicealloc/mymnt ; ls
List of the contents of CD-ROM
If the mount command cannot mount the device, an error message is displayed: mount: insufficient privileges. Check the following:
Make sure that you are executing the mount command in a profile shell. If you have assumed a role, the role has a profile shell. If you are a user who has been assigned a profile with the mount command, you must create a profile shell. For the list of available profile shells, see the pfexec(1) man page.
Make sure that you own the specified mount point. You must have read, write, and execute access to the mount point.
Contact your administrator if you still cannot mount the allocated device.
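The device-path lookup and the mount-point check described above can be scripted before mount is run. The following is an added example, not part of the Oracle guide: the function names are hypothetical, the sample lines are the list_devices -l lines from Examples 5-10 and 5-11, and it assumes the first entry after "files:" is the path to mount, as in both examples.

```shell
#!/bin/sh
# Added example, not Oracle's code; function names are hypothetical.
# Sample `list_devices -l` lines, taken from Examples 5-10 and 5-11.
SAMPLE_DEVICES='device: fd0 type: fd files: /dev/diskette /dev/rdiskette /dev/fd0a
device: sr0 type: sr files: /dev/sr0 /dev/rsr0 /dev/dsk/c0t2d0s0'

# Read list_devices -l output on stdin; print "<type> <device-path>" for $1.
# Assumption: the first entry after "files:" is the path to mount, as in
# both examples. Returns non-zero when the device is not listed.
device_info() {
    awk -v name="$1" '
        $1 == "device:" && $2 == name && $5 == "files:" && NF >= 6 {
            print $4, $6; found = 1; exit
        }
        END { exit !found }'
}

# File system the guide calls typical for each device type.
fs_for_type() {
    case "$1" in
        fd) echo pcfs ;;    # diskette
        sr) echo hsfs ;;    # CD-ROM
        *)  return 1 ;;     # unknown type: refuse to guess
    esac
}

# The mount point must be a directory you own, with mode 700 as in Step 2.
check_mount_point() {
    [ -d "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        drwx------*) return 0 ;;
    esac
    return 1
}

# Usage: list_devices -l | mount_command DEVICE MOUNT-POINT
# Prints the read-only mount command, or explains why it would fail.
mount_command() {
    info=$(device_info "$1") || { echo "$1: not in device list" >&2; return 1; }
    fs=$(fs_for_type "${info%% *}") || { echo "$1: unknown type" >&2; return 1; }
    check_mount_point "$2" || { echo "$2: need owner-only 700" >&2; return 1; }
    echo "mount -o ro -F $fs ${info#* } $2"
}

# Demo on the sample lines with a throwaway mount point.
demo=$(mktemp -d) && chmod 700 "$demo"
printf '%s\n' "$SAMPLE_DEVICES" | mount_command sr0 "$demo"
rmdir "$demo"
```

The script only prints the command; it does not allocate the device or confirm that you are in a profile shell, so those checks still apply.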
Deallocation enables other users to allocate and use the device when you are finished.
You must have allocated the device.
$ cd $HOME
$ umount mount-point
$ deallocate device-name
Example 5-12 Deallocating a Microphone
In this example, the user jdoe deallocates the microphone, audio.
% whoami
jdoe
% deallocate audio0
Example 5-13 Deallocating a CD-ROM Drive
In this example, the Device Allocator role deallocates a CD-ROM drive. After the message is printed, the CD-ROM is ejected.
$ whoami
devicealloc
$ cd /home/devicealloc
$ umount /home/devicealloc/mymnt
$ ls /home/devicealloc/mymnt
$
$ deallocate sr0
/dev/sr0: 326o
/dev/rsr0: 326o
…
sr_clean: Media in sr0 is ready. Please, label and store safely.