Oracle VM Server for SPARC 3.0 Administration Guide
The Logical Domains Manager package adds two predefined role-based access control (RBAC) rights profiles to the local RBAC configuration. By using these rights profiles, you can delegate the following administrative privileges to unprivileged users:
The LDoms Management profile permits a user to use all ldm subcommands.
The LDoms Review profile permits a user to use all list-related ldm subcommands.
These rights profiles can be assigned directly to users or to a role that is then assigned to users. When one of these profiles is assigned directly to a user, you must use the pfexec command or a profile shell, such as pfbash or pfksh, to successfully use the ldm command to manage your domains. Determine whether to use roles or rights profiles based on your RBAC configuration. See System Administration Guide: Security Services or Part III, Roles, Rights Profiles, and Privileges, in Oracle Solaris 11.1 Administration: Security Services.
Users, authorizations, rights profiles, and roles can be configured in the following ways:
Locally on the system by using files
Centrally in a naming service, such as LDAP
Installing the Logical Domains Manager adds the necessary rights profiles to the local files. To configure profiles and roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). All of the examples in this chapter assume that the RBAC configuration uses local files. For an overview of the authorizations and execution attributes delivered by the Logical Domains Manager package, see Logical Domains Manager Profile Contents.
Caution - Be careful when using the usermod and rolemod commands to add authorizations, rights profiles, or roles.
The following procedures show how to manage user rights profiles on the system by using local files. To manage user profiles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
Users who have been directly assigned the LDoms Management profile must invoke a profile shell to run the ldm command with security attributes. For more information, see System Administration Guide: Security Services or Part III, Roles, Rights Profiles, and Privileges, in Oracle Solaris 11.1 Administration: Security Services.
For Oracle Solaris 10, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. For Oracle Solaris 11.1, see Part III, Roles, Rights Profiles, and Privileges, in Oracle Solaris 11.1 Administration: Security Services.
You can assign either the LDoms Review profile or the LDoms Management profile to a user account.
# usermod -P "profile-name" username
The following command assigns the LDoms Management profile to user sam:
# usermod -P "LDoms Management" sam
The following procedure shows how to create a role and assign it to a user by using local files. To manage roles in a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
The advantage of using this procedure is that only a user who has been assigned a specific role can assume that role. When assuming a role, a password is required if the role has been assigned a password. These two layers of security prevent a user who has not been assigned a role, yet has the password, from assuming that role.
For Oracle Solaris 10, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. For Oracle Solaris 11.1, see Part III, Roles, Rights Profiles, and Privileges, in Oracle Solaris 11.1 Administration: Security Services.
# roleadd -P "profile-name" role-name
You will be prompted to specify and then verify a new password.
# passwd role-name
# useradd -R role-name username
You will be prompted to specify and then verify a new password.
# passwd username
# su username
$ id
uid=nn(username) gid=nn(group-name)
$ roles
role-name
$ su role-name
$ id
uid=nn(role-name) gid=nn(group-name)
Example 3-1 Creating a Role and Assigning the Role to a User
This example shows how to create the ldm_read role, assign the role to the user_1 user, become the user_1 user, and assume the ldm_read role.
# roleadd -P "LDoms Review" ldm_read
# passwd ldm_read
New Password: ldm_read-password
Re-enter new Password: ldm_read-password
passwd: password successfully changed for ldm_read
# useradd -R ldm_read user_1
# passwd user_1
New Password: user_1-password
Re-enter new Password: user_1-password
passwd: password successfully changed for user_1
# su user_1
Password: user_1-password
$ id
uid=95555(user_1) gid=10(staff)
$ roles
ldm_read
$ su ldm_read
Password: ldm_read-password
$ id
uid=99667(ldm_read) gid=14(sysadmin)
The Logical Domains Manager package adds the following RBAC profiles to the local /etc/security/prof_attr file:
LDoms Review:::Review LDoms configuration:profiles=auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:profiles=auths=solaris.ldoms.*
The Logical Domains Manager package also adds the following execution attribute that is associated with the LDoms Management profile to the local /etc/security/exec_attr file:
LDoms Management:suser:cmd:::/usr/sbin/ldm:privs=file_dac_read,file_dac_search
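The following script is an added example, not part of the Oracle guide. It shows how a rights-profile assignment made with usermod -P or roleadd -P (the procedures above) resolves to ldm authorizations through prof_attr: it parses constructed copies of the prof_attr and user_attr entries in the same colon-separated format, treats solaris.ldoms.* as a prefix wildcard, and reports which of the made-up users sam, pat and bob can manage or only review domains.

```shell
# Added example, not from the Oracle guide. Constructed copies of the
# prof_attr and user_attr entries (same colon-separated format as the
# real files); the users sam, pat and bob are made up.
PROF_ATTR='LDoms Review:::Review LDoms configuration:profiles=auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:profiles=auths=solaris.ldoms.*'
USER_ATTR='sam::::type=normal;profiles=LDoms Management
pat::::type=normal;profiles=LDoms Review
bob::::type=normal'

# profiles_of USER: print each rights profile assigned to USER, one per line
# (field 5 of user_attr holds key=value pairs separated by ";").
profiles_of() {
  printf '%s\n' "$USER_ATTR" | awk -F: -v u="$1" '
    $1 == u { n = split($5, kv, ";")
              for (i = 1; i <= n; i++) if (kv[i] ~ /^profiles=/) {
                sub(/^profiles=/, "", kv[i]); gsub(/,/, "\n", kv[i]); print kv[i] } }'
}
# auths_of_profile PROFILE: print the authorizations the profile grants.
auths_of_profile() {
  printf '%s\n' "$PROF_ATTR" | awk -F: -v p="$1" '
    $1 == p { n = split($5, kv, ";")
              for (i = 1; i <= n; i++) if (kv[i] ~ /auths=/) {
                sub(/^.*auths=/, "", kv[i]); gsub(/,/, "\n", kv[i]); print kv[i] } }'
}
# auths_of_user USER: authorizations reachable through the user's profiles.
auths_of_user() {
  profiles_of "$1" | while IFS= read -r p; do auths_of_profile "$p"; done
}
# has_auth USER AUTH: exit 0 if USER holds AUTH, treating a trailing "*"
# as a prefix wildcard (solaris.ldoms.* covers solaris.ldoms.add, etc.).
has_auth() {
  for a in $(auths_of_user "$1"); do
    case "$a" in
      *\*) case "$2" in "${a%\*}"*) return 0 ;; esac ;;
      *)   [ "$a" = "$2" ] && return 0 ;;
    esac
  done
  return 1
}
# Audit: which of the constructed users may change a domain configuration?
for u in sam pat bob; do
  if has_auth "$u" solaris.ldoms.add; then echo "$u: can manage domains"
  elif has_auth "$u" solaris.ldoms.read; then echo "$u: read-only (list)"
  else echo "$u: no ldm authorization"; fi
done
```

On a live Oracle Solaris system the profiles and auths commands report the same information for real accounts; the script only makes the file-level resolution visible.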
The following table lists the ldm subcommands together with the user authorization that is needed to run each of them.
Table 3-1 The ldm Subcommands and User Authorizations
1 Refers to all the resources you can add, list, remove, or set.