
Creating and Using Oracle® Solaris Zones


Updated: August 2018

Administering an Immutable Zone by Using the Trusted Path Domain

Oracle Solaris provides four ways to enter an immutable zone to administer it. Two methods make the entire zone temporarily writable, as described in Methods for Administering Non-Global Immutable Zones. The other two use the trusted path, a safer mode in which only processes marked as part of the trusted path can modify the zone, while the zone's files and all other zone processes remain immutable. Processes that run in the trusted path are described as being part of the Trusted Path Domain (TPD).

In immutable zones, certain core system processes are marked as part of the TPD. For example, a number of system daemons run in the TPD, including init, svc.configd, and svc.startd. When you are given administrative access to TPD processes, you can safely modify the configuration of an immutable zone because processes outside the TPD still cannot write to the zone.

You can administer an immutable zone by using the trusted path locally through the console or remotely through a trusted rad connection.

  • To enable local administration, you must ensure that the console is accessible through the ILOM, a serial connection, or the graphical console. You enter the TPD by logging in on a console that is protected by the trusted path, as a user who is permitted to use the trusted path.

    For the procedure, see How to Enable Administrative Access to an Immutable Zone From the Console.

  • To enable remote administration through the Remote Administration Daemon (RAD), you must protect the RAD process with the trusted path, and you must also be a user who is permitted to use the trusted path.

    For the procedure, see How to Enable Remote Administrative Access to an Immutable Zone by Using RAD.

How to Enable Administrative Access to an Immutable Zone From the Console

Perform this task to leave the zone immutable and enable the administrator to access processes and files in the TPD from the console.

  1. Assume the root role.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  2. Restrict access to the console by configuring the tpdlogin PAM module in the global zone.

    For instructions, see How to Restrict Access to the Trusted Path Domain in Managing Authentication in Oracle Solaris 11.4.

  3. Modify the console login SMF service to run in the TPD.
    # svccfg -s console-login:default
    svc:/system/console-login:default> setprop start/trusted_path = true
    svc:/system/console-login:default> refresh
    svc:/system/console-login:default> exit
  4. (Optional) Verify that the trusted_path attribute is set for the console login service.
    # svcprop -p start/trusted_path console-login:default
    true

    Caution  -  When you set the trusted_path attribute on the console login service, you must restrict access to the console in the /etc/security/tpdusers file to prevent login by unauthorized users. You should have prevented unauthorized logins in Step 2.


  5. Restart the console login service.
    # svcadm restart console-login:default
  6. Log in to the immutable zone as one of the users in /etc/security/tpdusers.
    • Log in to the console and answer the Trusted Path login prompt.
    • On a physical console, invoke the Trusted Path login prompt by typing the secure attention key sequence: Stop-A on SPARC, or F1-A on x86.

    After login, you can administer files and processes that are in the TPD. You can also assume a role and administer the immutable zone in that role.

How to Enable Remote Administrative Access to an Immutable Zone by Using RAD

Perform this task to enable access to the immutable zone by using the Remote Administration Daemon (RAD). The rad:remote SMF service is enabled to perform TPD authentication over RAD connections.

  1. Assume the root role.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  2. Modify the rad:remote SMF service to run in the TPD.
    # svccfg -s rad:remote
    svc:/system/rad:remote> setprop method_context/trusted_path = true
    svc:/system/rad:remote> refresh
    svc:/system/rad:remote> exit
  3. Verify that the trusted_path attribute is set for the rad:remote service.
    # svcprop -p method_context/trusted_path rad:remote
    true
  4. Restart the remote RAD service.
    # svcadm restart rad:remote
  5. Enable one or more administrators to access the TPD over a RAD connection.
    # usermod -K tpd=yes username

    These administrators can now log in to the immutable zone remotely over RAD.
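The two procedures above (marking console-login:default and rad:remote as part of the TPD, verifying the property, restarting the service, and for RAD granting users the tpd key), as one added example; it is not code from the Oracle page. It assumes the non-interactive svccfg -s instance setprop form, that svcprop prints the bare value true, and the property names the page uses for each service; the function names, the DRY_RUN and TPD_APPLY variables and the check that the value is exactly true are this example's own choices. With DRY_RUN=1 the script prints the commands it would run instead of executing them, which is useful for reviewing a change before touching a production console.

```shell
#!/bin/sh
# Added example (not from the Oracle page): put an SMF instance into the
# Trusted Path Domain and, for RAD, grant users TPD access.
# Assumes Oracle Solaris 11.4 svccfg/svcprop/svcadm/usermod.
# DRY_RUN=1 prints each privileged command instead of running it.

# Property that carries the trusted_path flag for the two services on the page:
# the console login uses the start method, rad:remote uses method_context.
tpd_property_for() {
    case "$1" in
        console-login:default) echo start/trusted_path ;;
        rad:remote)            echo method_context/trusted_path ;;
        *)                     return 1 ;;
    esac
}

# Run a command, or print it prefixed with "+ " when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Accept only the exact value "true" from svcprop (trailing newline ignored).
tpd_value_is_true() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = true ]
}

# Mark the instance as part of the TPD, verify the property, then restart it.
enable_tpd_service() {
    inst=$1
    prop=$(tpd_property_for "$inst") || {
        echo "enable_tpd_service: unknown instance '$inst'" >&2
        return 1
    }
    run svccfg -s "$inst" setprop "$prop" = true || return 1
    run svccfg -s "$inst" refresh || return 1
    if [ "${DRY_RUN:-0}" != 1 ]; then
        val=$(svcprop -p "$prop" "$inst") || return 1
        tpd_value_is_true "$val" || {
            echo "$inst: $prop is '$val', expected true" >&2
            return 1
        }
    fi
    run svcadm restart "$inst"
}

# Give each named user the tpd key so they can enter the TPD over RAD.
grant_tpd_users() {
    for u in "$@"; do
        run usermod -K tpd=yes "$u" || return 1
    done
}

# Stand-alone use (as the root role):
#   TPD_APPLY=console sh tpd-enable.sh
#   TPD_APPLY=rad     sh tpd-enable.sh alice bob
case "${TPD_APPLY-}" in
    console) enable_tpd_service console-login:default ;;
    rad)     enable_tpd_service rad:remote && grant_tpd_users "$@" ;;
esac
```

For the console case the script deliberately does not touch /etc/security/tpdusers; that file, and the tpdlogin PAM configuration from Step 2, still have to be set up before the service is restarted, otherwise anyone who can reach the console can answer the Trusted Path prompt.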

See Also

For information about RAD access, see Chapter 3, Managing User Accounts Interactively in Managing User Accounts and User Environments in Oracle Solaris 11.4.

To add an SMF service to run in the TPD, see Example 40, Adding the Puppet Service to the Trusted Path.