Go to main content

Creating and Using Oracle® Solaris Zones

Exit Print View

Updated: August 2019
 
 

Using Rights Profiles to Install and Manage Zones

Oracle Solaris implements role-based access control (RBAC) to control system access. To perform specific tasks and run privileged commands on the system, a user must have the profiles that provide that user the proper authorization. RBAC also applies when working with zones. This section describes how to authorize sample user jdoe to work with zones.

    Provided that you have the solaris.delegate.* authorization, you can assign one or all of the following zone-related profiles to jdoe.

  • Zone Configuration enables jdoe to configure Oracle Solaris zones on a client system, including zones that are migrated into the system but remain unconfigured.

  • Zone Management enables jdoe to manage existing zones, including running zoneadm commands as well as logging in to the zones.

  • Zone Migration enables jdoe to perform live, warm, and cold zone migrations.

  • Zone Cold Migration enables jdoe to perform cold and warm migrations, but not live migrations.

  • Zone Security extends jdoe's zone administrative privileges to include zones that are configured with Trusted Extensions. For example, the user with this profile can issue txzonemgr commands. For information about txzonemgr, see Creating Labeled Zones in Trusted Extensions Configuration and Administration

A zone administrator that has any of these profiles must be in a profile shell to execute privileged zone commands. The shell can be created by issuing the pfshell command, for example, pfbash. Outside a profile shell, the administrator would need to specify pfexec when issuing a privileged command, for example, pfexec zoneadm.

As an alternative to directly assigning profiles, you can create a role that would contain a combination of required profiles to perform a range of tasks, and then assign the role to the designated zone administrator.

For example, you create a special role zoneadmin with authorization to perform a variety of zone related tasks. User jdoe then issues the su command to assume the zoneadmin role to manage the zones. All roles automatically get pfbash as the default shell.

For more information about rights profiles, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

Later, a zone administrator can implement RBAC inside the running zone to manage users, rights, profiles, and roles to secure the zone. See examples in Delegating Zone Administrative Rights in man pages section 8: System Administration Commands and Authorizing Non-Root Users to Perform Non-Global Zone Migrations.