Oracle® VM Server for SPARC 3.2 Administration Guide

Updated: May 2015
 
 

How to Control Access to All Domain Consoles by Using Rights Profiles

  1. Restrict access to a domain console by enabling console authorization checking.
    primary# svccfg -s vntsd setprop vntsd/authorization = true
    primary# svcadm refresh vntsd
    primary# svcadm restart vntsd
  2. Create a rights profile with the solaris.vntsd.consoles authorization.
    • Oracle Solaris 10 OS: Edit the /etc/security/prof_attr file.

      Include the following entry:

      LDoms Consoles:::Access LDoms Consoles:auths=solaris.vntsd.consoles
    • Oracle Solaris 11 OS: Use the profiles command to create a new profile.
      primary# profiles -p "LDoms Consoles" \
      'set desc="Access LDoms Consoles"; set auths=solaris.vntsd.consoles'
  3. Assign the rights profile to a user.
    • Oracle Solaris 10 OS: Assign the rights profile to a user.
      primary# usermod -P "All,Basic Solaris User,LDoms Consoles" username

      Be careful to specify any pre-existing profiles when adding the LDoms Consoles profile. The previous command shows that the user already had the All and Basic Solaris User profiles.

    • Oracle Solaris 11 OS: Assign the rights profile to a user.
      primary# usermod -P +"LDoms Consoles" username
  4. Connect to the domain console as the user.
    $ telnet localhost 5000

Example 2-3  Controlling Access to All Domain Consoles by Using Rights Profiles

The following examples show how to use rights profiles to control access to all domain consoles:

  • Oracle Solaris 10: Create a rights profile with the solaris.vntsd.consoles authorization by adding the following entry to the /etc/security/prof_attr file:

    LDoms Consoles:::Access LDoms Consoles:auths=solaris.vntsd.consoles

    Assign the rights profile to username.

    primary# usermod -P "All,Basic Solaris User,LDoms Consoles" username

    The following commands show how to verify that the user is sam and that the All, Basic Solaris User, and LDoms Consoles rights profiles are in effect. The telnet command shows how to access the ldg1 domain console.

    $ id
    uid=702048(sam) gid=1(other)
    $ profiles
    All
    Basic Solaris User
    LDoms Consoles
    $ telnet localhost 5000
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    
    Connecting to console "ldg1" in group "ldg1" ....
    Press ~? for control options ..
  • Oracle Solaris 11: Use the profiles command to create a rights profile with the solaris.vntsd.consoles authorization in the rights profile description database.

    primary# profiles -p "LDoms Consoles" \
    'set desc="Access LDoms Consoles"; set auths=solaris.vntsd.consoles'

    Assign the rights profile to a user.

    primary# usermod -P +"LDoms Consoles" sam

    The following commands show how to verify that the user is sam and that the All, Basic Solaris User, and LDoms Consoles rights profiles are in effect. The telnet command shows how to access the ldg1 domain console.

    $ id
    uid=702048(sam) gid=1(other)
    $ profiles
    All
    Basic Solaris User
    LDoms Consoles
    $ telnet localhost 5000
    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    
    Connecting to console "ldg1" in group "ldg1" ....
    Press ~? for control options ..
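
The following audit script is an added example and is not part of the Oracle guide. It checks the two conditions the procedure sets up: that the vntsd/authorization property is true, and that a user's authorizations as listed by auths(1) grant solaris.vntsd.consoles. The function names are illustrative, and counting the wildcard entries solaris.vntsd.* and solaris.* as grants is an assumption based on the Solaris authorization wildcard convention.

```shell
#!/bin/sh
# Added audit example; not from the Oracle guide. Function names are illustrative.

REQUIRED_AUTH="solaris.vntsd.consoles"

# authz_enabled VALUE: succeeds only if the vntsd/authorization value is "true".
authz_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "true" ]
}

# grants_console_auth LIST: LIST is the comma-separated output of auths(1).
# Succeeds on an exact match or on a wildcard entry that covers it (assumption:
# a trailing ".*" grants every authorization under that prefix).
grants_console_auth() (
    set -f          # keep entries such as solaris.* from being glob-expanded
    IFS=', '
    for a in $1; do
        case "$a" in
            "$REQUIRED_AUTH"|'solaris.vntsd.*'|'solaris.*') exit 0 ;;
        esac
    done
    exit 1
)

# audit_user USER LIST: print one verdict line for USER.
audit_user() {
    if grants_console_auth "$2"; then
        echo "$1: console access ALLOWED"
    else
        echo "$1: console access denied"
    fi
}

# Live check: runs only where the Solaris tools exist (the control domain).
if command -v svcprop >/dev/null 2>&1 && command -v auths >/dev/null 2>&1; then
    authz_enabled "$(svcprop -p vntsd/authorization vntsd)" ||
        echo "WARNING: vntsd/authorization is not true; console authorization checking is off"
    for u in "$@"; do
        audit_user "$u" "$(auths "$u")"
    done
fi
```

On the control domain, pass the user names to audit as arguments. On any other system the live check is skipped and only the functions are defined.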