
Creating and Using Oracle® Solaris Zones


Updated: April 2019
 
 

Assigning Limited Rights to Zone Administrators

The root role has all administrative rights. By default, the global zone administrator (root) can administer all non-global zones.

For security, the root role should delegate rights that enable trusted users to administer zones with just the rights that are required. Rights in Oracle Solaris are privileged commands and authorizations, collected into rights profiles for specific areas of responsibility. For zones, Oracle Solaris provides several rights profiles.

The root role has another way to limit administrative rights in a zone. Each non-global zone has an admin resource. By specifying user names and required authorizations in the admin resource, root can limit access to the zone. When site security requires separation of duty, this method can prevent root from accessing the non-global zone.

The root role can assign a rights profile directly to a user or create an administrative role and assign the rights profile to that role. When users are assigned a role, they must assume it to administer zones.

Assigning Rights to Non-Root Users to Manage Zones

For various reasons, the global zone administrator might want to distribute the rights to manage zones to selected users. Possible reasons include:

  • To enable root to concentrate on other administration operations

  • To assign a specialist to zone administration

  • To reduce the number of entry points for an attack

  • To enable separation of duty where root has limited powers

  • To implement site security requirements, such as PCI-DSS or HIPAA compliance

The rights that you, in the root role, can assign to delegate zone administration include the following:

Zone Security rights profile

For administrators who will create and configure zones.

The Zone Security rights profile includes the zonecfg or txzonemgr commands and every solaris.zone.* authorization. The assignee can delegate zone administration. For information about txzonemgr, see Creating Labeled Zones in Trusted Extensions Configuration and Administration.

If the auths property of the admin resource is configured in the managed zone, this rights profile is not sufficient to create, log in to, and configure zones. The zone administrator must be named in the user property of the admin resource and be assigned the solaris.zone.* authorizations.


Note - This rights profile permits the user to create, modify, or delete any zone configuration on the host.

Zone Configuration rights profile

For administrators who will create and modify zones.

The Zone Configuration rights profile enables a zone administrator to configure a zone. For a migrated zone, the administrator must be granted this rights profile on the target system to complete the migration if a configuration for the zone does not already exist on the target system. The Zone Configuration rights profile includes the zonecfg command only.

If the auths property of the admin resource is configured in the managed zone, this rights profile is not sufficient to configure zones. The zone administrator must be named in the user property of the admin resource and be assigned the solaris.zone.config authorization. If login is restricted, the zone administrator must also be assigned the solaris.zone.login authorization.


Note - This rights profile permits the user to create, modify, or delete any zone configuration on the host.

Zone Management rights profile

For administrators who will manage existing zones.

The Zone Management rights profile includes the zlogin and zoneadm commands.

If the auths property of the admin resource is configured in the managed zone, this rights profile is not sufficient to manage zones. The zone administrator must be named in the user property of the admin resource and be assigned the solaris.zone.* authorizations to log in and manage the zone.

Zone Migration rights profile

For administrators who will migrate any type of zone.

The Zone Migration rights profile enables a zone administrator to perform migration of an installed or running zone. A zone administrator who is assigned this profile can perform live or warm migrations. The Zone Migration rights profile includes the zoneadm and zonecfg commands.

If the auths property of the admin resource is configured in the managed zone, this rights profile is not sufficient to migrate zones. The zone administrator must be named as a user in the admin resource and be assigned the solaris.zone.migrate authorization. If login is restricted, the zone administrator must also be assigned the solaris.zone.login authorization.

Common Commands When Limiting Rights to Administer Zones

Use the following commands to determine the contents of rights profiles and to assign them.

  • To list the contents of a rights profile, run the following command in a terminal window:

    $ profiles -p "Rights Profile Name" info

  • To see the rights or privileges that are granted to the commands in a Zone rights profile, run the following command:

    $ getent exec_attr | grep Zone

    This command finds the privileged commands in the rights profiles that contain the word "Zone".

  • To assign a rights profile to a user, run a usermod command similar to the following:

    # usermod -K profiles+="Zone Management" username

Example 9  Using the admin Resource to Limit Zone Access

To assign administrative rights to an account for a particular zone, the role name or user name must exist in the global zone.

  1. From a terminal in the global zone, specify who has administrative rights in the named zone:

    # zonecfg -z zonename
    zonecfg:zonename> add admin
    zonecfg:zonename:admin> set user=account-name
    zonecfg:zonename:admin> set auths=login,manage
    zonecfg:zonename:admin> end
    zonecfg:zonename> commit

  2. Verify that account-name has the required authorizations in the non-global zone.

    global1# zonecfg -z zonename info admin
    admin:
             user: account-name
             auths: login,manage

The account-name account can now log in and manage the named zone.
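
To confirm that a zone's admin resources grant only what was intended, the output format from step 2 can be checked against an allow-list of "user:auth" grants. The following is an added example, not part of Oracle's documentation; the account names jdoe and opsrole, the function names, and the sample output are constructed.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit the admin resources of a zone
# against an allow-list of "user:auth" grants.

# Constructed sample in the format printed by `zonecfg -z zonename info admin`.
SAMPLE_ADMIN_INFO='admin:
         user: jdoe
         auths: login,manage
admin:
         user: opsrole
         auths: login'

# Read admin resource blocks on stdin, emit one "user:auth" pair per line.
admin_pairs() {
    awk '
        $1 == "user:"  { user = $2 }
        $1 == "auths:" {
            sub(/^[ \t]*auths:[ \t]*/, "")   # keep only the value
            gsub(/[ \t]/, "")                # tolerate "login, manage"
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) print user ":" a[i]
        }'
}

# audit_admin "<allowed pairs>": zonecfg output on stdin.
# Prints EXCESS for grants outside the allow-list and MISSING for expected
# grants that are absent. Returns 1 when any EXCESS grant exists.
audit_admin() {
    allowed=$1
    actual=$(admin_pairs | tr '\n' ' ')
    rc=0
    for p in $actual; do
        case " $allowed " in
            *" $p "*) ;;
            *) echo "EXCESS $p"; rc=1 ;;
        esac
    done
    for p in $allowed; do
        case " $actual " in
            *" $p "*) ;;
            *) echo "MISSING $p" ;;
        esac
    done
    return $rc
}

# Demo on the constructed sample; jdoe is only supposed to hold login.
printf '%s\n' "$SAMPLE_ADMIN_INFO" |
    audit_admin "jdoe:login opsrole:login" || echo "zone grants exceed policy"
```

In the global zone, pipe the real command output into the function instead of the sample, for example `zonecfg -z zonename info admin | audit_admin "account-name:login account-name:manage"`.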

For more examples, including how to assign authenticated rights profiles and how to create and assign roles, see Assigning Rights to Users in Securing Users and Processes in Oracle Solaris 11.3.