Go to main content

man pages section 1: User Commands

Exit Print View

Updated: Wednesday, February 9, 2022



zlogin - enter a zone


zlogin [-dCETU] [-e 
c] [-l username] 
zlogin [-ESTU] [-e 
c] [-l username] 
zonename utility [argument]...


The zlogin utility is used to enter an operating system zone. Only a user operating in the global system zone can use this utility, and it must be executed with all privileges. In addition, the user must be authorized to use specific options described in the OPTIONS section.

zlogin checks for authorization strings which optionally include the specified zonename as a suffix, preceded by the slash character. When omitted, the authorization matches any zone.

zlogin operates in one of three modes:

Interactive Mode

If no utility argument is given and the stdin file descriptor for the zlogin process is a tty device, zlogin operates in interactive mode. In this mode, zlogin creates a new pseudo terminal for use within the login session. Programs requiring a tty device, for example, vi(1), work properly in this mode. In this mode, zlogin invokes login(1) to provide a suitable login session.

Non-Interactive Mode

If a utility is specified, zlogin operates in non-interactive mode. This mode can be useful for script authors since stdin, stdout, and stderr are preserved and the exit status of utility is returned upon termination. In this mode, zlogin invokes su(8) in order to set up the user's environment and invoke the user's shell. This mode invokes su without a dash (-) as its first argument.

The specified command is passed as a string and interpreted by a shell running in the non-global zone. See rsh(1).

Console Mode

If the –C option is specified, the user is connected to the zone console device and zlogin operates in console mode. The zone console is available once the zone is in the installed state. Connections to the console are persistent across reboot of the zone.

If zlogin is executed in console mode and its standard input is not a terminal, then it enables a non-interactive mode and prints the following message on the standard output:

[Connected read-only to zone '<zname>' console]


The following options are supported:


Connects to the zone console. Access to the zone console requires the authorization solaris.zone.console/zonename or solaris.zone.manage/zonename.


If the zone halts, disconnect from the console. This option can only be specified along with –C.

–e c

Specifies a different escape character, c, for the key sequence used to access extended functions and to disconnect from the login. The default escape character is the tilde (~).


Disables the ability to access extended functions or to disconnect from the login by using the escape sequence character.

–l username

Specifies a different username for the zone login. If you do not use this option, the zone username used is root. This option is invalid if the –C option is specified.

The username must be valid in the zone. For interactive logins the authorization solaris.zone.login/zonename is required, and password authentication takes place in the zone. For non-interactive logins, or to bypass password authentication, the authorization solaris.zone.manage/zonename is required.


Safe login mode. zlogin does minimal processing and does not invoke login(1) or su(8). The zone username is set to root. The –S option cannot be used if a username is specified through the –l option, and cannot be used with console logins. This mode should only be used to recover a damaged zone when other forms of login have become impossible.

Use of this option requires the authorization solaris.zone.manage/zonename.


Enters an immutable zone as a "Trusted Path Domain" member. This session can modify files which are normally immutable. Such processes cannot read unprotected files. The –T option cannot be used with console login.

Use of this option requires the authorization solaris.zone.manage/ zonename.


As –T but turns on "unsafe" mode.

Escape Sequences

Lines that you type that start with the tilde character (~) are “escape sequences”. The escape character can be changed using the –e option.


Disconnects from the zone. This is not the same as a logout, because the local host breaks the connection with no warning to the zone's end.


Once a process has been placed in a zone other than the global zone, the process cannot change zone again, nor can any of its children.


The following operands are supported:


The name of the zone to be entered.


The utility to be run in the specified zone.


Arguments passed to the utility.

Environment Variables


If the –S option has not been used, whichever of these environment variables are set in the environment from which zlogin is run will be set to the same value in the environment inside the zone.


If this environment variable is set in the environment from which zlogin is run, it will be set to the same value in the environment inside the zone.


This variable will be set to "/usr/sbin:/usr/bin" in the environment inside the zone.


If the –S option is used, this environment variable will be set to "/" in the environment inside the zone. Otherwise it will be left for login(1) or su(8) to set.


If the –S option is used, this environment variable will be set to "/sbin/sh" in the environment inside the zone. Otherwise it will be left for login(1) or su(8) to set.

Exit Status

In interactive and non-interactive modes, the zlogin utility exits when the command or shell in the non-global zone exits. In non-interactive mode, the exit status of the remote program is returned as the exit status of zlogin. In interactive mode and console login mode, the exit status is not returned. zlogin returns a 0 exit status as long as no connection-related error occurred.

In all modes, in the event that a connection to the zone cannot be established, the connection fails unexpectedly, or the user is lacking sufficient privilege to perform the requested operation, zlogin exits with status 1.

To summarize, the following exit values are returned:


Successful entry.


Permission denied, or failure to enter the zone.


Return code from utility, or from su(8) if operating in non-interactive mode.

In a solaris-kz brand zone, a non-console login is implemented by creating a new terminal driver instance, and starting a stub process called zvlogin which spawns the shell as needed. The zone must therefore be booted to a certain point (such that the svc:/system/sysevent:default service is running) for zlogin to work. In all other respects, the visible behavior is the same.


See attributes(7) for descriptions of the following attributes:

Interface Stability

See Also

attributes(7), login(1), rsh(1), su(8), tpd(7), vi(1), zoneadm(8), zonecfg(8), zones(7)


zlogin fails if its open files or any portion of its address space corresponds to an NFS file. This includes the executable itself or the shared libraries.

zlogin allows logins even if the usual environment is not yet available. For example, the multi-user milestone has not been reached during boot. As a result, some services such as mounted home directories may not be available when using zlogin in these circumstances.