Oracle® VM Server for SPARC 3.6 Administration Guide

Updated: September 2019

How to Control Access to a Single Console by Using Roles

  1. Restrict access to a domain console by enabling console authorization checking.
    primary# svccfg -s vntsd setprop vntsd/authorization = true
    primary# svcadm refresh vntsd
    primary# svcadm restart vntsd
  2. Add an authorization for a single domain to the authorization description database.

    The authorization name is derived from the name of the domain and has the form solaris.vntsd.console-domain-name. Use the auths command to add the authorization.

    # auths add -t "Access domain-name Console" solaris.vntsd.console-domain-name
  3. Create a role with the new authorization to permit access only to the console of the domain.
    primary# roleadd -A solaris.vntsd.console-domain-name role-name
    primary# passwd role-name
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for role-name
  4. Assign the role-name role to a user.
    primary# usermod -R role-name username
Example 4  Accessing a Single Domain Console

This example shows how user terry assumes the ldg1cons role and accesses the ldg1 domain console.

First, add an authorization for a single domain, ldg1, to the authorization description database.

# auths add -t "Access ldg1 Console" solaris.vntsd.console-ldg1

Then, create a role with the new authorization to permit access only to the console of the domain.

primary# roleadd -A solaris.vntsd.console-ldg1 ldg1cons
primary# passwd ldg1cons
New Password:
Re-enter new Password:
passwd: password successfully changed for ldg1cons

Assign the ldg1cons role to user terry, assume the ldg1cons role, and access the domain console.

primary# usermod -R ldg1cons terry
primary# su terry
Password:
$ id
uid=700300(terry) gid=1(other)
$ su ldg1cons
Password:
$ id
uid=700303(ldg1cons) gid=1(other)
$ telnet localhost 5000
Trying 0.0.0.0...
Escape character is '^]'.

Connecting to console "ldg1" in group "ldg1" ....
Press ~? for control options ..

The following example shows that the user terry cannot access the ldg2 domain console:

$ telnet localhost 5001
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection to 0 closed by foreign host.
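As an added verification helper that is not part of the Oracle guide: the POSIX shell functions below derive the solaris.vntsd.console-domain-name authorization for a domain and read a user_attr(5)-style file to confirm that a user holds a role carrying that authorization, which is the state the procedure above and Example 4 should leave behind. The function names are assumptions, the embedded user_attr content is a constructed sample matching Example 4, and nothing here modifies the system.

```shell
#!/bin/sh
# Derive the vntsd console authorization name for a domain
# (solaris.vntsd.console-<domain-name>). Names containing characters
# outside the domain-name alphabet are rejected so that they cannot
# break the authorization syntax. Hypothetical helper.
console_auth_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    printf 'solaris.vntsd.console-%s\n' "$1"
}

# Constructed sample in user_attr(5) format, matching Example 4:
# ldg1cons is a role carrying the ldg1 console authorization, terry holds
# that role, and ldg2cons exists but is assigned to nobody.
write_sample_user_attr() {
    cat > "$1" <<'EOF'
ldg1cons::::type=role;auths=solaris.vntsd.console-ldg1
ldg2cons::::type=role;auths=solaris.vntsd.console-ldg2
terry::::type=normal;roles=ldg1cons
EOF
}

# Return 0 when USER (arg 2) holds a role in FILE (arg 1) whose auths=
# list contains the console authorization for DOMAIN (arg 3).
# Only role-mediated access is checked: auths granted directly to the
# user, and wildcard authorizations, are deliberately not expanded.
user_can_access_console() {
    file=$1; user=$2; auth=$(console_auth_name "$3") || return 2
    roles=''
    # user_attr fields: user:qualifier:res1:res2:attr
    while IFS=: read -r name _q _r1 _r2 attrs; do
        [ "$name" = "$user" ] || continue
        roles=$(printf '%s' "$attrs" | tr ';' '\n' | sed -n 's/^roles=//p' | tr ',' ' ')
    done < "$file"
    [ -n "$roles" ] || return 1
    for role in $roles; do
        while IFS=: read -r name _q _r1 _r2 attrs; do
            [ "$name" = "$role" ] || continue
            case ";$attrs;" in *';type=role;'*) ;; *) continue ;; esac
            auths=$(printf '%s' "$attrs" | tr ';' '\n' | sed -n 's/^auths=//p')
            case ",$auths," in *",$auth,"*) return 0 ;; esac
        done < "$file"
    done
    return 1
}
```

On a live primary domain the same functions can be pointed at /etc/user_attr after the procedure has been run.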