How to Enable Administrative Access to an Immutable Zone From the Console

Perform this task to leave the zone immutable and enable the administrator to access processes and files in the TPD from the console.

  1. Assume the root role.
  2. Restrict access to the console by configuring the tpdlogin PAM module in the global zone.
  3. Modify the console login SMF service to run in the TPD.
    # svccfg -s console-login:default
    svc:/system/console-login:default> setprop start/trusted_path = true
    svc:/system/console-login:default> refresh
    svc:/system/console-login:default> exit
  4. (Optional) Verify that the trusted_path attribute is set in the console.
    # svcprop -p start/trusted_path console-login:default
    true

    Caution:

    When you set the trusted_path attribute in the console, you must restrict access to the console in the /etc/security/tpdusers file to prevent login by unauthorized users. You should have prevented unauthorized logins in Step 2.
  5. Restart the console login service.
    # svcadm restart console-login:default
  6. Log in to the immutable zone as one of the users in /etc/security/tpdusers.
    • Log in to the console and answer the Trusted Path login prompt.

    • On a physical console, invoke the Trusted Path login prompt by typing the secure attention key sequence:

      • Stop-A (SPARC)

      • F1-A (x86)

    After login, you can administer files and processes that are in the TPD. You can also assume a role and administer the immutable zone in that role.
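
The Caution above ties the trusted_path setting to the access list in /etc/security/tpdusers. The following script is an added example, not part of the original procedure or Oracle-supplied code, that checks both conditions before the restart in Step 5. The function name check_tpd_console is hypothetical, and the file layout (one login name per line, '#' for comments) is an assumption.

```shell
#!/bin/sh
# Added example, not Oracle-supplied. Gate to run before step 5.
# Assumption: tpdusers holds one login name per line; '#' starts a comment.

# check_tpd_console <trusted_path value> <tpdusers file>
# Returns 0 only when console login is in the TPD and the allow list is usable.
check_tpd_console() {
    tp_value=$1
    users_file=$2

    if [ "$tp_value" != "true" ]; then
        echo "start/trusted_path is '$tp_value', expected 'true'" >&2
        return 2
    fi
    if [ ! -f "$users_file" ]; then
        echo "$users_file is missing; configure step 2 first" >&2
        return 1
    fi
    # A group- or world-writable allow list lets other accounts add themselves.
    if [ -n "$(find "$users_file" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$users_file is group- or world-writable" >&2
        return 1
    fi
    # Count entries, ignoring blank lines and comments.
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;
            *) count=$((count + 1)) ;;
        esac
    done < "$users_file"
    if [ "$count" -eq 0 ]; then
        echo "$users_file lists no users" >&2
        return 1
    fi
    echo "trusted_path=true, $count user(s) in $users_file"
}

# On a system with SMF tools, check the live configuration before restarting.
if command -v svcprop >/dev/null 2>&1; then
    check_tpd_console \
        "$(svcprop -p start/trusted_path console-login:default)" \
        /etc/security/tpdusers &&
        echo "OK to run: svcadm restart console-login:default"
fi
```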