Authorizations for Zone Console access - Part 1
In the past, when you wanted to access the zone console on a Solaris system as a normal user, you needed an authorization. You may remember from a very old c0t0d0s0.org entry that authorizations are a mechanism based on assigning them to a user, so that an application can simply check internally whether a user should be allowed to use a part of that application. Let’s say the binary can check whether you are allowed to view a configuration but not to change it, or you can use them with SMF to allow a user to restart a service, but not to enable or disable it. With the normal mechanism of UNIX user and group execute rights on a binary, you could only grant this for the application in its entirety.
The problem was that you needed the authorization solaris.zone.manage to use the console of a zone. As a general principle this is a good thing, as not everyone should be able to access the console on a system. The issue with this authorization was that it also lets you do more persistent and potentially harmful things, such as uninstalling the zone.
Starting with an 11.4 SRU there is a lot more granularity in this. There is now a rights profile called “Zone Console”. A user with this profile can get a zone console with zlogin -C. Okay, let’s add this profile to the user
Okay, let’s try it.
Well, as we are working with rights profiles, you have to use a profile-aware shell. You can use pfbash or one of the other profile-aware shells. However, the easiest way is simply to use pfexec. Okay, let’s try it again.
You are still not allowed to access the zone console. This has a simple reason: allowing you to do so would by default give you the right to access all zone consoles, and that is not exactly least privilege.
In order to allow you to use a zone console, you need both the rights profile and the authorization. It’s the already mentioned solaris.zone.console authorization. It has to have the name of the zone appended in order to limit the user’s access to this single zone. A user can have multiple solaris.zone.console authorizations with different zone names appended.
Let’s assume you have two zones, one called testzone and one called playground. The user senior should have access to both, the user junior just to the zone playground. You configure this with the following commands.
Let’s check this again. First for user
Now for user
In order to remove the access to the zone console you simply have to remove the authorization.
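The following POSIX shell script is an added example and not part of the original post. It models both the configuration for senior and junior described above and the removal of access: it emits the usermod commands (printed rather than executed, so it runs anywhere; the "+" and "-" prefixes on the -P and -A arguments for appending and removing entries are assumed to be supported by the Solaris 11 usermod), and it contains a simplified check over constructed user_attr-style records that shows why both the “Zone Console” profile and the exact per-zone authorization are needed. The records and the intern user are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Models the Solaris
# "Zone Console" rights profile plus per-zone solaris.zone.console/<zone>
# authorization. The usermod "+"/"-" prefix syntax is assumed.

# Print the commands that grant one user console access to one zone:
# the rights profile and the zone-specific authorization.
grant_zone_console() {
    printf 'usermod -P +"Zone Console" %s\n' "$1"
    printf 'usermod -A +solaris.zone.console/%s %s\n' "$2" "$1"
}

# Print the command that revokes console access to one zone only.
# Other zones the user is authorized for stay accessible.
revoke_zone_console() {
    printf 'usermod -A -solaris.zone.console/%s %s\n' "$2" "$1"
}

# Extract one key's value from the key=value;key=value attribute part of
# a user_attr-style record. Prints nothing if the key is absent.
attr_value() {
    case "$1" in
        *"$2="*) v=${1#*"$2="}; printf '%s\n' "${v%%;*}" ;;
    esac
}

# Simplified model of the access decision for "zlogin -C <zone>":
# the "Zone Console" profile AND the exact per-zone authorization must
# both be present. Returns 0 when allowed, 1 when denied.
zone_console_allowed() {
    case ",$(attr_value "$1" profiles)," in
        *",Zone Console,"*) ;;
        *) return 1 ;;
    esac
    case ",$(attr_value "$1" auths)," in
        *",solaris.zone.console/$2,"*) return 0 ;;
    esac
    return 1
}

# Constructed user_attr-style records matching the post's scenario.
SENIOR='senior::::profiles=Zone Console;auths=solaris.zone.console/testzone,solaris.zone.console/playground'
JUNIOR='junior::::profiles=Zone Console;auths=solaris.zone.console/playground'
# Constructed: authorization present but the rights profile missing.
INTERN='intern::::auths=solaris.zone.console/playground'

# Commands for the setup described in the post.
grant_zone_console senior testzone
grant_zone_console senior playground
grant_zone_console junior playground

# Show the per-zone decision for each user and zone.
for rec in "$SENIOR" "$JUNIOR" "$INTERN"; do
    user=${rec%%:*}
    for z in testzone playground; do
        if zone_console_allowed "$rec" "$z"; then
            echo "$user: console of $z allowed (pfexec zlogin -C $z)"
        else
            echo "$user: console of $z denied"
        fi
    done
done

# Removing access again is just removing the per-zone authorization.
revoke_zone_console junior playground
```

The intern record illustrates the situation from earlier in the post in reverse: just as the profile alone is not enough, the authorization alone does not grant console access either.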
In the next part of this blog entry I will show you an alternate way to achieve the same behaviour.