Authorizations for Zone Console access - Part 1

In the past, when you wanted to access the zone console on a Solaris system as a normal user, you needed an authorization. You may remember from a very old c0t0d0s0.org entry that authorizations are a mechanism based on assigning them to a user, so an application can check internally whether a user should be allowed to use a particular part of it. Let’s say the binary can check whether you are allowed to view a configuration but not change it. Or you can use them with SMF to allow a user to restart a service, but not to enable or disable it. With the normal UNIX mechanism of user and group execute permissions on a binary, you could only do this for the application in its entirety.

The problem was that you needed the authorization solaris.zone.manage to use the console of a zone. As a general principle this is a good thing, as not everyone should be able to access the console on a system. The issue with this authorization was that it also allowed more persistent, potentially harmful things, like uninstalling the zone.

Starting with an 11.4 SRU there is a lot more granularity in this. There is now a rights profile called “Zone Console”. A user with this profile can get a zone console with zlogin -C. Okay, let’s add this profile to the user intern:

root@solaris:~# usermod -P "Zone Console" intern

Okay, let’s try it.

intern@solaris:~$ zlogin -C playground
zlogin: You lack sufficient privilege to run this command (all privs required)

Well, as we are working with rights profiles, you have to use a profile-aware shell. You can use pfksh, pfbash or one of the other profile-aware shells. However, the easiest way is simply to use pfexec. Okay, let’s try it again.

intern@solaris:~$ pfexec zlogin -C playground
zlogin: intern is not authorized for console access to playground zone.

You are still not allowed to access the zone console. The reason is simple: allowing you to do so would by default give you the right to access all zone consoles, and that is not exactly least privilege.

In order to use a zone console you need both the rights profile and an authorization: solaris.zone.console. The name of the zone has to be appended to it in order to limit the user’s access to this single zone. A user can have multiple solaris.zone.console authorizations with different zone names appended.

Let’s assume you have two zones, one called testzone and one called playground. The user senior should have access to both, the user junior just to the zone playground. You configure this with the following commands.

# usermod -A +solaris.zone.console/playground  junior
# usermod -A +solaris.zone.console/testzone senior
# usermod -A +solaris.zone.console/playground senior

Let’s check this again. First for user junior:

junior@solaris:~$ pfexec zlogin -C testzone
zlogin: junior is not authorized for console access to testzone zone.
junior@solaris:~$ pfexec zlogin -C playground
[Connected to zone 'playground' console]

playground console login:

Now for user senior:

senior@solaris:~$ pfexec zlogin -C  testzone
[Connected to zone 'testzone' console]

testzone console login: 

senior@solaris:~$ pfexec zlogin -C  playground
[Connected to zone 'playground' console]

playground console login:

In order to remove the access to the zone console you simply have to remove the authorization.

root@solaris:~# usermod -A -solaris.zone.console/playground  junior
root@solaris:~# su - junior
junior@solaris:~$ pfexec zlogin -C playground
zlogin: junior is not authorized for console access to playground zone.
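
To review who ends up with console access after changes like the ones above, the following added example (not from the original post) applies the same rule, profile plus per-zone authorization, to user_attr(5)-style entries. The sample entries are constructed, the users temp and legacy and the function names are hypothetical, and a POSIX awk is assumed.

```shell
#!/bin/sh
# Added example: audit direct zone-console grants in user_attr(5)-style input.
# Assumptions: user:qualifier:res1:res2:attr layout, attr = key=value pairs
# joined by ";". Grants inherited through roles or a name service are not seen.
#
# Output, one finding per line:
#   ALLOW user zone      "Zone Console" profile + solaris.zone.console/zone
#   NOPROFILE user zone  authorization without the profile (no console access)
#   BROAD user           still holds solaris.zone.manage
zone_console_audit() {
    awk -F: '
    /^#/ || NF < 5 { next }
    {
        user = $1; attr = $5
        for (i = 6; i <= NF; i++) attr = attr ":" $i
        prefix = "solaris.zone.console/"
        has_profile = 0; broad = 0; nz = 0
        n = split(attr, kv, ";")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            key = substr(kv[i], 1, eq - 1)
            m = split(substr(kv[i], eq + 1), item, ",")
            for (j = 1; j <= m; j++) {
                if (key == "profiles" && item[j] == "Zone Console") has_profile = 1
                if (key != "auths") continue
                if (index(item[j], "solaris.zone.manage") == 1) broad = 1
                if (index(item[j], prefix) == 1)
                    zones[++nz] = substr(item[j], length(prefix) + 1)
            }
        }
        verdict = has_profile ? "ALLOW" : "NOPROFILE"
        for (k = 1; k <= nz; k++) print verdict, user, zones[k]
        if (broad) print "BROAD", user
    }' "$@"
}

# Constructed sample entries (hypothetical users temp and legacy added).
sample_user_attr() {
cat <<'EOF'
junior::::profiles=Zone Console;auths=solaris.zone.console/playground
senior::::profiles=Zone Console;auths=solaris.zone.console/testzone,solaris.zone.console/playground
intern::::profiles=Zone Console
temp::::auths=solaris.zone.console/playground
legacy::::auths=solaris.zone.manage
EOF
}

sample_user_attr | zone_console_audit
```

The function reads standard input when called without arguments, or the files named as arguments otherwise.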

In the next part of this blog entry I will show you an alternative way to achieve the same behaviour.