JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11.1 Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Oracle Solaris Resource Management

1.  Introduction to Resource Management

2.  Projects and Tasks (Overview)

3.  Administering Projects and Tasks

4.  Extended Accounting (Overview)

5.  Administering Extended Accounting (Tasks)

6.  Resource Controls (Overview)

7.  Administering Resource Controls (Tasks)

8.  Fair Share Scheduler (Overview)

9.  Administering the Fair Share Scheduler (Tasks)

10.  Physical Memory Control Using the Resource Capping Daemon (Overview)

11.  Administering the Resource Capping Daemon (Tasks)

12.  Resource Pools (Overview)

13.  Creating and Administering Resource Pools (Tasks)

14.  Resource Management Configuration Example

Part II Oracle Solaris Zones

15.  Introduction to Oracle Solaris Zones

16.  Non-Global Zone Configuration (Overview)

17.  Planning and Configuring Non-Global Zones (Tasks)

18.  About Installing, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Overview)

19.  Installing, Booting, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks)

20.  Non-Global Zone Login (Overview)

21.  Logging In to Non-Global Zones (Tasks)

22.  About Zone Migrations and the zonep2vchk Tool

23.  Migrating Oracle Solaris Systems and Migrating Non-Global Zones (Tasks)

24.  About Automatic Installation and Packages on an Oracle Solaris 11.1 System With Zones Installed

25.  Oracle Solaris Zones Administration (Overview)

Global Zone Visibility and Access

Process ID Visibility in Zones

System Observability in Zones

Reporting Active Zone Statistics with the zonestat Utility

Monitoring Non-Global Zones Using the fsstat Utility

Non-Global Zone Node Name

Running an NFS Server in a Zone

File Systems and Non-Global Zones

The -o nosuid Option

Mounting File Systems in Zones

Unmounting File Systems in Zones

Security Restrictions and File System Behavior

Non-Global Zones as NFS Clients

Use of mknod Prohibited in a Zone

Traversing File Systems

Restriction on Accessing A Non-Global Zone From the Global Zone

Networking in Shared-IP Non-Global Zones

Shared-IP Zone Partitioning

Shared-IP Network Interfaces

IP Traffic Between Shared-IP Zones on the Same Machine

Oracle Solaris IP Filter in Shared-IP Zones

IP Network Multipathing in Shared-IP Zones

Networking in Exclusive-IP Non-Global Zones

Exclusive-IP Zone Partitioning

Exclusive-IP Data-Link Interfaces

IP Traffic Between Exclusive-IP Zones on the Same Machine

Oracle Solaris IP Filter in Exclusive-IP Zones

IP Network Multipathing in Exclusive-IP Zones

Device Use in Non-Global Zones

/dev and the /devices Namespace

Exclusive-Use Devices

Device Driver Administration

Utilities That Do Not Work or Are Modified in Non-Global Zones

Utilities That Do Not Work in Non-Global Zones

SPARC: Utility Modified for Use in a Non-Global Zone

Allowed Utilities With Security Implications

Running Applications in Non-Global Zones

Resource Controls Used in Non-Global Zones

Fair Share Scheduler on a System With Zones Installed

FSS Share Division in a Global or Non-Global Zone

Share Balance Between Zones

Extended Accounting on a System With Zones Installed

Privileges in a Non-Global Zone

Using IP Security Architecture in Zones

IP Security Architecture in Shared-IP Zones

IP Security Architecture in Exclusive-IP Zones

Using Oracle Solaris Auditing in Zones

Core Files in Zones

Running DTrace in a Non-Global Zone

About Backing Up an Oracle Solaris System With Zones Installed

Backing Up Loopback File System Directories

Backing Up Your System From the Global Zone

Backing Up Individual Non-Global Zones on Your System

Creating Oracle Solaris ZFS Backups

Determining What to Back Up in Non-Global Zones

Backing Up Application Data Only

General Database Backup Operations

Tape Backups

About Restoring Non-Global Zones

Commands Used on a System With Zones Installed

26.  Administering Oracle Solaris Zones (Tasks)

27.  Configuring and Administering Immutable Zones

28.  Troubleshooting Miscellaneous Oracle Solaris Zones Problems

Part III Oracle Solaris 10 Zones

29.  Introduction to Oracle Solaris 10 Zones

30.  Assessing an Oracle Solaris 10 System and Creating an Archive

31.  (Optional) Migrating an Oracle Solaris 10 native Non-Global Zone Into an Oracle Solaris 10 Zone

32.  Configuring the solaris10 Branded Zone

33.  Installing the solaris10 Branded Zone

34.  Booting a Zone, Logging in, and Zone Migration

Glossary

Index

Privileges in a Non-Global Zone

Processes are restricted to a subset of privileges. Privilege restriction prevents a zone from performing operations that might affect other zones. The set of privileges limits the capabilities of privileged users within the zone. To display the list of privileges available from within a given zone, use the ppriv utility.

The following table lists all of the Oracle Solaris privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property. Required privileges must be included in the resulting privilege set. Prohibited privileges cannot be included in the resulting privilege set.

Table 25-1 Status of Privileges in Zones

Privilege
Status
Notes
cpc_cpu
Optional
Access to certain cpc(3CPC) counters
dtrace_proc
Optional
fasttrap and pid providers; plockstat(1M)
dtrace_user
Optional
profile and syscall providers
graphics_access
Optional
ioctl(2) access to agpgart_io(7I)
graphics_map
Optional
mmap(2) access to agpgart_io(7I)
net_rawaccess
Optional in shared-IP zones.

Default in exclusive-IP zones.

Raw PF_INET/PF_INET6 packet access
proc_clock_highres
Optional
Use of high resolution timers
proc_priocntl
Optional
Scheduling control; priocntl(1)
sys_ipc_config
Optional
Increase IPC message queue buffer size
sys_time
Optional
System time manipulation; xntp(1M)
dtrace_kernel
Prohibited
Currently unsupported
proc_zone
Prohibited
Currently unsupported
sys_config
Prohibited
Currently unsupported
sys_devices
Prohibited
Currently unsupported
sys_dl_config
Prohibited
Currently unsupported
sys_linkdir
Prohibited
Currently unsupported
sys_net_config
Prohibited
Currently unsupported
sys_res_config
Prohibited
Currently unsupported
sys_smb
Prohibited
Currently unsupported
sys_suser_compat
Prohibited
Currently unsupported
proc_exec
Required, Default
Used to start init(1M)
proc_fork
Required, Default
Used to start init(1M)
sys_mount
Required, Default
Needed to mount required file systems
sys_flow_config
Required, Default in exclusive-IP zones

Prohibited in shared-IP zones

Needed to configure flows
sys_ip_config
Required, Default in exclusive-IP zones

Prohibited in shared-IP zones

Required to boot zone and initialize IP networking in exclusive-IP zone
sys_iptun_config
Required, Default in exclusive-IP zones

Prohibited in shared-IP zones

Configure IP tunnel links
contract_event
Default
Used by contract file system
contract_identity
Default
Set service FMRI value of a process contract template
contract_observer
Default
Contract observation regardless of UID
file_chown
Default
File ownership changes
file_chown_self
Default
Owner/group changes for own files
file_dac_execute
Default
Execute access regardless of mode/ACL
file_dac_read
Default
Read access regardless of mode/ACL
file_dac_search
Default
Search access regardless of mode/ACL
file_dac_write
Default
Write access regardless of mode/ACL
file_link_any
Default
Link access regardless of owner
file_owner
Default
Other access regardless of owner
file_setid
Default
Permission changes for setid, setgid, setuid files
ipc_dac_read
Default
IPC read access regardless of mode
ipc_dac_owner
Default
IPC write access regardless of mode
ipc_owner
Default
IPC other access regardless of mode
net_icmpaccess
Default
ICMP packet access: ping(1M)
net_privaddr
Default
Binding to privileged ports
proc_audit
Default
Generation of audit records
proc_chroot
Default
Changing of root directory
proc_info
Default
Process examination
proc_lock_memory
Default
Locking memory; shmctl(2)and mlock(3C)

If this privilege is assigned to a non-global zone by the system administrator, consider also setting the zone.max-locked-memory resource control to prevent the zone from locking all memory.

proc_owner
Default
Process control regardless of owner
proc_session
Default
Process control regardless of session
proc_setid
Default
Setting of user/group IDs at will
proc_taskid
Default
Assigning of task IDs to caller
sys_acct
Default
Management of accounting
sys_admin
Default
Simple system administration tasks
sys_audit
Default
Management of auditing
sys_nfs
Default
NFS client support
sys_ppp_config
Default in exclusive—IP zones

Prohibited in shared—IP zones

Create and destroy PPP (sppp) interfaces, configure PPP tunnels (sppptun)
sys_resource
Default
Resource limit manipulation
sys_share
Default
Allows sharefs system call needed to share file systems. Privilege can be prohibited in the zone configuration to prevent NFS sharing within a zone.

The following table lists all of the Oracle Solaris Trusted Extensions privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property.


Note - Oracle Trusted Solaris privileges are interpreted only if the system is configured with Oracle Trusted Extensions.


Table 25-2 Status of Oracle Solaris Trusted Extensions Privileges in Zones

Oracle Solaris Trusted Extensions Privilege
Status
Notes
file_downgrade_sl
Optional
Set the sensitivity label of file or directory to a sensitivity label that does not dominate the existing sensitivity label
file_upgrade_sl
Optional
Set the sensitivity label of file or directory to a sensitivity label that dominates the existing sensitivity label
sys_trans_label
Optional
Translate labels not dominated by sensitivity label
win_colormap
Optional
Colormap restrictions override
win_config
Optional
Configure or destroy resources that are permanently retained by the X server
win_dac_read
Optional
Read from window resource not owned by client's user ID
win_dac_write
Optional
Write to or create window resource not owned by client's user ID
win_devices
Optional
Perform operations on input devices.
win_dga
Optional
Use direct graphics access X protocol extensions; frame buffer privileges needed
win_downgrade_sl
Optional
Change sensitivity label of window resource to new label dominated by existing label
win_fontpath
Optional
Add an additional font path
win_mac_read
Optional
Read from window resource with a label that dominates the client's label
win_mac_write
Optional
Write to window resource with a label not equal to the client's label
win_selection
Optional
Request data moves without confirmer intervention
win_upgrade_sl
Optional
Change sensitivity label of window resource to a new label not dominated by existing label
net_bindmlp
Default
Allows binding to a multilevel port (MLP)
net_mac_aware
Default
Allows reading down through NFS

To alter privileges in a non-global zone configuration, see Configuring, Verifying, and Committing a Zone

To inspect privilege sets, see Using the ppriv Utility. For more information about privileges, see the ppriv(1) man page and System Administration Guide: Security Services.