System Administration Guide: Security Services
Previous Next

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

Configuring Devices (Task Map)

Configuring Device Policy (Task Map)

Configuring Device Policy

Managing Device Allocation (Task Map)

Managing Device Allocation

Allocating Devices (Task Map)

Allocating Devices

Device Protection (Reference)

6.  Using the Basic Audit Reporting Tool (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Solaris Cryptographic Services

13.  Solaris Cryptographic Framework (Overview)

14.  Solaris Cryptographic Framework (Tasks)

15.  Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Solaris Secure Shell (Tasks)

20.  Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Solaris Auditing

28.  Solaris Auditing (Overview)

29.  Planning for Solaris Auditing

30.  Managing Solaris Auditing (Tasks)

31.  Solaris Auditing (Reference)

Glossary

Index

Allocating Devices

Device allocation reserves the use of a device to one user at a time. Devices that require a mount point must be mounted.

How to Allocate a Device

Before You Begin

Device allocation must be enabled, as described in How to Make a Device Allocatable. If authorization is required, the user must have the authorization.

  1. Allocate the device.

    Specify the device by device name.

    % allocate device-name
  2. Verify that the device is allocated.

    Run the identical command.

    % allocate device-name
allocate. Device already allocated.
Example 5-7 Allocating a Microphone

In this example, the user jdoe allocates a microphone, audio.

% whoami
jdoe
% allocate audio
Example 5-8 Allocating a Printer

In this example, a user allocates a printer. No one else can print to printer-1 until the user deallocates it, or until the printer is forcibly allocated to another user.

% allocate /dev/lp/printer-1

For an example of forcible deallocation, see Forcibly Deallocating a Device.

Example 5-9 Allocating a Tape Drive

In this example, the user jdoe allocates a tape drive, st0.

% whoami
jdoe
% allocate st0
Troubleshooting

If the allocate command cannot allocate the device, an error message is displayed in the console window. For a list of allocation error messages, see the allocate(1) man page.

How to Mount an Allocated Device

Before You Begin

The user or role has allocated the device. To mount a device, the user or role must have the privileges that are required for mounting the device. To give the required privileges, see How to Authorize Users to Allocate a Device.

  1. Assume a role that can allocate and mount a device.
    % su - role-name
Password: <Type role-name password>
$
  2. Create and protect a mount point in the role's home directory.

    You only need to do this step the first time you need a mount point.

    $ mkdir mount-point ; chmod 700 mount-point
  3. List the allocatable devices.
    $ list_devices -l
List of allocatable devices
  4. Allocate the device.

    Specify the device by device name.

    $ allocate device-name
  5. Mount the device.
    $ mount -o ro -F filesystem-type device-path mount-point

    where

    -o ro

    Indicates that the device is to be mounted read-only. Use-o rw to indicate that you should be able to write to the device.

    -F filesystem-type

    Indicates the file system format of the device. Typically, a CD-ROM is formatted with an HSFS file system. A diskette is typically formatted with a PCFS file system.

    device-path

    Indicates the path to the device. The output of the list_devices -l command includes the device-path.

    mount-point

    Indicates the mount point that you created in Step 2.

Example 5-10 Allocating a Diskette Drive

In this example, a user assumes a role that can allocate and mount a diskette drive, fd0. The diskette is formatted with a PCFS file system.

% roles
devicealloc
% su - devicealloc
Password: <Type devicealloc password>
$ mkdir /home/devicealloc/mymnt
$ chmod 700 /home/devicealloc/mymnt
$ list_devices -l
...
device: fd0 type: fd files: /dev/diskette /dev/rdiskette /dev/fd0a
...
$ allocate fd0
$ mount -o ro -F pcfs /dev/diskette /home/devicealloc/mymnt
$ ls /home/devicealloc/mymnt
List of the contents of diskette
Example 5-11 Allocating a CD-ROM Drive

In this example, a user assumes a role that can allocate and mount a CD-ROM drive, sr0. The drive is formatted as an HSFS file system.

% roles
devicealloc
% su - devicealloc
Password: <Type devicealloc password>
$ mkdir /home/devicealloc/mymnt
$ chmod 700 /home/devicealloc/mymnt
$ list_devices -l
...
device: sr0 type: sr files: /dev/sr0 /dev/rsr0 /dev/dsk/c0t2d0s0 ...
...
$ allocate sr0
$ mount -o ro -F hsfs /dev/sr0 /home/devicealloc/mymnt
$ cd /home/devicealloc/mymnt ; ls
List of the contents of CD-ROM
Troubleshooting

If the mount command cannot mount the device, an error message is displayed: mount: insufficient privileges. Check the following:

  • Make sure that you are executing the mount command in a profile shell. If you have assumed a role, the role has a profile shell. If you are a user who has been assigned a profile with the mount command, you must create a profile shell. The commands pfsh, pfksh, and pfcsh create a profile shell.

  • Make sure that you own the specified mount point. You should have read, write, and execute access to the mount point.

Contact your administrator if you still cannot mount the allocated device.

How to Deallocate a Device

Deallocation enables other users to allocate and use the device when you are finished.

Before You Begin

You must have allocated the device.

  1. If the device is mounted, unmount the device.
    $ cd $HOME
$ umount mount-point
  2. Deallocate the device.
    $ deallocate device-name
Example 5-12 Deallocating a Microphone

In this example, the user jdoe deallocates the microphone, audio.

% whoami
jdoe
% deallocate audio
Example 5-13 Deallocating a CD-ROM Drive

In this example, the Device Allocator role deallocates a CD-ROM drive. After the message is printed, the CD-ROM is ejected.

$ whoami
devicealloc
$ cd /home/devicealloc
$ umount /home/devicealloc/mymnt
$ ls /home/devicealloc/mymnt
$ 
$ deallocate sr0
/dev/sr0:      326o
/dev/rsr0:     326o
…
sr_clean: Media in sr0 is ready.  Please, label and store safely.
Previous Next