Solaris: is possible to permit root login on some terms?

Question

I have a server with some serial ports. One is /dev/console, another is /dev/term/b(the ttyS1 under linux and the COM2 under dos). I want root to login under /dev/term/b but..

myserver termb login: root
Password: 
Not on system console

myserver termb login:

An easy solution is to edit /etc/default/login and comment the line CONSOLE but with this solution root login is allowed on ALL ports, I want to permit access root on /dev/console, /dev/term/b but not on /dev/term/a or /dev/pts/* for example. On some good old unix and unix-like(Sco,BSD,Slackware) we have to edit /etc/securetty and enable the line where we want grant root access..and on Solaris? Solaris version is 11.4 and root is normal user and not role.

Do you believe that login.c from OpenSolaris is OK for you? – schily Dec 29 '19 at 13:04 — schily, Dec 29 '19 at 13:04
Then you seem to have a problem that you cannot solve. – schily Dec 29 '19 at 19:14 — schily, Dec 29 '19 at 19:14

Stefan Skoglund · Accepted Answer · 2020-01-02T11:49:52.977

3

This is in Solaris 11 managed thru smf.

So: that is the values in the svc:/system/security/account-policy:default ?

What do

svcprop -p login_policy/root_login_device svc:/system/security/account-policy:default

say ?

The interesting property/attribute seems to be login_policy/root_login_device so could that accept something like: /dev/console,/dev/term/b ie a list of values.

svccfg -s svc:/system/security/account-policy:default setprop login_policy/root_login_device="/dev/console,/dev/term/b"

Is an example of how i think you could modify this property.

svccfg -s svc:/system/security/account-policy:default setprop login_policy/root_login_device="/dev/term/b"

Is another idea, in this case root should only be allowed on term/b.

I don't have access to a (Open)Solaris system now so... i could install something like Indiana or Nexenta.

account-policy:default well it is possible in SMF to define nodes which inherits its properties from a super class.

You really needs to read up on SMF but it exists a number of blog posts and other stuff except the man-pages and the system administration books which explains SMF.

See also : http://www.unixrock.com/2014/07/how-to-allow-root-direct-login-in.html [smf]

edited Jan 02 '20 at 11:49

answered Jan 01 '20 at 03:34

Stefan Skoglund

443
3
5

Good answer, works fine. Only the "path" were different, instead of `svc:/system/security/account-policy:default` Solaris now use `vc:/system/account-policy:default` – elbarna Jan 02 '20 at 03:02
I mean `svc:/system/account-policy:default` – elbarna Jan 02 '20 at 04:48
One problem about the system admin pages is that it doesn't really explain (i haven't found it yet) instead it is (usually) examples of modifications on a running system. Less how to correctly design a manifest, this could be covered in the development documents. – Stefan Skoglund Jan 02 '20 at 11:41
How can i add a tag like solaris/solarissmf ? – Stefan Skoglund Jan 02 '20 at 11:41
i found out how to add a tag... – Stefan Skoglund Jan 02 '20 at 12:10
I have added the tag smf – elbarna Jan 02 '20 at 21:14

Solaris: is possible to permit root login on some terms?

1 Answers1