I propose that zlogin be split into two different programs, one for console access and one for running programs and/or a shell. A simple way to do this (and one that would be backward compatible) would be to create a hard link to zlogin, say 'zconsole', so that when it is executed the program can test arg0 and automatically apply the -C functionality if it is called zconsole. This would allow better separation of duties and allow two different profiles in exec_attr to differentiate what zone administrators can do.
There has been some discussion of using SMF authorizations with zones to provide this level of control. One CR of interest is 4963290 RFE: implement flexible zone administration that doesn't require uid=0

dsc
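The arg0 test proposed in the message above, written out as an added example; this is not zlogin's source and not code from the poster. The function names are hypothetical, and the option handling assumes that -e and -l take a value, as in zlogin(1).

```c
#include <stdio.h>
#include <string.h>

enum zmode { ZMODE_LOGIN = 0, ZMODE_CONSOLE = 1 };

/* Final path component of argv[0]; tolerates a NULL argv[0]. */
static const char *prog_basename(const char *argv0)
{
    const char *slash;

    if (argv0 == NULL)
        return "";
    slash = strrchr(argv0, '/');
    return slash != NULL ? slash + 1 : argv0;
}

/* Does the option list (everything before the zone name) contain -C? */
static int has_console_flag(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];

        if (a[0] != '-' || a[1] == '\0' || strcmp(a, "--") == 0)
            break;                        /* zone name or end of options */
        for (const char *p = a + 1; *p != '\0'; p++) {
            if (*p == 'C')
                return 1;
            if (*p == 'e' || *p == 'l') { /* option takes a value */
                if (p[1] == '\0')
                    i++;                  /* value is the next argv entry */
                break;
            }
        }
    }
    return 0;
}

/* Console mode when invoked as zconsole, or when -C is given (old usage). */
enum zmode select_mode(int argc, char *const argv[])
{
    if (argc > 0 && strcmp(prog_basename(argv[0]), "zconsole") == 0)
        return ZMODE_CONSOLE;
    return has_console_flag(argc, argv) ? ZMODE_CONSOLE : ZMODE_LOGIN;
}

int main(int argc, char *argv[])
{
    puts(select_mode(argc, argv) == ZMODE_CONSOLE ? "console" : "login");
    return 0;
}
```

argv[0] is supplied by the process that calls exec, while exec_attr entries name the path of the command, so the name test selects a default mode and does not by itself enforce the split between the two profiles.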