|
version 1.1.2.2, 2007/01/12 18:20:29
|
version 1.1.2.3, 2007/01/13 00:05:53
|
|
|
|
| ######################################################################## |
################################################################################ |
| ## ## |
|
| ## CIM Server Policy Configuration File ## |
|
| ## ## |
|
| ######################################################################## |
|
| |
|
| ######################################################################## |
|
| # # | # # |
| # This file is only applicable to Pegasus releases that were built # |
## CIM Server Policy Configuration File |
| # with privilege separation support. This file contains policy rules # |
## ==================================== |
| # that restrict the set of out-of-process provider modules that may be # |
|
| # loaded by the server. The general form of an rule is: # |
|
| # # | # # |
| # <modulename>:<username> # |
## This file defines policy rules that restrict the execution of out-of-process |
| |
## provider modules (only applicable when the privilege separation feature is |
| |
## enabled). Each line defines a single rule and has the following format. |
| # # | # # |
| # The modulename field is the name of the provider module used when # |
## MODULENAME:USERNAME |
| # registering the provider. # |
|
| # # | # # |
| # The username field names a system user that the provider module is # |
## MODULENAME is the name of a provider module (derived from the |
| # permitted to run as. # |
## PG_ProviderModule.Name property of some instance). |
| # # | # # |
| # The server permits a module to run as a given user if it finds ANY # |
## USERNAME is one of the following. |
| # matching rule. # |
|
| # # | # # |
| # Either the modulename or the username field may contain an asterisk, # |
## 1. The name of a valid system user, indicating that the provider module |
| # indicating that there is no restriction on that field. # |
## may run as that user. This field is derived from the |
| |
## PG_ProviderModule.DesignatedUserContext of some instance. |
| # # | # # |
| # The most permissive policy configuration file would contain the # |
## 2. The string "${requestorUser}", indicating that the provider module |
| # following rule: # |
## may run as the requesting client. |
| # # | # # |
| # *:* # |
## 3. The string "${privilegedUser}", indicating that the provider module |
| |
## may run as the privileged system user ("root" on Unix and Linux). |
| # # | # # |
| # This rule permits ANY provider module to run as ANY user. # |
## 4. The string "${cimserverUser}", indicating that the provider module |
| |
## may run as the same user as the CIM server. |
| # # | # # |
| # For obvious reasons, this file should only be writable by the # |
## The value of USERNAME is determined by two properties set during provider |
| # administrator. # |
## registration. |
| # # | # # |
| ######################################################################## |
## PG_ProviderModule.UserContext |
| *:${requestor} |
## PG_ProviderModule.DesignatedUserContext |
| |
## |
| |
## The table below shows how the policy rules (column 3) are derived from |
| |
## these two fields (columns 1 and 2). These examples assume a provider |
| |
# module named "Fan" and a user named "jwilliams". |
| |
## |
| |
## +----------------+-----------------------+-----------------------+ |
| |
## | UserContext | DesignatedUserContext | MODULENAME:USERNAME | |
| |
## +----------------+-----------------------+-----------------------+ |
| |
## | 2 (DESIGNATED) | jwilliams | Fan:jwilliams | |
| |
## +----------------+-----------------------+-----------------------+ |
| |
## | 3 (REQUESTOR) | NULL | Fan:${requestorUser} | |
| |
## +----------------+-----------------------+-----------------------+ |
| |
## | 4 (PRIVILEGED) | NULL | Fan:${privilegedUser} | |
| |
## +----------------+-----------------------+-----------------------+ |
| |
## | 5 (CIMSERVER) | NULL | Fan:${cimserverUser} | |
| |
## +----------------+-----------------------+-----------------------+ |
| |
## |
| |
## Either the modulename or the username field may contain an asterisk, |
| |
## indicating that there is no restriction on that field. |
| |
## |
| |
## The most permissive policy configuration file would contain the |
| |
## following rule: |
| |
## |
| |
## *:* |
| |
## |
| |
## This rule permits ANY provider module to run as ANY user. |
| |
## |
| |
## For obvious reasons, this file should only be writable by the |
| |
## administrator. |
| |
## |
| |
################################################################################ |
| |
*:* |
Return to
cimserver_policy.conf
CVS log
Up to [Pegasus] / pegasus / src / Server / Attic