version 1.1.2.2, 2007/01/12 18:20:29

########################################################################
##                                                                    ##
## CIM Server Policy Configuration File                               ##
##                                                                    ##
########################################################################

########################################################################
#                                                                      #
# This file is only applicable to Pegasus releases that were built     #
# with privilege separation support. This file contains policy rules   #
# that restrict the set of out-of-process provider modules that may be #
# loaded by the server. The general form of a rule is:                 #
#                                                                      #
#     <modulename>:<username>                                          #
#                                                                      #
# The modulename field is the name of the provider module used when    #
# registering the provider.                                            #
#                                                                      #
# The username field names a system user that the provider module is   #
# permitted to run as.                                                 #
#                                                                      #
# The server permits a module to run as a given user if it finds ANY   #
# matching rule.                                                       #
#                                                                      #
# Either the modulename or the username field may contain an asterisk, #
# indicating that there is no restriction on that field.               #
#                                                                      #
# The most permissive policy configuration file would contain the      #
# following rule:                                                      #
#                                                                      #
#     *:*                                                              #
#                                                                      #
# This rule permits ANY provider module to run as ANY user.            #
#                                                                      #
# For obvious reasons, this file should only be writable by the        #
# administrator.                                                       #
#                                                                      #
########################################################################
*:${requestor}

version 1.1.2.3, 2007/01/13 00:05:53

################################################################################
##
## CIM Server Policy Configuration File
## ====================================
##
## This file defines policy rules that restrict the execution of out-of-process
## provider modules (only applicable when the privilege separation feature is
## enabled). Each line defines a single rule and has the following format.
##
##     MODULENAME:USERNAME
##
## MODULENAME is the name of a provider module (derived from the
## PG_ProviderModule.Name property of some instance).
##
## USERNAME is one of the following.
##
##     1. The name of a valid system user, indicating that the provider module
##        may run as that user. This field is derived from the
##        PG_ProviderModule.DesignatedUserContext of some instance.
##
##     2. The string "${requestorUser}", indicating that the provider module
##        may run as the requesting client.
##
##     3. The string "${privilegedUser}", indicating that the provider module
##        may run as the privileged system user ("root" on Unix and Linux).
##
##     4. The string "${cimserverUser}", indicating that the provider module
##        may run as the same user as the CIM server.
##
## The value of USERNAME is determined by two properties set during provider
## registration.
##
##     PG_ProviderModule.UserContext
##     PG_ProviderModule.DesignatedUserContext
##
## The table below shows how the policy rules (column 3) are derived from
## these two fields (columns 1 and 2). These examples assume a provider
## module named "Fan" and a user named "jwilliams".
##
##     +----------------+-----------------------+-----------------------+
##     | UserContext    | DesignatedUserContext | MODULENAME:USERNAME   |
##     +----------------+-----------------------+-----------------------+
##     | 2 (DESIGNATED) | jwilliams             | Fan:jwilliams         |
##     +----------------+-----------------------+-----------------------+
##     | 3 (REQUESTOR)  | NULL                  | Fan:${requestorUser}  |
##     +----------------+-----------------------+-----------------------+
##     | 4 (PRIVILEGED) | NULL                  | Fan:${privilegedUser} |
##     +----------------+-----------------------+-----------------------+
##     | 5 (CIMSERVER)  | NULL                  | Fan:${cimserverUser}  |
##     +----------------+-----------------------+-----------------------+
##
## Either the modulename or the username field may contain an asterisk,
## indicating that there is no restriction on that field.
##
## The most permissive policy configuration file would contain the
## following rule:
##
##     *:*
##
## This rule permits ANY provider module to run as ANY user.
##
## For obvious reasons, this file should only be writable by the
## administrator.
##
################################################################################
*:*
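The rule format, the derivation table and the "ANY matching rule permits" semantics described in the header above, worked through as an added example (this is not Pegasus code). It assumes the server compares the rule derived from a module's registration against the policy file's rules as literal strings, so that a file rule `Fan:${requestorUser}` matches a module registered with UserContext 3; the policy text and function names are constructed for illustration. The `privileged_modules` helper is the check an administrator would run to see which modules a policy lets run as root or without restriction.

```python
"""Parse and evaluate CIM server policy rules of the form MODULENAME:USERNAME."""
from typing import List, Optional, Tuple

# Constructed sample policy file contents (not from a real deployment).
SAMPLE_POLICY = """\
## comment lines and blank lines are ignored
Fan:${requestorUser}
Fan:jwilliams
Disk:${cimserverUser}
Audit:${privilegedUser}
"""

# UserContext value -> USERNAME macro, per the derivation table in the file header.
CONTEXT_MACROS = {3: "${requestorUser}", 4: "${privilegedUser}", 5: "${cimserverUser}"}


def parse_policy(text: str) -> List[Tuple[str, str]]:
    """Return (modulename, username) pairs; '#' comment lines and blanks are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.count(":") != 1:
            raise ValueError(f"line {lineno}: expected MODULENAME:USERNAME, got {line!r}")
        module, user = (part.strip() for part in line.split(":"))
        rules.append((module, user))
    return rules


def rule_for_registration(module: str, user_context: int, designated: Optional[str]) -> str:
    """Derive the rule a module needs from PG_ProviderModule.UserContext (2..5) and
    PG_ProviderModule.DesignatedUserContext, following the header's table."""
    if user_context == 2:  # DESIGNATED: run as the named system user
        if not designated:
            raise ValueError("DESIGNATED user context requires a DesignatedUserContext")
        return f"{module}:{designated}"
    return f"{module}:{CONTEXT_MACROS[user_context]}"  # KeyError for unknown contexts


def is_permitted(rules: List[Tuple[str, str]], module: str, username: str) -> bool:
    """ANY matching rule permits; '*' in either field removes that restriction."""
    return any((m == "*" or m == module) and (u == "*" or u == username) for m, u in rules)


def privileged_modules(rules: List[Tuple[str, str]]) -> List[str]:
    """Audit helper: modules the policy lets run as ${privilegedUser} or unrestricted."""
    return sorted({m for m, u in rules if u in ("${privilegedUser}", "*")})
```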