

POSIX Supplemental Group Validation

With CA ACF2 for VM, you can assign a virtual machine to a primary or default POSIX group. A user can change the current POSIX group to a supplemental group with the POSIX setgid() or setegid() function or with the shell newgrp command.

The CA ACF2 for VM method for employing POSIX group validation is significantly different from native VM. Specifically, CA ACF2 for VM POSIX group validation takes place through resource rules, GROUP logonid values, and GROUP and USER Profile values that replace the CP directory POSIXGROUP and POSIXINFO statements.

POSIX Controls

CA ACF2 for VM provides the following controls for POSIX support:

POSIX group resource rules

CA ACF2 for VM definitions that list POSIX GROUP names and the virtual machines that can use them. These rules work with GROUP logonid values to functionally replace the POSIXGROUP and POSIXINFO directory control statements that the native VM implementation provides.

POSIXDB

An operand in the OPTS VMO record that specifies that CA ACF2 for VM provides POSIX database management.

NOPOSIXDB

An operand in the OPTS VMO record that specifies that CA ACF2 for VM does not provide POSIX database management. This is the default.

MAXPGRPS

An operand in the OPTS VMO record that defines the maximum number of POSIX groups allowed for each user. The default is 32, which is also the minimum value. The maximum is 125.

POSIXGRP

An operand in the RESCLASS VMO record that defines the three‑character resource type code for POSIX supplemental group resource rule sets. PGR is the default.

GROUP

An eight‑byte logonid field that holds the primary or default group for a virtual machine. The GROUP value works with POSIX Group resource rules and Group and User Profile records to functionally replace VM POSIX directory control statements.

USER Profile records

These records define POSIX environment information to CA ACF2 for VM for each user that runs POSIX. The key to the record is the user's logonid name.

GROUP Profile records

These records relate group names to POSIX GIDs (Group Identification numbers). The key to the record is the group name.

Primary logon groups

A user can belong to more than one group. The user's primary group is set in the GROUP field of their LIDREC. You identify all other groups that a user can switch to (with setgid() or setegid()) through resource rules.

Resource(PGR) group rules

Users are allowed to belong to multiple groups in the OpenExtensions VM environment. A user's primary or default group is defined in the GROUP field of his logonid.

Control(VMO) RESTYPE record

You must define POSIX Supplemental Group resource rules in the resident resource rule cache. The resident resource cache can have several resource types in it.

Control(VMO) OPTS record

You can maintain the OpenExtensions VM Database information in the VM directory or with an External Security Manager (ESM) such as CA ACF2 for VM. The POSIXDB option in the OPTS VMO record identifies whether CA ACF2 for VM activates OpenExtensions VM Database support.

ACFSERVE commands

Whenever you create, change, or delete a USER or GROUP Profile record, you must issue the appropriate ACFSERVE command to rebuild the directories for the Profile records so CA ACF2 for VM recognizes these changes.

CA ACF2 for VM diagnose limiting

CP allows users to inquire on the contents of the OpenExtensions VM Database through new CP diagnose calls. The new diagnose calls extract OpenExtensions VM Database and runtime information or issue setid() requests. See the Command and Diagnose Limiting Guide for more information on these diagnose calls.
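The controls above fit together as one validation decision: a setgid()/setegid() request succeeds only when POSIXDB is active, the target group has a GROUP Profile record (and therefore a GID), and the group is either the user's primary GROUP logonid value or one the user is permitted through a PGR resource rule. The following is an added example, not CA ACF2 for VM code or command syntax: it models those controls as plain Python data so the decision logic and the MAXPGRPS bounds from the OPTS record can be exercised offline. The policy store, the user names, group names, GIDs, and the PGR rule contents are all constructed sample input, and the treatment of MAXPGRPS as a cap on primary plus supplemental groups per user is this example's interpretation of the control.

```python
"""Model of CA ACF2 for VM POSIX supplemental-group validation.

Added example; not product code. It models the GROUP logonid field,
PGR resource rules, GROUP Profile GIDs, and the OPTS POSIXDB/MAXPGRPS
operands as Python data so that the validation decision can be run.
All users, groups, GIDs and rules below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# OPTS VMO record bounds as stated in the documentation:
# MAXPGRPS defaults to 32 (also the minimum); the maximum is 125.
MAXPGRPS_MIN = 32
MAXPGRPS_MAX = 125


def validate_maxpgrps(value: int) -> int:
    """Return value if it is a legal MAXPGRPS setting, else raise ValueError."""
    if not MAXPGRPS_MIN <= value <= MAXPGRPS_MAX:
        raise ValueError(f"MAXPGRPS({value}) must be between "
                         f"{MAXPGRPS_MIN} and {MAXPGRPS_MAX}")
    return value


@dataclass
class PosixPolicy:
    """Constructed stand-in for the ACF2 records a validation consults."""
    posixdb: bool = False                      # OPTS: POSIXDB vs NOPOSIXDB (default NOPOSIXDB)
    maxpgrps: int = MAXPGRPS_MIN               # OPTS: MAXPGRPS
    group_gids: Dict[str, int] = field(default_factory=dict)      # GROUP Profile: name -> GID
    logonid_group: Dict[str, str] = field(default_factory=dict)   # logonid GROUP field
    pgr_rules: Dict[str, Set[str]] = field(default_factory=dict)  # PGR rules: group -> users

    def gid_for(self, group: str) -> Optional[int]:
        return self.group_gids.get(group)

    def primary_group(self, user: str) -> Optional[str]:
        return self.logonid_group.get(user)

    def groups_for(self, user: str) -> List[str]:
        """Primary group followed by every supplemental group a PGR rule grants."""
        groups: List[str] = []
        primary = self.primary_group(user)
        if primary is not None:
            groups.append(primary)
        for group in sorted(self.pgr_rules):
            if user in self.pgr_rules[group] and group not in groups:
                groups.append(group)
        return groups

    def exceeds_maxpgrps(self, user: str) -> bool:
        """Administrative check: does the rule set grant more groups than MAXPGRPS?"""
        return len(self.groups_for(user)) > self.maxpgrps


def setgid_decision(policy: PosixPolicy, user: str, group: str) -> Tuple[bool, str]:
    """Decide a setgid()/setegid() request to `group` for `user`.

    Returns (allowed, reason). Order of checks mirrors the controls:
    database support active, group defined, then primary-or-PGR permission.
    """
    if not policy.posixdb:
        return False, "NOPOSIXDB: CA ACF2 for VM is not managing the POSIX database"
    if policy.gid_for(group) is None:
        return False, f"no GROUP Profile record for {group}"
    if policy.primary_group(user) == group:
        return True, f"{group} is the primary GROUP in the logonid"
    if user in policy.pgr_rules.get(group, set()):
        return True, f"PGR resource rule permits {user} to {group}"
    return False, f"no PGR resource rule permits {user} to {group}"


def sample_policy() -> PosixPolicy:
    """Constructed sample data: two users, three groups, two PGR rules."""
    return PosixPolicy(
        posixdb=True,
        maxpgrps=validate_maxpgrps(32),
        group_gids={"DEVGRP": 100, "OPSGRP": 200, "AUDGRP": 300},
        logonid_group={"ALICE": "DEVGRP", "BOB": "OPSGRP"},
        pgr_rules={"OPSGRP": {"ALICE"}, "AUDGRP": {"BOB"}},
    )


if __name__ == "__main__":
    pol = sample_policy()
    for who, target in [("ALICE", "DEVGRP"), ("ALICE", "OPSGRP"),
                        ("ALICE", "AUDGRP"), ("BOB", "DEVGRP"), ("BOB", "XGRP")]:
        ok, why = setgid_decision(pol, who, target)
        print(f"{who:6} -> {target:7} {'ALLOW' if ok else 'DENY ':5} ({why})")
```

The ordering of checks is the point worth keeping in mind when reading an ACF2 trace of a failed group switch: a missing GROUP Profile record (or a Profile directory not rebuilt with ACFSERVE after a change) denies the request before any PGR rule is consulted, so a rule that looks correct can still appear not to work.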

See the “OpenExtensions VM Support” chapter for additional information on Open Edition VM support.