|
|
|
CA Access Control protects Solaris 10 zones in the same way it protects any computer. Each zone is protected in isolation from any other zones, with each rule you define in CA Access Control applying only to users working in that zone. Rules you apply in the global zone, even those that cover resources that are visible in a non-global zone, only apply to users who access them from the global zone.
Note: Make sure you protect non-global zone resources in both the non-global and the global zone as necessary.
Example: Global Zone Rules and Non-Global Zone Rules
In the following example, we define rules to protect a non-global zone (myZone1) file. All system files are always visible from the global zone.
The file we want to protect is /myZone1/root/bin/kill (path from global zone). To protect this file, we define the following CA Access Control rules:
nu admin_pers owner(nobody) nr FILE /myZone1/root/bin/kill defaccess(none) owner(nobody) authorize FILE /myZone1/root/bin/kill uid(admin_pers) access(all)
nu admin_pers owner(nobody) nr FILE /bin/kill defaccess(none) owner(nobody) authorize FILE /bin/kill uid(admin_pers) access(all)
Using these rules in both the global and non-global zones, we defined a user (admin_pers), defined our file as resource to be protected, and authorized our user to access the file. Without doing this in both zones, we would leave the resource exposed.
| Copyright © 2012 CA. All rights reserved. | Tell Technical Publications how we can improve this information |