

Recognizing a Login Event

CA ControlMinder does not treat all attempts to change the user ID of a process as login events. Usually a program attempts to change its user ID with a setuid system call. The SURROGATE class controls these events, which are not necessarily considered login events, and do not necessarily change the user identity from the point of view of CA ControlMinder.

CA ControlMinder always preserves the original user identity, that is, the identity with which the user logged in initially. Ordinary setuid system calls do not cause CA ControlMinder to register a change in user identity.

For CA ControlMinder to recognize the identity change, it must recognize this event as a login event. It recognizes login events using the following rules:

When you begin an administration session (in selang or CA ControlMinder Endpoint Management), CA ControlMinder performs a dummy login event. This is not a true login; rather, CA ControlMinder performs certain internal checks, which are similar to login checks.

Note: For more information, see the SEQUENCE property for the LOGINAPPL class in the selang Reference Guide.

At the start of an administration session, the user name is checked on the machine to be administered. You get access to this machine for administration only if you have WRITE access for the terminal from which you perform the session.

For example, if you are logged in to host Minerva and would like to administer CA ControlMinder on host Artemis, two conditions are necessary:

These conditions are checked prior to any other user authority check. Note that you also need administrative authority in the database.