Synchronization with Native UNIX Security
Although CA ControlMinder permissions are more expressive than native UNIX permissions, you can synchronize the native UNIX permissions of a file with its CA ControlMinder permissions, so that the two coincide as far as UNIX can express them. Synchronization is subject to these limitations:
- Synchronization is not retroactive. Once it is in effect, it governs authorization commands issued from that point on; access rules that already existed before it was enabled are not pushed to UNIX.
- Synchronization is one-way. Permissions that you grant in CA ControlMinder can be passed to UNIX, but permissions granted in UNIX are not passed back to CA ControlMinder.
- Because of the limits of its own permission model, UNIX may be able to adopt only a simplified form of the CA ControlMinder permissions. Even UNIX versions that support access control lists (ACLs) may be unable to reflect all the detail of the CA ControlMinder ACLs.
UNIX platforms whose ACLs can be synchronized with CA ControlMinder ACLs are Sun Solaris, HP-UX, and Tru64.
On platforms without such ACLs, you can still synchronize the traditional UNIX rwx permission bits with the CA ControlMinder permissions, to the extent that those bits can express them.
Synchronization is controlled by the combination of the authorize command's UNIX option and the seos.ini file's SyncUnixFilePerms token:
- By including the UNIX option, the authorize command applies the grant in UNIX as well as in CA ControlMinder. The command can even grant a UNIX permission where none existed before.
(When the UNIX option is not used, selang commands have no effect on UNIX security. Moreover, native UNIX checks still apply: where UNIX denies an access, a CA ControlMinder permission for that access is not effective, because both must allow it. So the only way that selang can overcome a UNIX prohibition is with the UNIX option of the authorize command. When a CA ControlMinder grant appears not to work, check the native permission bits of the file first.)
- In the authorize command, the UNIX option works only when the SyncUnixFilePerms token is set appropriately in the [seos] section of the seos.ini file. The token has these permitted values:
- no specifies not to synchronize permissions. This is the default value.
- warn specifies not to synchronize permissions, but to issue a warning if the CA ControlMinder and native UNIX permissions conflict.
- traditional specifies to adjust the rwx permission bits for the group according to the CA ControlMinder ACL. Permissions for individual users are not copied to UNIX, because the traditional mode bits have no per-user entries.
- acl specifies to adjust the UNIX ACL according to the CA ControlMinder ACL (on the platforms listed above).
- force specifies to adjust the UNIX world (other) access bits according to the CA ControlMinder defaccess permissions.
Any change in the SyncUnixFilePerms token value takes effect only after you restart the seosd daemon; authorize commands with the UNIX option that run before the restart are governed by the old value.
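The following shell script is an added example and is not CA Technologies' code or part of this guide. It sets the SyncUnixFilePerms token in a copy of seos.ini laid out like the constructed sample it creates (the real file lives under the CA ControlMinder installation directory), checks the native UNIX permission bits that a CA ControlMinder grant without the UNIX option cannot override, and prints the selang session that applies a grant to both databases. The selang session is shown rather than run, because selang, secons and seload exist only on a host where CA ControlMinder is installed; the stop and start commands (secons -s, seload) are the usual ones and should be checked against your version's reference. The helper names get_sync_mode, set_sync_mode, native_denies and selang_session, the path /opt/app/config.ini and the group appadmins are hypothetical.

```shell
#!/bin/sh
# Added example (not CA ControlMinder code). Manages the SyncUnixFilePerms
# token in a seos.ini copy, checks native UNIX mode bits, and prints the
# selang session that grants access in both databases. Function names,
# the file path and the group name are hypothetical.
set -u

# Print the SyncUnixFilePerms value from the [seos] section. "no" is the
# documented default when the token is absent.
get_sync_mode() {
    val=$(awk -F= '
        /^\[/ { insec = ($0 == "[seos]"); next }
        insec && $1 ~ /^[ \t]*SyncUnixFilePerms[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-no}"
}

# Rewrite the token in the [seos] section only (adding it, or the whole
# section, if missing). Only the five documented values are accepted, so a
# typo cannot leave synchronization silently off after the seosd restart.
set_sync_mode() {
    ini=$1 mode=$2
    case $mode in
        no|warn|traditional|acl|force) ;;
        *) echo "set_sync_mode: invalid SyncUnixFilePerms value '$mode'" >&2; return 1 ;;
    esac
    tmp="$ini.tmp.$$"
    awk -F= -v mode="$mode" '
        /^\[/ {
            if (insec && !done) { print "SyncUnixFilePerms = " mode; done = 1 }
            insec = ($0 == "[seos]")
        }
        insec && $1 ~ /^[ \t]*SyncUnixFilePerms[ \t]*$/ {
            print "SyncUnixFilePerms = " mode; done = 1; next
        }
        { print }
        END {
            if (!done) { if (!insec) print "[seos]"; print "SyncUnixFilePerms = " mode }
        }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# Report whether the native mode bits alone deny an access. A CA ControlMinder
# grant issued without the unix option cannot override a "deny" here.
# who: owner|group|other   perm: r|w|x   prints allow|deny
native_denies() {
    path=$1 who=$2 perm=$3
    bits=$(ls -ld "$path" | cut -c2-10)
    case $who in
        owner) triple=$(printf '%s' "$bits" | cut -c1-3) ;;
        group) triple=$(printf '%s' "$bits" | cut -c4-6) ;;
        other) triple=$(printf '%s' "$bits" | cut -c7-9) ;;
        *) echo "native_denies: bad who '$who'" >&2; return 2 ;;
    esac
    case $perm in
        r) flag=$(printf '%s' "$triple" | cut -c1) ;;
        w) flag=$(printf '%s' "$triple" | cut -c2) ;;
        x) flag=$(printf '%s' "$triple" | cut -c3) ;;
        *) echo "native_denies: bad perm '$perm'" >&2; return 2 ;;
    esac
    # s/t mean execute plus setuid/setgid/sticky; S/T mean no execute.
    case $flag in
        r|w|x|s|t) echo allow ;;
        *) echo deny ;;
    esac
}

# The session that applies a grant to CA ControlMinder and UNIX together.
# Printed only: it needs a host with CA ControlMinder. AC> is selang's prompt.
selang_session() {
    cat <<'EOF'
# restart seosd after editing seos.ini so the new token value is read
secons -s      # stop seosd (usual command; check your version's reference)
seload         # start seosd
selang
AC> authorize FILE /opt/app/config.ini gid(appadmins) access(read,write) unix
AC> showres FILE /opt/app/config.ini
AC> exit
EOF
}

# Stand-alone demonstration on a constructed seos.ini copy and a temp file.
work=$(mktemp -d)
printf '[seos]\n; constructed sample; a real seos.ini holds many tokens\n' > "$work/seos.ini"
echo "before: SyncUnixFilePerms=$(get_sync_mode "$work/seos.ini")"
set_sync_mode "$work/seos.ini" acl
echo "after:  SyncUnixFilePerms=$(get_sync_mode "$work/seos.ini")"
: > "$work/config.ini"; chmod 640 "$work/config.ini"
echo "other read on mode 640: $(native_denies "$work/config.ini" other r)"
selang_session
rm -rf "$work"
```

Run the script as is to see the token change and the native-bit check on constructed input; on a CA ControlMinder host, copy the printed selang session after editing the real seos.ini and restarting seosd. The native_denies check is what to run first when a user with a CA ControlMinder grant still gets "permission denied": if it prints deny, the grant must be reissued with the UNIX option (with SyncUnixFilePerms set) or the UNIX bits changed by hand.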
More information:
HP-UX Limitations
Sun Solaris Limitations
Copyright © 2013 CA Technologies.
All rights reserved.