

Using Conditional Access Control Lists

You can make access to a file conditional on the program used to access the file. To make file access conditional in this way is called program pathing.

Note: If the program specified to access the file is a shell script, the shell script must have #!/bin/sh as its first line. Because the shell treats the #!/bin/sh line as a comment and does not process it, do not run the script in the form # . /home/test/test.sh or # sh /home/test/test.sh.

The following code is an example, allowing any process to update the file /etc/passwd under the control of the password change program /bin/passwd. All access attempts to the /etc/passwd file that do not originate from /bin/passwd are blocked.

newres FILE /etc/passwd owner(nobody) defaccess(R)
authorize FILE /etc/passwd gid(users) access(U) via(pgm(/bin/passwd))

The newres command defines the file /etc/passwd to CA ControlMinder and allows any user, including the file's owner, to read the file. The authorize command allows all users in the group users to update the file when the access is made under the program /bin/passwd. Once the password file is protected in this manner, any update to /etc/passwd by a user of the group users that is not made through the /bin/passwd program is blocked, including entries that a Trojan horse tries to insert.

Conditional access lists are also useful for controlling access to the files of a database management system (DBMS). Usually, you should permit users to access such files only through the programs and utilities supplied by the database vendor. Consider the following commands:

authorize FILE /usr/dbms/xyz uid(*) via(pgm(/usr/dbms/bin/pgm1)) access(U)
authorize FILE /usr/dbms/xyz uid(*) via(pgm(/usr/dbms/bin/pgm2)) access(U)

This set of authorize commands allows all CA ControlMinder users to access the file xyz of the DBMS system, provided the access is made by either program pgm1 or program pgm2, both of which reside in the DBMS binaries directory. Note the use of the asterisk in the user operand. The asterisk specifies all users who are defined to CA ControlMinder. The use of the asterisk is similar in concept to the default access, except that default access also applies to users who are not defined to CA ControlMinder. Note that you can use the _undefined group for users not defined in the CA ControlMinder database.
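To make the two rule sets above concrete, the following is an added model written for this page (not CA ControlMinder code): it encodes only what the text states, namely that defaccess applies to every user, defined or not, that uid(*) matches only users defined to ControlMinder, and that a via(pgm()) entry applies only when the named program makes the access. The product's real evaluation order is simplified to "any matching grant wins, otherwise defaccess"; the users alice, bob and guest are constructed, and the xyz file is assumed to have no default access because the page defines none.

```python
from dataclasses import dataclass, field
from typing import List, Optional, FrozenSet

@dataclass
class Ace:
    subject: str               # "uid:george", "gid:users" or "uid:*" (all defined users)
    access: str                # access modes granted, e.g. "U" or "RW"
    pgm: Optional[str] = None  # via(pgm(...)) condition; None means unconditional

@dataclass
class FileResource:
    path: str
    defaccess: str             # defaccess(...): applies to everyone, defined or not
    acl: List[Ace] = field(default_factory=list)

@dataclass
class Request:
    user: str
    groups: FrozenSet[str]
    defined: bool              # user exists in the ControlMinder database
    program: str               # executable that makes the access
    access: str                # single mode requested, e.g. "U"

def ace_matches(ace: Ace, req: Request) -> bool:
    """Check the program-pathing condition first, then the subject of the ACE."""
    if ace.pgm is not None and ace.pgm != req.program:
        return False
    kind, name = ace.subject.split(":", 1)
    if kind == "uid":
        return name == req.user or (name == "*" and req.defined)
    return kind == "gid" and name in req.groups

def decide(res: FileResource, req: Request) -> bool:
    """Simplified rule: any matching ACE granting the mode wins, else defaccess."""
    mode = req.access.upper()
    if any(ace_matches(a, req) and mode in a.access.upper() for a in res.acl):
        return True
    return mode in res.defaccess.upper()

# The two rule sets from this page, entered as constructed sample data.
PASSWD = FileResource("/etc/passwd", defaccess="R",
                      acl=[Ace("gid:users", "U", pgm="/bin/passwd")])
DBMS_XYZ = FileResource("/usr/dbms/xyz", defaccess="",   # assumed: no defaccess set
                        acl=[Ace("uid:*", "U", pgm="/usr/dbms/bin/pgm1"),
                             Ace("uid:*", "U", pgm="/usr/dbms/bin/pgm2")])

def alice(program: str, access: str) -> Request:
    # Constructed user: defined to ControlMinder and a member of group users.
    return Request("alice", frozenset({"users"}), True, program, access)
```

Running decide(PASSWD, alice("/usr/bin/vi", "U")) yields False while the same request through /bin/passwd yields True, and a read through any program still succeeds because of defaccess(R).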

You can also use the Unicenter TNG calendar ACL property to permit or deny access to specific users and groups for the current resource according to the Unicenter TNG calendar status. There are two types of ACL properties for Unicenter TNG calendars: regular and restrictive.

For example, the following command adds a user named george to a conditional access control list for a regular calendar named basecalendar:

auth file file1 uid(george) calendar(basecalendar) access(rw)

And the following command removes the user named george from the conditional access control list for the Unicenter TNG calendar basecalendar:

auth- file file2 uid(george) calendar(basecalendar)