Menu
▾
▴
RE: cloning and pre-freeze script question
|
From: James Ko <jim...@ho...> - 2011-02-10 08:18:37
|
I have a restricted shell which limits the user from the underlying linux apps and filesystem but authorization is using the usual mechanisms. VIX would allow access to the underlying filesystem bypassing the restricted shell. As for the logs, the user is showing guestUserName=hostd-quiescedsnap but VMAutomation_ReadGuestOperationPolicies fails. hostPolicyString is NULL VixAutomation_IsGuestOperationAllowed fails. No policy for this operation Is this the reason for the failure? What is the required policy and how does this need to be set? Jim > Date: Wed, 9 Feb 2011 11:32:38 -0800 > From: mv...@vm... > To: jim...@ho... > CC: ope...@li... > Subject: Re: cloning and pre-freeze script question > > On 02/09/2011 11:24 AM, James Ko wrote: > > Is VIX really required for quiescing? I would actually prefer to have VIX disabled as I see it as a potential > > security risk for the guest. > > VIX is needed for quiescing on Linux, yes; that's how the freeze / thaw scripts > are executed. There are a few other operations from the UI that also need VIX > support in the guest, although I don't remember more details. > > VIX requires guest authentication for most, if not all, of its operations. An > exception exists when the request comes from hostd, in which case VIX assumes > that hostd / VC are properly authenticating / authorizing the user to perform > that operation. So unless you have some concern regarding the latter, VIX > doesn't really add any security risks to the VM. > > -- > - Marcelo |
