I have a restricted shell which limits the user from the underlying Linux apps
and filesystem, but authorization is using the usual mechanisms. VIX would allow
access to the underlying filesystem, bypassing the restricted shell.

As for the logs, the user is showing guestUserName=hostd-quiescedsnap but
VMAutomation_ReadGuestOperationPolicies fails. hostPolicyString is NULL
VixAutomation_IsGuestOperationAllowed fails. No policy for this operation

Is this the reason for the failure?
What is the required policy and how does this need to be set?

Jim


> Date: Wed, 9 Feb 2011 11:32:38 -0800
> From: mvan...@vmware.com
> To: jim.l...@hotmail.com
> CC: open-vm-tools-devel@lists.sourceforge.net
> Subject: Re: cloning and pre-freeze script question
> 
> On 02/09/2011 11:24 AM, James Ko wrote:
> > Is VIX really required for quiescing? I would actually prefer to have VIX
> > disabled as I see it as a potential security risk for the guest.
> 
> VIX is needed for quiescing on Linux, yes; that's how the freeze / thaw scripts
> are executed. There are a few other operations from the UI that also need VIX
> support in the guest, although I don't remember more details.
> 
> VIX requires guest authentication for most, if not all, of its operations. An
> exception exists when the request comes from hostd, in which case VIX assumes
> that hostd / VC are properly authenticating / authorizing the user to perform
> that operation. So unless you have some concern regarding the latter, VIX
> doesn't really add any security risks to the VM.
> 
> -- 
> - Marcelo
                                          
_______________________________________________
open-vm-tools-devel mailing list
open-vm-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/open-vm-tools-devel
