# sccsid = "@(#)16 1.7 src/rsct/rmc/mcdaemon/ctrmc.acls, mcdaemon, rsct_rady, rady2035a 11/12/15 16:31:56"
# IBM_PROLOG_BEGIN_TAG
# This is an automatically generated prolog.
#
#
#
# Licensed Materials - Property of IBM
#
# (C) COPYRIGHT International Business Machines Corp. 2001,2019
# All Rights Reserved
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# IBM_PROLOG_END_TAG

# This file /opt/rsct/cfg/ctrmc.acls is the default Access Control List
# file for the Resource Monitoring and Control subsystem. It is used if the file
# /var/ct/cfg/ctrmc.acls does not exist. To change ACL entries, modify the file
# /var/ct/cfg/ctrmc.acls or, if the file does not exist, copy this file to
# /var/ct/cfg/ctrmc.acls and then make the modifications. Once the
# modifications are complete, execute the command
#
#     refresh -s ctrmc

# The ACL file consists of one or more stanzas. A stanza consists of a
# stanza name beginning in column 1, followed by zero or more stanza lines.
# A stanza line must begin with one or more blanks or tabs and consists of
# a user identifier, an object type and optional permissions. Blank lines
# and lines where the first non-whitespace character is '#' are ignored.
# Any portion of a line that begins with // is ignored.
#
# A stanza name is the name of a Resource Class to which the stanza lines
# apply. A user identifier has one of the following four forms:
#
#     UserName@HostName
#     HostName
#     *
#     UNAUTHENT
#
# A HostName is a fully qualified host domain name or the keyword
# LOCALHOST. The first form specifies an authenticated user executing an
# RMC application on the named host. If the host name is the keyword
# LOCALHOST, then the application is executing on the same machine as the
# RMC subsystem. The second form specifies any authenticated user executing
# an RMC application on the named host. The third form specifies any
# authenticated user executing an RMC application on any host. The fourth
# form, using the keyword UNAUTHENT, specifies any unauthenticated user.
#
# The object type is one of the characters 'C', 'R' or '*'. 'C' indicates
# that the line specifies permissions to access a resource class. 'R'
# indicates that the line specifies permissions to access all resource
# instances of the class. '*' indicates that the line specifies permissions
# to access the resource class and all resource instances of the class.
#
# Permissions consist of the characters 'r' and/or 'w', where 'r' specifies
# read permission and 'w' specifies write permission. If a line contains
# no permissions, then the specified user has no permission to access the
# specified object type.

# IBM.FileSystem        // ACLs for class IBM.FileSystem
#     user1@host1        *   rw
#     user2@host1        C
#     user2@host1        R   r
#     root@LOCALHOST     *   rw
#     LOCALHOST          *   r
#     UNAUTHENT          *

# In the preceding example, user1 on host1 has read/write permissions to
# access the resource class IBM.FileSystem and all resource instances of
# the class. user2 on host1 has no permission to access the resource class
# but does have permission to read all instances of the resource class.
# root on this machine has permission to read/write the resource class and
# all of its resource instances. Any other user on this machine has only
# permission to read the resource class and all of its resource instances.
# Any unauthenticated user has no permission to access the resource class
# nor any of its resource instances.

# Note that ACL entries are examined in order. The first entry that matches
# the user executing the RMC application for the object type that is
# being accessed is used.

# The following stanza will enable anyone to read the information in the
# IBM.HostPublic class, which provides public information about the node,
# mainly its public key.

IBM.HostPublic
    *                  *   r
    UNAUTHENT          *   r

# The following stanza contains default ACL entries. These entries are appended
# to each ACL defined for a resource class and are examined after any entries
# explicitly defined for a resource class by the stanzas in this file,
# including the OTHER stanza.

DEFAULT
    root@LOCALHOST     *   rw
    LOCALHOST          *   r

# In the following sample stanza, the class name of OTHER indicates that the
# stanza applies to all resource classes not otherwise specified in the
# ACL file.
#
# OTHER
#     user1@host1        *   rw
#     user2@host1        C

# As described above, a stanza need not contain any stanza lines. This is
# useful if the OTHER stanza is specified but the entries in the OTHER
# stanza should not apply to a specific resource class. For example, if
# the following three stanzas are specified in the ACL file
#
# IBM.FileSystem
#
# OTHER
#     user1@host1        *   rw
#     user2@host1        C
#
# DEFAULT
#     root@LOCALHOST     *   rw
#     LOCALHOST          *   r
#
# then the only entries examined for IBM.FileSystem are those specified in the
# DEFAULT stanza. For all other resource classes the entries examined are,
# first, those specified in the OTHER stanza, and second, those specified in
# the DEFAULT stanza.
#
# In the preceding example, if the DEFAULT stanza also contains no entries,
# then access to the IBM.FileSystem class is denied for all users.
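The stanza rules above (first matching entry wins, a class stanza that is present but empty suppresses OTHER, DEFAULT is always appended last, and an entry with no permissions denies) are easy to misjudge when reviewing a hand-edited ctrmc.acls. The following parser and evaluator is an added example written for this page; it is not IBM's RMC implementation and it only models the documented rules. The `Principal`, `Entry`, `parse_acls` and `check_access` names are this example's own, and a requester running on the RMC node is represented by the host string `"LOCALHOST"` (an assumption about how the caller labels local requests). The two sample ACL texts are constructed from the examples in the comments above.

```python
"""Evaluator for the ctrmc.acls stanza format (added example, not IBM's code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    ident: str      # UserName@HostName, HostName, '*' or UNAUTHENT
    obj_type: str   # 'C' (class), 'R' (all instances) or '*' (both)
    perms: str      # subset of "rw"; empty string means no access at all


@dataclass(frozen=True)
class Principal:
    user: Optional[str]   # None => unauthenticated requester (UNAUTHENT)
    host: Optional[str]   # FQDN, or "LOCALHOST" when the app runs on the RMC node (assumption)


def parse_acls(text: str) -> dict[str, list[Entry]]:
    """Parse stanzas: names start in column 1, entries are indented.

    Blank lines, lines whose first non-blank is '#', and anything from '//'
    onward are ignored. An empty stanza is kept as an empty list because
    its presence changes lookup (it suppresses OTHER for that class).
    """
    stanzas: dict[str, list[Entry]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":            # stanza name in column 1
            current = line.strip()
            stanzas.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"stanza line before any stanza name: {raw!r}")
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"malformed stanza line: {raw!r}")
        ident, obj_type = fields[0], fields[1]
        perms = fields[2] if len(fields) == 3 else ""
        if obj_type not in ("C", "R", "*") or set(perms) - {"r", "w"}:
            raise ValueError(f"malformed stanza line: {raw!r}")
        stanzas[current].append(Entry(ident, obj_type, perms))
    return stanzas


def _ident_matches(ident: str, p: Principal) -> bool:
    """Apply the four user-identifier forms; only UNAUTHENT matches unauthenticated users."""
    if ident == "UNAUTHENT":
        return p.user is None
    if p.user is None:
        return False
    if ident == "*":
        return True
    if "@" in ident:
        user, host = ident.split("@", 1)
        return p.user == user and p.host == host
    return p.host == ident


def entries_for(stanzas: dict[str, list[Entry]], class_name: str) -> list[Entry]:
    """Class stanza if present (even if empty), otherwise OTHER; DEFAULT appended last."""
    specific = stanzas[class_name] if class_name in stanzas else stanzas.get("OTHER", [])
    return specific + stanzas.get("DEFAULT", [])


def check_access(stanzas: dict[str, list[Entry]], class_name: str,
                 p: Principal, obj_type: str, perm: str) -> bool:
    """First entry matching both the requester and the object type decides; no match => deny."""
    for e in entries_for(stanzas, class_name):
        if e.obj_type in ("*", obj_type) and _ident_matches(e.ident, p):
            return perm in e.perms
    return False


# Constructed sample: the IBM.FileSystem example plus the shipped HostPublic/DEFAULT stanzas.
SAMPLE = """\
IBM.FileSystem        // ACLs for class IBM.FileSystem
    user1@host1        *   rw
    user2@host1        C
    user2@host1        R   r
    root@LOCALHOST     *   rw
    LOCALHOST          *   r
    UNAUTHENT          *

IBM.HostPublic
    *                  *   r
    UNAUTHENT          *   r

DEFAULT
    root@LOCALHOST     *   rw
    LOCALHOST          *   r
"""

# Constructed sample: empty class stanza suppresses OTHER, leaving only DEFAULT.
EMPTY_STANZA_SAMPLE = """\
IBM.FileSystem

OTHER
    user1@host1        *   rw
    user2@host1        C

DEFAULT
    root@LOCALHOST     *   rw
    LOCALHOST          *   r
"""

if __name__ == "__main__":
    acl = parse_acls(SAMPLE)
    for who, cls, t, perm in [
        (Principal("user2", "host1"), "IBM.FileSystem", "C", "r"),
        (Principal("user2", "host1"), "IBM.FileSystem", "R", "r"),
        (Principal("root", "LOCALHOST"), "IBM.HostPublic", "C", "w"),
    ]:
        print(who, cls, t, perm, "->", "allow" if check_access(acl, cls, who, t, perm) else "deny")
```

Note the `root@LOCALHOST` on `IBM.HostPublic` case in the demo: the `*  *  r` entry matches root first, so the later `root@LOCALHOST  *  rw` line in DEFAULT never gets a look and a write is denied. That is the ordering rule from the comments above in action, and it is the kind of result worth confirming before a hand-edited ACL is put in place with `refresh -s ctrmc`.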