VMware GSX Server 2.5.2

GSX Server for Linux uses Pluggable Authentication Modules (PAM) for user authentication in the VMware Remote Console and the VMware Management Interface. The default installation of GSX Server uses standard Linux /etc/passwd authentication, but can be configured to use LDAP, NIS, Kerberos or another distributed authentication mechanism.

Every time a connection is made to the server running GSX Server, the inetd or xinetd process runs an instance of the VMware authentication daemon (vmware-authd). The vmware-authd process requests a username and password, then hands them off to PAM, which performs the authentication.

Once a user is authenticated, vmware-authd accepts a pathname to a virtual machine configuration file. The vmware-authd process starts a virtual machine process as the owner of the configuration file, not as the user connecting to the virtual machine. However, the user is still restricted by his or her permissions on the configuration file.

Access to the configuration file is restricted in the following ways:
Note: Even if you have full permissions on a configuration file, you cannot connect to the virtual machine with a VMware Remote Console or a VMware Scripting API if you do not have execute permission on the directory in which the configuration file resides or on any of its parent directories. Further, you cannot see the virtual machine in the VMware Management Interface or in the Connect to VMware Virtual Machine dialog box when you connect to the GSX Server host with a VMware Remote Console. Nor can you delete any files in the virtual machine's directory.

If a vmware process is not running for this configuration file, vmware-authd checks to see if you registered this virtual machine. If the virtual machine is registered, vmware-authd assumes the identity of the configuration file's owner (not necessarily the user that is currently authenticated) and starts GSX Server with this configuration file as an argument (for example, vmware /<path_to_config>/<configfile>.cfg).

The vmware-authd process exits as soon as a connection is established to a vmware process and at least one user has connected. Each vmware process shuts down automatically after the last user disconnects.

When you create a virtual machine with GSX Server, its configuration file is registered with the following default permissions, based on the user accessing it:
When you first install your GSX Server software and run the configuration program (vmware-config.pl), you can set these permissions for any existing configuration files for registered virtual machines.

If you plan to use with GSX Server a virtual machine and configuration file that you created in other VMware products, you must register the configuration file in order to connect to the virtual machine from a console or the VMware Management Interface, then set the default permissions as above. For more information about registering configuration files, see Registering the Configuration Files for Virtual Machines.
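The note above about execute permission on parent directories, and the fact that the virtual machine process runs as the configuration file's owner, can be audited on the host with a short script. This is an added example, not VMware code: the function names and script name are hypothetical, it evaluates classic Unix mode bits only (no ACLs, no root override), and it assumes it is run by an account that can stat every path component.

```python
import os
import pwd
import stat
import sys


def class_bits(st, uid, gids):
    """rwx bits (0-7) that classic Unix mode rules grant to uid/gids."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 7      # owner class
    if st.st_gid in gids:
        return (mode >> 3) & 7      # group class
    return mode & 7                 # other class


def audit_config_access(cfg_path, uid, gids):
    """Report what uid can do with cfg_path and which directories block it."""
    cfg_path = os.path.abspath(cfg_path)
    blocked = []
    parent = os.path.dirname(cfg_path)
    while True:
        # Without the execute (search) bit the path cannot be traversed.
        if not class_bits(os.stat(parent), uid, gids) & 1:
            blocked.append(parent)
        if parent == os.path.dirname(parent):   # reached /
            break
        parent = os.path.dirname(parent)
    st = os.stat(cfg_path)
    bits = class_bits(st, uid, gids)
    perms = "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))
    return {
        "vm_runs_as_uid": st.st_uid,   # the VM process runs as the file's owner
        "file_perms": perms,
        "blocked_dirs": blocked,
    }


if __name__ == "__main__":
    # Usage (hypothetical script name): audit_cfg.py <configfile>.cfg <username>
    cfg, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    report = audit_config_access(cfg, pw.pw_uid, os.getgrouplist(user, pw.pw_gid))
    print(report)
```

A non-empty blocked_dirs list means the user cannot reach the virtual machine regardless of file_perms, and vm_runs_as_uid shows which account the guest's host process will run under.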