VMware GSX 3 User Manual

Page 119


CHAPTER 4 Managing Virtual Machines and the VMware GSX Server Host


If you want to limit access to the virtual machine, clear the Allow inheritable
permissions from parent to propagate to this object check box.

4. To specify that a user or group should not have access to the configuration
file, either click Remove or check all permissions in the Deny column to deny all
permissions to that user or group.

5. To add more users or groups, click Add. The Select Users, Computers and Groups
dialog box appears. In the dialog box, select the groups or users that you want to
access the virtual machine, then click Add. After you finish adding the users or
groups, click OK. The users and groups are added with default Read and Write
permissions. In the Properties dialog box, change the type of access for the user
or group to the configuration file; choose either Read or Read & Execute and
Write. Click OK to set the permissions to the configuration file.

Authenticating Users and Running Virtual Machines on a GSX Server for Linux Host

GSX Server for Linux uses Pluggable Authentication Modules (PAM) for user
authentication in the VMware Virtual Machine Console and the VMware Management
Interface. The default installation of GSX Server uses standard Linux /etc/passwd
authentication, but can be configured to use LDAP, NIS, Kerberos or another
distributed authentication mechanism.

Every time you connect to the GSX Server host with the VMware Virtual Machine
Console or VMware Management Interface, the inetd or xinetd process runs an
instance of the VMware authentication daemon (vmware-authd). The vmware-authd
process requests a username and password, then hands them off to PAM,
which performs the authentication.

Once you are authenticated, the console starts or the management interface’s Status
Monitor page appears. What you can now do with the virtual machines is based on
your permissions. See Understanding Permissions and Virtual Machines on page 114.

The vmware-authd process starts a virtual machine process as the owner of the
configuration file, not as the user connecting to the virtual machine. However, the
user is still restricted by his or her permissions on the configuration file.

Note: Even if you have full permissions on a configuration file, if you do not have
execute permission to the directory in which the configuration file resides or to any
of its parent directories, you cannot connect to the virtual machine with a VMware
Virtual Machine Console or a VMware Scripting API. Furthermore, you cannot see the
virtual machine in the VMware Management Interface or in the VMware Virtual
Machine Console, nor can you delete any files in the virtual machine’s directory.
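
The directory check described in the note above, as an added example (not part of the VMware manual or VMware's code): it reports a user's permissions on a configuration file and lists every parent directory on which that user lacks execute permission. It models only the classic owner/group/other mode bits (no ACLs, no root override); the function names and the sample path are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Mode bits per permission, ordered (owner, group, other).
BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}

def has_perm(st, uid, gids, perm):
    """Classic UNIX check: exactly one class (owner, else group, else other) applies."""
    owner_bit, group_bit, other_bit = BITS[perm]
    if uid == st.st_uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def blocking_dirs(cfg_path, uid, gids):
    """Directories from the config file's directory up to / that uid cannot search."""
    blocked = []
    d = os.path.dirname(os.path.realpath(cfg_path))
    while True:
        if not has_perm(os.stat(d), uid, gids, "x"):
            blocked.append(d)
        parent = os.path.dirname(d)
        if parent == d:  # reached the filesystem root
            return blocked
        d = parent

def config_access(cfg_path, uid, gids):
    """Return (file permission string such as 'rw-', list of blocking directories)."""
    st = os.stat(cfg_path)
    perms = "".join(p if has_perm(st, uid, gids, p) else "-" for p in "rwx")
    return perms, blocking_dirs(cfg_path, uid, gids)

if __name__ == "__main__":
    # Constructed sample: a config file open to everyone, in a directory only its owner can enter.
    with tempfile.TemporaryDirectory() as top:
        vm_dir = os.path.join(top, "example-vm")
        os.mkdir(vm_dir, 0o700)
        cfg = os.path.join(vm_dir, "example-vm.cfg")
        open(cfg, "w").close()
        os.chmod(cfg, 0o777)
        other_uid = os.stat(cfg).st_uid + 1  # hypothetical second account, in no groups
        perms, blocked = config_access(cfg, other_uid, set())
        print("file permissions:", perms)
        for d in blocked:
            print("no execute (search) permission on:", d)
```

An empty list from `blocking_dirs` means the whole path to the configuration file is traversable for that user; any entry in it reproduces the situation the note describes.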
