
HP OpenVMS Systems Documentation


HP OpenVMS DCL Dictionary




SET SECURITY

Modifies the security profile of an object.

Format

SET SECURITY object-name


Parameter

object-name

Specifies the name of an object, such as a file or device, whose security profile is to be modified. An object is identified by an object name and a class name. The default class name is FILE.

An object name of the FILE class (explicitly or implicitly specified) can include an asterisk (*) or a percent sign (%) wildcard character, but wildcard characters are not allowed in any class other than FILE. SET SECURITY does not operate on remote files and devices, alias directory entries, or directory names in UIC format (for example, [14,5]).


Description

The SET SECURITY command modifies the security profile of an object. Such a profile contains the following elements:
  • An access control list (ACL)
  • A protection code, which defines access to objects based on the categories of system, owner, group, and world.
  • An owner. The system uses the owner element to interpret the protection code.

There are three different ways to use the command:

  • You can provide new values explicitly with the qualifiers /ACL, /PROTECTION, and /OWNER. (For extensive ACL work, use /EDIT to invoke the ACL editor.)
  • You can copy from another object's profile with the /LIKE qualifier.
  • If the object is of the FILE class, you can reset its profile to the default setting with the /DEFAULT qualifier.

To modify a security profile, you need control access to the object. An ACL grants control access explicitly whereas a protection code grants it implicitly to anyone belonging to the owner or system categories. If an object profile is modified while the object is being accessed, the existing access is unaffected.

The following table identifies object classes and the access types they support:

  Object Class                       Access Types
  CAPABILITY (VAX only)              Use, Control
  COMMON_EVENT_FLAG_CLUSTER          Associate, Delete, Control
  DEVICE                             Read, Write, Physical, Logical, Control
  FILE (including directory file)    Read, Write, Execute, Delete, Control
  GROUP_GLOBAL_SECTION               Read, Write, Execute, Control
  ICC_ASSOCIATION (1)                Open, Access, Control
  LOGICAL_NAME_TABLE                 Read, Write, Create, Delete, Control
  QUEUE                              Read, Submit, Manage, Delete, Control
  RESOURCE_DOMAIN                    Read, Write, Lock, Control
  SECURITY_CLASS                     Read, Write, Control, Logical I/O, Physical I/O
  SYSTEM_GLOBAL_SECTION              Read, Write, Execute, Control
  VOLUME                             Read, Write, Create, Delete, Control

(1) The class ICC_ASSOCIATION has special semantics: there are both permanent and temporary objects for this class. Permanent objects are created using the command procedure SYS$MANAGER:ICC$CREATE_SECURITY_OBJECT.COM. The SET SECURITY command applies to both permanent and temporary ICC_ASSOCIATION security objects.

The HP OpenVMS Guide to System Security provides a full explanation of protected objects and how to modify them.

Table DCLII-20 shows the qualifier categories for the SET SECURITY command. The explanations for the qualifiers following Table DCLII-20 occur in alphabetical order.

Table DCLII-20 SET SECURITY Qualifier Categories

  General Qualifiers           /ACL, /CLASS, /LOG, /OWNER, /PROTECTION
  ACL-Modifying Qualifiers     /AFTER, /DELETE, /EDIT, /REPLACE
  Security Class Qualifier     /PROFILE
  File-Specific Qualifiers     /BACKUP, /BEFORE, /BY_OWNER, /CONFIRM, /CREATED, /DEFAULT,
                               /EXCLUDE, /EXPIRED, /MODIFIED, /SINCE, /STYLE
  Transfer Qualifiers          /COPY_ATTRIBUTE, /LIKE

Qualifiers

/ACL[=(ace[,...])]

Identifies one or more access control list entries (ACEs) to add, replace, or delete. Enclose each ACE in parentheses and separate multiple ACEs by commas (,). The most common type of entry, the Identifier ACE, has the format (IDENTIFIER=identifier, ACCESS=access-type(+...)). By default, SET SECURITY adds an ACE to the top of the ACL. This behavior changes when you include one of the positional qualifiers: /AFTER, /DELETE, or /REPLACE. Refer to the discussion of ACL ordering in the HP OpenVMS Guide to System Security.

/AFTER=ace

Positions all ACEs specified with the /ACL qualifier after the ACE named with the /AFTER qualifier.

/BACKUP

Modifies the time value provided with the /BEFORE or the /SINCE qualifier. The /BACKUP qualifier selects files according to the date of their most recent backup (rather than by the creation, expiration, or modification date). By default, SET SECURITY selects files according to their creation date.

/BEFORE[=time]

Selects only those files dated prior to the specified time. You can specify time as absolute time, as a combination of absolute and delta times, or as one of the following keywords: BOOT, LOGIN, TODAY (default), TOMORROW, or YESTERDAY. Specify the /CREATED or the /MODIFIED qualifier to indicate the time attribute to be used as the basis for selection. The /CREATED qualifier is the default.

For complete information on specifying time values, refer to the OpenVMS User's Manual or the online help topic DCL_Tips (subtopic Date_Time).

/BY_OWNER[=uic]

Selects files whose owner's UIC matches the UIC specified. The default UIC is that of the current process.

/CLASS=class-name

Specifies the class of the object whose profile is to be modified. By default, the command assumes the object class is FILE.

/CONFIRM

Controls whether SET SECURITY prompts for verification before performing the operation. Valid responses are YES, NO, TRUE, and FALSE. Answers are not case sensitive and can be abbreviated to one letter. To stop processing the command at any point, type QUIT or press Ctrl/Z. To cancel the verification procedure but to proceed with the command, type ALL.

/COPY_ATTRIBUTE=(keyword[,...])

Specifies a subset of security elements to transfer from a source object to a target object. Valid keywords include the following:
  Keyword          Description
  ALL (default)    Copy all security elements
  ACL              Copy the access control list
  OWNER            Copy the owner
  PROTECTION       Copy the protection code

Use the /COPY_ATTRIBUTE qualifier with the /LIKE qualifier. For example, you can create an ACL for an object and then copy its ACL to new objects.

/CREATED

Modifies the time value specified with the /BEFORE or the /SINCE qualifier. The /CREATED qualifier selects files according to the date they were created (rather than by the backup, expiration, or modification date). By default, SET SECURITY selects files according to their creation date.

/DELETE[=ALL]

Deletes ACEs according to the following rules:
  • The expression /ACL=aces/DELETE deletes the named ACEs.
  • The expression /ACL/DELETE deletes all unprotected ACEs.
  • The expression /ACL/DELETE=ALL deletes all ACEs including protected ACEs.
  • The expression /ACL=aces/DELETE=ALL deletes the existing ACL (if any) and creates a new ACL containing only the ACEs specified with the /ACL qualifier.

/DEFAULT

Regenerates the security profile of a file. The /DEFAULT qualifier changes the protection code, the ACL, and the owner elements of a file to what they would be if the file had just been created. The profile is recreated according to the following rules:
  • The protection code is propagated from the default protection ACE on the directory (if one exists), or else it is propagated from the process default.
  • The ACL is propagated from the parent directory for those ACEs that have the default option.
  • The owner is set to the owner of the parent directory.

With subdirectory files, SET SECURITY assigns the owner, protection, and ACL elements of the parent directory.

SET SECURITY does not copy any ACE on the source object if the ACE holds the nopropagate attribute nor does it change any ACE on the target object if the ACE holds the protected attribute. To apply new elements to all versions of the file, specify ;* in the object name. Refer to the HP OpenVMS Guide to System Security for more information on propagation rules.

/EDIT

Invokes the access control list editor (ACL editor) and allows you to modify an ACL interactively. The ACL editor does not allow the asterisk (*) and the percent sign (%) wildcard characters in an object name. You must specify the object whose ACL you are editing.

The /EDIT qualifier must be the first qualifier on the command line; other qualifiers can include /CLASS and, if the class is SECURITY_CLASS, you can include the /PROFILE qualifier. Whenever an object does not belong to the FILE class, you also need to specify /CLASS.

Refer to the ACL editor in the HP OpenVMS System Management Utilities Reference Manual for more information.

/EXCLUDE=(filespec[,...])

Excludes the specified files from the SET SECURITY operation. You can include a directory, but not a device, in the file specification. You cannot use relative version numbers to exclude a specific version.

/EXPIRED

Modifies the time specified with the /BEFORE or the /SINCE qualifier. The /EXPIRED qualifier selects files according to their expiration dates rather than by the backup, creation, or modification date. (The expiration date is set with the SET FILE/EXPIRATION_DATE command.) By default, files are selected according to their creation date.

/LIKE=(NAME=source-object-name
[,CLASS=source-object-class] [,PROFILE=TEMPLATE=template-name])

Identifies the object from which SET SECURITY should copy security elements. The /LIKE qualifier replaces an object's existing elements with those of the source object. Nopropagate ACEs are not transferred and protected ACEs on the target object are not deleted. Use the /COPY_ATTRIBUTE qualifier with the /LIKE qualifier to copy an object's elements. Refer to the HP OpenVMS Guide to System Security for information about the special handling of protected and nopropagate ACEs.

The object class of the source object defaults to the class of the target object. When the /CLASS qualifier is omitted, the CLASS keyword defaults to FILE.

The PROFILE keyword applies to security class objects. It identifies which template of the security class you want to copy and modify. See /PROFILE for more information.

/LOG

Controls whether the SET SECURITY command displays the name of the object that has been modified by the command. The qualifier is invalid with the /EDIT qualifier.

/MODIFIED

Modifies the time value specified with the /BEFORE or the /SINCE qualifier. The /MODIFIED qualifier selects files according to the dates on which they were last modified, rather than by the backup, creation, or expiration date. By default, files are selected according to their creation date.

/OWNER=identifier

Requires GRPPRV (group privilege) to set the owner to another member of the same group. Requires SYSPRV (system privilege) to set the owner to any user identification code (UIC) outside your group.

Modifies the owner element of an object. Specify the user identification code (UIC) or general identifier in the standard format. Modifying the owner element of a file usually requires privileges. Refer to the HP OpenVMS Guide to System Security for more information.

/PROFILE=TEMPLATE[=template-name]

Identifies which template profile of a security class object you want to modify. All object classes except FILE have at least one template profile. These template profiles define the basis of the profile of new objects. Use the DCL command SHOW SECURITY/CLASS=SECURITY_CLASS to display template names. When no value is given for template-name, SET SECURITY uses the template named DEFAULT.

Include the /CLASS=SECURITY_CLASS qualifier to identify which profile you want to modify.

/PROTECTION=(ownership[:access][,...])

Cannot be used to change the protection on a file by using DECnet software.

Modifies the protection code of an object. The protection code defines the type of access allowed to users, based on their relationship to the object's owner.

Specify the ownership parameter as system (S), owner (O), group (G), or world (W).

Access types are class specific and are shown in the Description section. For access, use the first letter of the access name. The Examples section provides you with models of protection codes.

/REPLACE=(ace[,...])

Eliminates entries listed with the /ACL qualifier and adds entries listed with the /REPLACE qualifier. SET SECURITY inserts the entries listed with /REPLACE in the position of the last deleted ACE.
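As an added illustration of the /ACL, /AFTER, /DELETE and /REPLACE ordering rules described above (example code, not from HP's documentation), the following Python models the ACL each qualifier combination produces. The Ace class, its protected flag and the function names are the example's own; identifier resolution and the ACL editor are not modelled.

```python
"""Model of how the SET SECURITY ACL qualifiers rearrange an access control
list: /ACL adds at the top, /AFTER positions after a named ACE, /DELETE
removes entries, /DELETE=ALL rebuilds, and /REPLACE swaps entries in place.
Added example, not HP code; identifier resolution ([USER,CHEKOV]) and the
ACL editor are not modelled, only the ordering rules the text states."""


class Ace:
    """One Identifier ACE.  'protected' stands for the PROTECTED option."""

    def __init__(self, identifier, access, protected=False):
        self.identifier = identifier
        self.access = access            # e.g. "READ+WRITE"
        self.protected = protected

    def __eq__(self, other):
        return (self.identifier, self.access) == (other.identifier, other.access)

    def __repr__(self):
        opt = ",OPTIONS=PROTECTED" if self.protected else ""
        return "(IDENTIFIER=%s,ACCESS=%s%s)" % (self.identifier, self.access, opt)


def add(acl, aces, after=None):
    """/ACL=aces: insert at the top of the ACL; with /AFTER=ace, insert
    directly after the first ACE matching 'after' instead."""
    if after is None:
        return list(aces) + list(acl)
    for i, ace in enumerate(acl):
        if ace == after:
            return list(acl[:i + 1]) + list(aces) + list(acl[i + 1:])
    raise ValueError("/AFTER ACE not in ACL: %r" % (after,))


def delete(acl, aces=None, all_=False):
    """The four /DELETE rules from the qualifier description:
    /ACL=aces/DELETE      -> the named ACEs go
    /ACL/DELETE           -> all unprotected ACEs go
    /ACL/DELETE=ALL       -> every ACE goes, protected ones included
    /ACL=aces/DELETE=ALL  -> the old ACL is dropped and rebuilt from aces"""
    if aces:
        return list(aces) if all_ else [a for a in acl if a not in aces]
    if all_:
        return []
    return [a for a in acl if a.protected]


def replace(acl, old, new):
    """/ACL=old/REPLACE=new: remove the 'old' entries and put the 'new'
    entries where the last removed entry stood."""
    kept, position = [], None
    for ace in acl:
        if ace in old:
            position = len(kept)
        else:
            kept.append(ace)
    if position is None:
        raise ValueError("none of the /ACL entries are in the ACL")
    return kept[:position] + list(new) + kept[position:]


if __name__ == "__main__":
    # Example #1 from the page: /DELETE=ALL with two new ACEs supersedes
    # the single existing entry instead of being added above it.
    before = [Ace("[USER,VARANESE]", "CONTROL")]
    new = [Ace("CHEKOV", "CONTROL"), Ace("WU", "READ+WRITE")]
    print(delete(before, new, all_=True))
    print(add(before, new))   # without /DELETE=ALL: new ACEs go on top
```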

/SECRECY

Reserved for use by HP.

/SINCE[=time]

Selects only those files dated on or after the specified time. You can specify time as absolute time, as a combination of absolute and delta times, or as one of the following keywords: BOOT, LOGIN, TODAY (default), TOMORROW, or YESTERDAY. Specify the /CREATED or the /MODIFIED qualifier to indicate the time attribute to be used as the basis for selection. The /CREATED qualifier is the default.

For complete information on specifying time values, refer to the OpenVMS User's Manual or the online help topic DCL_Tips (subtopic Date_Time).

/STYLE=keyword

Specifies the file name format for display purposes.

The valid keywords for this qualifier are CONDENSED and EXPANDED. Descriptions are as follows:

  Keyword               Explanation
  CONDENSED (default)   Displays the file name representation of what is generated to fit into a 255-length character string. This file name may contain a DID or FID abbreviation in the file specification.
  EXPANDED              Displays the file name representation of what is stored on disk. This file name does not contain any DID or FID abbreviations.

The keywords CONDENSED and EXPANDED are mutually exclusive. This qualifier specifies which file name format is displayed in the output message, along with the confirmation if requested.

File errors are displayed with the CONDENSED file specification unless the EXPANDED keyword is specified.

Refer to the HP OpenVMS System Manager's Manual, Volume 1: Essentials for more information.


Examples

#1

$  SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE
LNM$GROUP object of class LOGICAL_NAME_TABLE
     Owner: [SYSTEM]
     Protection: (System: RWCD, Owner: R, Group: R, World: R)
     Access Control List:
          (IDENTIFIER=[USER,VARANESE],ACCESS=CONTROL)
$  SET SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE -
_$      /ACL=((IDENTIFIER=CHEKOV,ACCESS=CONTROL), -
_$            (IDENTIFIER=WU,ACCESS=READ+WRITE)) -
_$       /DELETE=ALL -
_$       /PROTECTION=(S:RWCD, O:RWCD, G:R, W:R)
$  SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE
LNM$GROUP object of class LOGICAL_NAME_TABLE
     Owner: [SYSTEM]
     Protection: (System: RWCD, Owner: RWCD, Group: R, World: R)
     Access Control List:
          (IDENTIFIER=[USER,CHEKOV],ACCESS=CONTROL)
          (IDENTIFIER=[USER,WU],ACCESS=READ+WRITE)


This example shows how to make a straightforward change to the security elements of an object. The first SHOW SECURITY command displays the current settings of the LNM$GROUP logical name table. The SET SECURITY command resets the ACL to allow control access for user Chekov, and to allow read and write access for user Wu. Note that without the /DELETE=ALL qualifier, these ACEs would have been added to the existing ACL rather than superseding it. The protection is also changed to allow read, write, create, and delete access for the owner. The last command displays the results of the changes.

#2

$  SHOW SECURITY LNM$GROUP /CLASS=LOGICAL_NAME_TABLE
LNM$GROUP object of class LOGICAL_NAME_TABLE
     Owner: [SYSTEM]
     Protection: (System: RWCD, Owner: R, Group: R, World: R)
     Access Control List:
          (IDENTIFIER=[USER,FERNANDEZ],ACCESS=CONTROL)
$  SHOW SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE
LNM$JOB object of class LOGICAL_NAME_TABLE
     Owner: [USER,WEISS]
     Protection: (System: RWCD, Owner: RWCD, Group, World)
     Access Control List:  <empty>
$  SET SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE -
_$      /LIKE=(NAME=LNM$GROUP, CLASS=LOGICAL_NAME_TABLE) -
_$      /COPY_ATTRIBUTE=PROTECTION
$  SET SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE -
_$      /ACL=(IDENTIFIER=FERNANDEZ, ACCESS=READ)
$  SHOW SECURITY LNM$JOB /CLASS=LOGICAL_NAME_TABLE
LNM$JOB object of class LOGICAL_NAME_TABLE
     Owner: [USER,WEISS]
     Protection: (System: RWCD, Owner: R, Group: R, World: R)
     Access Control List:
          (IDENTIFIER=[USER,FERNANDEZ],ACCESS=READ)


This example shows how to copy security access information from one object to another and, at the same time, set some elements explicitly. The first two SHOW SECURITY commands display the current settings for the LNM$GROUP and LNM$JOB logical name tables. The first SET SECURITY command copies the protection code from the LNM$GROUP logical name table to the LNM$JOB logical name table; the second SET SECURITY command adds an ACE to allow read access to another user. The final SHOW SECURITY command shows the effect of the changes.

#3

$  SHOW SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS
SECURITY_CLASS object of class SECURITY_CLASS
     Owner: [SYSTEM]
     Protection: (System: RWED, Owner: RWED, Group: R, World: R)
     Access Control List:  <empty>
  Template: DEFAULT
     Owner: [SYSTEM]
     Protection: (System: RWED, Owner: RWED, Group, World: RE)
     Access Control List:   <empty>
$  SET SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS -
_$      /PROFILE=TEMPLATE=DEFAULT -
_$      /PROTECTION=(S:RWE, O:RWE, G:RE)
$  SHOW SECURITY SECURITY_CLASS /CLASS=SECURITY_CLASS
SECURITY_CLASS object of class SECURITY_CLASS
     Owner: [SYSTEM]
     Protection: (System: RWED, Owner: RWED, Group: R, World: R)
     Access Control List:  <empty>
  Template: DEFAULT
     Owner: [SYSTEM]
     Protection: (System: RWE, Owner: RWE, Group: RE, World: RE)
     Access Control List:  <empty>


This example demonstrates how to change the security elements for the template of a security class object. The first command shows the current settings for the SECURITY_CLASS object. The second command changes the DEFAULT template of the SECURITY_CLASS object such that the protection is (S:RWE, O:RWE, G:RE). The change is shown in the display of the last command. The world protection of RE remains unchanged.

#4

$  DIRECTORY/SECURITY
Directory DKA200:[DATA]
FILE001.DAT;1        [SYSTEM]                         (RWED,RWED,RE,)
Total of 1 file.
$  SET SECURITY/CLASS=FILE/PROTECTION=(WORLD:RE)/LOG FILE001.DAT
%SET-I-MODIFIED, DKA200:[DATA]FILE001.DAT;1 modified
$  DIRECTORY/SECURITY
Directory DKA200:[DATA]
FILE001.DAT;1        [SYSTEM]                       (RWED,RWED,RE,RE)
Total of 1 file.
$


This example shows how to set UIC-based protection codes on an object. The first DIRECTORY command displays the current security settings on the file FILE001.DAT. The SET SECURITY command changes the protection codes on the file to allow read and execute access for all users. The last command displays the results of the change.
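The protection-code forms used in these examples (the /PROTECTION qualifier form, the SHOW SECURITY display form and the positional DIRECTORY/SECURITY form) together with the per-class access types from the Description section, handled by an added Python example that is not part of the HP documentation: it parses a code, rejects letters the object class does not support, and reports Group or World grants beyond read and execute. The class table and category names come from this page; the audit thresholds are the example's own assumption.

```python
"""Parse and audit OpenVMS protection codes in the three forms seen around
SET SECURITY: qualifier form '(S:RWCD, O:RWCD, G:R, W:R)', SHOW SECURITY
display form '(System: RWCD, Owner: R, Group, World)', and the positional
DIRECTORY/SECURITY form '(RWED,RWED,RE,)'.  Added example, not HP code."""

# Access types per object class, copied from the SET SECURITY description
# table.  A protection code names each access type by its first letter.
CLASS_ACCESS = {
    "CAPABILITY": ("Use", "Control"),
    "COMMON_EVENT_FLAG_CLUSTER": ("Associate", "Delete", "Control"),
    "DEVICE": ("Read", "Write", "Physical", "Logical", "Control"),
    "FILE": ("Read", "Write", "Execute", "Delete", "Control"),
    "GROUP_GLOBAL_SECTION": ("Read", "Write", "Execute", "Control"),
    "ICC_ASSOCIATION": ("Open", "Access", "Control"),
    "LOGICAL_NAME_TABLE": ("Read", "Write", "Create", "Delete", "Control"),
    "QUEUE": ("Read", "Submit", "Manage", "Delete", "Control"),
    "RESOURCE_DOMAIN": ("Read", "Write", "Lock", "Control"),
    "SECURITY_CLASS": ("Read", "Write", "Control", "Logical I/O", "Physical I/O"),
    "SYSTEM_GLOBAL_SECTION": ("Read", "Write", "Execute", "Control"),
    "VOLUME": ("Read", "Write", "Create", "Delete", "Control"),
}

CATEGORIES = ("System", "Owner", "Group", "World")   # ownership, in code order


def parse_protection(code):
    """Return {category: set(access letters)} for the categories present.
    A display-form category without a colon ('Group') grants no access."""
    body = code.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    fields = [f.strip() for f in body.split(",")]
    if ":" not in body:
        # Positional DIRECTORY/SECURITY form: four fields, System..World.
        if len(fields) != 4:
            raise ValueError("positional code needs four fields: %r" % code)
        return {cat: set(f.upper()) for cat, f in zip(CATEGORIES, fields)}
    result = {}
    for field in fields:
        if not field:
            continue
        name, _, access = field.partition(":")
        match = [c for c in CATEGORIES if c[0] == name.strip()[:1].upper()]
        if not match:
            raise ValueError("unknown ownership category: %r" % name)
        result[match[0]] = set(access.strip().upper())
    return result


def invalid_access(prot, object_class):
    """'Category:X' for each letter that is not an access type of the class."""
    valid = {name[0] for name in CLASS_ACCESS[object_class]}
    return ["%s:%s" % (cat, ch) for cat, letters in prot.items()
            for ch in sorted(letters) if ch not in valid]


def broad_grants(prot):
    """One finding per Group or World grant beyond Read and Execute.
    Control is reported by name: it lets the holder rewrite the whole
    security profile, as the description's 'control access' notes."""
    findings = []
    for cat in ("Group", "World"):
        extra = prot.get(cat, set()) - {"R", "E"}
        if "C" in extra:
            findings.append("%s: CONTROL" % cat)
            extra.discard("C")
        if extra:
            findings.append("%s: %s" % (cat, "".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    prot = parse_protection("(System: RWCD, Owner: RWCD, Group: R, World: R)")
    print(invalid_access(prot, "LOGICAL_NAME_TABLE"), broad_grants(prot))
```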


SET SERVER

Controls the ACME, Registry, and Security servers.

Requires SYSPRV privilege. ACME commands also require SETPRV privilege.


Format

SET SERVER server-name


Parameter

server-name

Valid values are: ACME_SERVER, REGISTRY_SERVER, and SECURITY_SERVER.

Description

The SET SERVER command provides a system manager with the ability to control the ACME, Registry, and security servers.

ACME Server

The SET SERVER ACME command is used to manage the Authentication and Credential Management Extension (ACME) server process, ACME_SERVER. Specifying this command allows you to start, stop, and restart the ACME server.

The ACME_SERVER process is a detached, kernel-threaded server process that services user authentication requests. These requests are received from client processes that use the SYS$ACM system service. One or more ACME agents assist in processing these requests. An ACME agent is a shareable image that is dynamically activated within the ACME_SERVER process.

The ACME_SERVER process is created automatically at system startup with the VMS ACME agent configured and enabled.

By default, the ACME_SERVER process runs under the SYSTEM account profile ([1,4]) with the following privileges: DETACH, SYSNAM, PSWAPM, SHARE, TMPMBX, EXQUOTA, AUDIT, CMKRNL, WORLD, and SETPRV.

The ACME_SERVER process is created with the following quotas:


ASTLM     = 200
BIOLM     = 200
BYTLM     = 100000
DIOLM     = 200
ENQLM     = 1000
FILLM     = 64
JTQUOTA   = 4096
PGFLQUOTA = 100000
PRCLM     = 4
TQELM     = 64
WSQUOTA   = 2048
WSDEFAULT = 1024
WSEXTENT  = 4096

Default UIC, privileges, and quotas can be overridden when the server is started.

In the event of an abnormal process termination, the server will automatically restart and replay all commands directed to it since the previous startup. When the server is running normally, all configuration commands are saved to a staging file, SYS$MANAGER:ACME$SERVER_CONFIG.TMP. Prior to restart, the server creates a restart file located in SYS$MANAGER:ACME$SERVER_RESTART.DAT using selected contents of the staging file. The contents of this file are used to replay configuration commands when the new process is started.

The ACME_SERVER process directs SYS$ERROR output to the SYS$MANAGER:ACME_SERVER_ERROR.LOG file. This file exists only if unexpected errors are encountered during operation.

Log file entries generated by the server and ACME agents are written to the SYS$MANAGER:ACME$SERVER.LOG file.

The SET SERVER ACME commands are used to perform these operations:

  • Start and stop the ACME_SERVER process.
  • Configure (dynamically activate) ACME agents.
  • Enable and disable ACME agents (after they are configured).
  • Suspend and resume request processing. (ACME agents reenter the "initial" state for system management reasons, for example, system backup operations.)
  • Control logging and tracing.

The SHOW SERVER ACME commands are used to display server and agent information.

The following sequence of commands is used to create the server and enable request processing:

  1. SET SERVER ACME/START
    This command creates the server process.
  2. SET SERVER ACME/CONFIGURE
    This command configures one or more ACME agents.
  3. SET SERVER ACME/ENABLE
    This command enables ACME agent request processing.

For additional information, see the SHOW SERVER ACME command and refer to the Guide to VMS System Security.

For information about the SYS$ACM system service, refer to the HP OpenVMS System Services Reference Manual.

Registry Server

Specifying this parameter allows you to start, stop, and restart the Registry server. The Registry server maintains information stored in the Registry database.

The Registry database is used by COM, Advanced Server for OpenVMS, and other applications.

For more information about the Registry database and the $REGISTRY system service, refer to the HP OpenVMS System Services Reference Manual. See also the SHOW SERVER command.

Security Server

Specifying this parameter allows you to start, stop, and restart the security server. The security server maintains information stored in the system intrusion and proxy databases.

The system intrusion database is used by LOGINOUT, DECnet-Plus, DECwindows, SHOW INTRUSION, DELETE INTRUSION, and other applications. For more information about the system intrusion database and $DELETE_INTRUSION, $SCAN_INTRUSION, and $SHOW_INTRUSION system services, refer to the HP OpenVMS System Services Reference Manual. For further information, refer to the HP OpenVMS Guide to System Security.

The system proxy database is used by AUTHORIZE, DECnet-Plus, DFS, and other applications to access information stored in the network proxy database. Additional information can be found in the HP OpenVMS System Management Utilities Reference Manual. See also the $ADD_PROXY, $DELETE_PROXY, $DISPLAY_PROXY, and $VERIFY_PROXY system services in the HP OpenVMS System Services Reference Manual.


Qualifiers

/ABORT

The /ABORT qualifier is supported by the ACME and Registry servers.

ACME Server

Forces the ACME_SERVER process to terminate without graceful shutdown of ACME agents. Pending requests are cancelled.

This command can be used if a malfunctioning ACME agent prevents a graceful shutdown.

Registry Server

Aborts the Registry server on the specified node or nodes in the cluster.

Cannot be used with the /EXIT, /RESTART, or /START qualifiers.

/CANCEL

The /CANCEL qualifier is supported by the ACME server.

ACME Server

Cancels pending dialogue requests. Pending dialogue requests are outstanding requests to SYS$ACM callers to supply dialogue response data. Active requests being serviced by the ACME_SERVER process are allowed to complete normally.

Can only be used with /EXIT and /DISABLE qualifiers.

/CLUSTER

The /CLUSTER qualifier is supported by the ACME and Registry servers.

ACME Server

Issues the SET command to each ACME server in the cluster.

Registry Server

Issues the SET command to each Registry server in the cluster, setting the Registry master server last.

Cannot be used with the /MASTER or /NODE qualifiers.

/CONFIGURE=((NAME=name [,CREDENTIALS=credentials] [,FACILITY=facility] [,FILE=file] [,THREAD_MAX=n])[,...])

The /CONFIGURE qualifier is supported by the ACME server.

