HP OpenVMS System Manager's Manual, Volume 1:...
Security Considerations

Understanding Ways to Protect Objects

The OpenVMS operating system offers two primary protection mechanisms. The first, UIC-based protection, is based on the user identification code (UIC) and is applied to all protected objects.

The second protection mechanism uses access control lists (ACLs), which employ a more refined level of protection than that available with UIC-based protection. ACLs can be used to grant or deny access to individual users or groups of users.

Interpreting a User Identification Code

Your user identification code (UIC) tells what group you belong to and what your unique identification is within that group.

The Authorize utility assigns each user process in the system a unique UIC in the user authorization file (UAF). Each object on the system is also associated with a UIC (typically the UIC of its creator).

A UIC consists of two parts, group and member, specified in the following format:

[group,member]

A UIC can be either numeric or alphanumeric. A numeric UIC consists of a group number in the range 0 through 37776 (octal) and a member number in the range 0 through 177776 (octal). HP reserves group 1 and groups 300-377.

Understanding Protection Codes

A protection code controls the type of access allowed (or denied) to a particular user or group of users. It has the following format:

[user category: list of access allowed (, user category: list of access allowed,...)]

user category

User categories include system (S), owner (O), group (G), and world (W). Each category can be abbreviated to its first character. Categories have the following definitions:

When specifying more than one user category, separate the categories with commas, and enclose the entire code in parentheses. You can specify user categories and access types in any order.

A null access specification means no access, so when you omit an access type for a user category, that category of user is denied that type of access. To deny all access to a user category, specify the user category without any access types. Omit the colon after the user category when you are denying access to a category of users.

When you omit a user category from a protection code, the current access allowed that category of user remains unchanged.

access-list

Access types are object-dependent and are described in the OpenVMS Guide to System Security. For files, the access types include read (R), write (W), execute (E), and delete (D). The access type is assigned to each user category and is separated from its user category by a colon (:).

Example

The protection code in the following example allows system users full access to an object, the owner full access except delete, and group and world users no access:

$ SET SECURITY/PROTECTION=(S:RWED,O:RWE,G,W) [JONES]MY_FILE.TXT

How to Change the Default Protection

The operating system provides each process with a default UIC-based protection of (S:RWED,O:RWED,G:RE,W). To change the default protection, enter the SET PROTECTION/DEFAULT command, as shown in the following example:

$ SET PROTECTION=(S:RWED,O:RWED,G:RE,W:RE)/DEFAULT
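The following Python snippet is an added illustration, not part of the manual or of OpenVMS itself. It parses a protection code in the format described above and applies the manual's rules (a named category gets exactly the listed access types, a category named without access types gets none, an omitted category keeps its current access) to a starting protection such as the process default. It assumes the file access types R, W, E and D and the four categories S, O, G and W; full category names (SYSTEM, OWNER, GROUP, WORLD) are accepted as the manual allows abbreviation to the first character.

```python
# Added example: parse and apply OpenVMS-style UIC protection codes.
CATEGORY_NAMES = {"SYSTEM": "S", "OWNER": "O", "GROUP": "G", "WORLD": "W"}
CATEGORIES = "SOGW"
ACCESS_TYPES = "RWED"  # file access types: read, write, execute, delete


def parse_protection_code(code):
    """Parse a code such as (S:RWED,O:RWE,G,W) into {category: set(access)}.

    A category given without a colon or with an empty list maps to the empty
    set (no access). Categories not mentioned are absent from the result,
    which means "leave unchanged" when the code is applied.
    """
    text = code.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    result = {}
    for field in text.split(","):
        field = field.strip().upper()
        if not field:
            continue  # tolerate a trailing comma
        cat, _, access = field.partition(":")
        cat = CATEGORY_NAMES.get(cat.strip(), cat.strip())
        if cat not in CATEGORIES:
            raise ValueError(f"unknown user category in field {field!r}")
        if cat in result:
            raise ValueError(f"category {cat} given twice")
        access = access.strip()
        unknown = set(access) - set(ACCESS_TYPES)
        if unknown:
            raise ValueError(f"unknown access type(s) {sorted(unknown)}")
        result[cat] = set(access)  # empty set == access denied
    return result


def apply_protection_code(current, code):
    """Return the protection that results from applying `code` to `current`."""
    new = {cat: set(access) for cat, access in current.items()}
    new.update(parse_protection_code(code))  # omitted categories unchanged
    return new


def format_protection(prot):
    """Render a protection dict in the manual's (S:...,O:...,G:...,W:...) form."""
    parts = []
    for cat in CATEGORIES:
        access = "".join(t for t in ACCESS_TYPES if t in prot.get(cat, set()))
        parts.append(f"{cat}:{access}" if access else cat)
    return "(" + ",".join(parts) + ")"


# The default process protection quoted in the manual.
DEFAULT_PROTECTION = parse_protection_code("(S:RWED,O:RWED,G:RE,W)")
```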
