HP 3000 Manuals

Built-in Basic Security Features [ Controlling System Activity ] MPE/iX 5.0 Documentation


Controlling System Activity

Built-in Basic Security Features 

The account structure contains four important, built-in security
features:  passwords, lockwords, capabilities, and file access
restrictions.

Passwords and Lockwords 

The account structure provides for passwords at the account, group, and
user level, and lockwords at the file level.  If you name a password for
an account or group when you create it, users must supply that password
to log on to the account or group.  Without a password, an account or
group is open to access by anyone who knows its name.  User passwords add
an additional level of security to your system.

When an account, group, or user does not have a password, it is said to
have a blank password.

Passwords must contain from five to eight alphanumeric characters,
beginning with an alphabetic character.  When assigning passwords, system
managers should not assign names of friends or relatives.  User passwords
should be changed quarterly or when someone leaves the organization.  All
other MPE passwords should be changed every 3, 6, or 12 months depending
on the data sensitivity on your system.  For more security information,
refer to "The Security Maintenance Checklist" in appendix B.

Lockwords act as passwords for files.  The creator of a file can assign a
lockword.  If a file has a lockword, you must supply it before you can
access that file.  If you are a system manager (with SM capability) or
account manager (with AM capability), you can determine file lockwords
with the LISTF command (documented in MPE XL Commands Reference Manual 
(32650-90003)).

Figure 2-4 illustrates how lockwords and passwords work at different
levels.

Figure 2-4. Passwords

Capabilities

A variety of people use HP 3000 Computer Systems.  They range from those
who use the system only to run simple application programs to system
programmers who modify MPE XL.  The user who runs application programs,
for example, needs only to be able to log on, run a particular program or
set of programs, and log off.  A system programmer, on the other hand,
needs access to special system functions.

Capabilities help you control who has access to what parts of the
system.  In order to create permanent files, for example, a user must
have save files permanently (SF) capability.  To begin a session on a
terminal from within a session, a user must have programmatic sessions
(PS) capability.  Refer to Table 2-1, later in this chapter, for a list
of all capabilities and their standard abbreviations.  Refer to appendix
A for a complete description of each capability.

Account, Group, and User Capabilities

You assign capabilities at the account, group, and user level.  Account
capabilities are the capabilities available to account users and groups.
Group capabilities are the subset of account capabilities available to
users logged on to a group and to files within the group.  Notice, in
Table 2-1, that only a subset of the capabilities applies to groups.
User capabilities are the subset of account capabilities available to a
particular user.

When a user issues an MPE command or an intrinsic call, the system checks
the user's account, group, and user capabilities against those required
for the command or intrinsic.

Files also have capabilities, especially program files.  For example, a
user does not need privileged mode (PM) capability to run a privileged
mode program, but the program itself must have PM capability and the
group in which the program file resides must have PM capability.

Listing Capabilities

Three commands allow the system manager to list capabilities of accounts,
groups, and users:  LISTACCT, LISTGROUP, and LISTUSER.
Listing Account Capabilities With the LISTACCT Command

Use LISTACCT to check the capabilities of an account.  To check the
capabilities for the SMITH account, including the password, enter:

     LISTACCT SMITH;PASS

The following account information appears on the screen:

     ***************
     ACCOUNT: SMITH

     DISC SPACE:   754115 (SECTORS)     PASSWORD: ACCTPASS
     CPU TIME:      33330 (SECONDS)     LOC ATTR: $00000000
     CONNECT TIME:    102 (MINUTES)     SECURITY-- READ    :ANY
     DISC LIMIT:   UNLIMITED                       WRITE   :AC
     CPU LIMIT:    UNLIMITED                       APPEND  :AC
     CONNECT TIME: UNLIMITED                       LOCK    :ANY
     MAX PRI:      150                             EXECUTE :ANY
     GROUP UFID: $0000001 $800001050 $00138A20 $00000008 $000001FA
     USER UFID : $0004001 $800001050 $00138C20 $00000008 $000001FB
     CAP: AM,AL,GL,DI,CV,UV,LG,CS,ND,SF,IA,BA,PH,DS,MR,PM

Refer to appendix A for definitions of the capabilities.  Users with
system manager (SM) capability can list any account on the system; all
other users can list only their own accounts.  Refer to the MPE XL
Commands Reference Manual (32650-90003) for more information on the
LISTACCT command.

Listing Group Capabilities With the LISTGROUP Command

Use LISTGROUP to display capabilities for one or more groups.  For
account managers (AM) and system managers (SM), the default is all (@)
groups within the user's logon account; for general users, the default
is the logon group.  Use the wildcard characters to specify more than one
group.
To check group capabilities and the password of the group ENGR in the
account you are logged on to, enter:

     LISTGROUP ENGR;PASS

The screen displays:

     THE "PASS" OPTION REQUIRES AM OR SM CAPABILITIES (CIWARN 720)

     ******************
     GROUP: ENGR.SMITH

     DISC SPACE:     5752 (SECTORS)     PASSWORD: * *
     CPU TIME:        102 (SECONDS)     SECURITY-- READ    : GU
     CONNECT TIME:      0 (MINUTES)                WRITE   : GU
     DISC LIMIT:   UNLIMITED                       APPEND  : GU
     CPU LIMIT:    UNLIMITED                       LOCK    : GU
     CONNECT TIME: UNLIMITED                       EXECUTE : GU
     PRIV VOL :    n/a                             SAVE    : GU
     FILE UFID: $000D401 $80001050 $000FF620 $00000008 $0000000A
     MOUNT REF CNT: n/a
     HOME VOL SET : MPE_SYS_VOL_SET
     CAP: IA,BA

Refer to appendix A for definitions of the capabilities.  In this
example, the user does not have AM or SM capability, so the password does
not appear on the screen.  Refer to the MPE XL Commands Reference Manual
(32650-90003) for more information on the LISTGROUP command.

Listing User Capabilities With the LISTUSER Command

Use the LISTUSER command to check the capabilities of a user.  The
default is all (@) users and accounts within the user's capabilities (AM
or SM).  For example, to review the capabilities of the user BORIS in the
JONES account, enter:

     LISTUSER BORIS;PASS

The screen displays:

     ********************
     USER: BORIS.JONES
     HOME GROUP: DEVELOP               PASSWORD: MYPASS
     MAX PRI : 150                     LOC ATTR: $00000000
     CONNECT TIME: 0(MINUTES)          WRITE : GU
     LOGON CNT : 1
     CAP: AM,AL,GL,DI,DV,UV,LG,CS,ND,SF,IA,BA,PH,DS,MR,PM

Refer to appendix A for definitions of the capabilities.  Users with
system manager (SM) capability can list any user in the system.
Users with account manager (AM) capability can list any user in their
account.  Other users can list only their logon user.  For more
information on the LISTUSER command, refer to the MPE XL Commands
Reference Manual (32650-90003).

          Table 2-1.  Capabilities

     -----------------------------------------------------------------
     Capability                    Abbreviation  Account  Group  User
     -----------------------------------------------------------------
     System manager                SM            X               X
     System supervisor             OP            X               X
     Account manager               AM            X               X
     Account librarian             AL            X               X
     Batch access                  BA            X        X      X
     Use communications software   CS            X               X
     Diagnostician attribute       DI            X               X
     Extra data segments           DS            X        X      X
     Group librarian               GL            X               X
     Interactive access            IA            X        X      X
     Multiple RIN                  MR            X        X      X
     Network administrator         NA            X               X
     Node manager                  NM            X               X
     Use nonshareable devices      ND            X               X
     Use private disk volumes      UV            X               X
     Privileged mode               PM            X        X      X
     Process handling              PH            X        X      X
     Programmatic sessions         PS            X               X
     Save user files permanently   SF            X               X
     Use user logging facility     LG            X               X
     Create volume sets            CV            X               X
     -----------------------------------------------------------------

Restricting File Access

Associated with each account, group, and individual file is a list of
file access restrictions.  Access restrictions apply to disk files only.
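The capability rules stated above (group and user capabilities are subsets of the account's, only the capabilities marked for groups in Table 2-1 may be assigned to a group, and a privileged mode program needs PM on both the program file and its group) can be checked mechanically against the CAP: lines that LISTACCT, LISTGROUP and LISTUSER display. The following Python is an added example, not code from the HP manual or from MPE; the screen fragments it reads are constructed samples in the format of the listings above, and the function and constant names are its own.

```python
"""Validate an MPE capability assignment against Table 2-1.

Added example, not part of the HP manual.  It encodes what the text
states: group and user capabilities are subsets of the account's
capabilities, only the capabilities marked for groups in Table 2-1 may
be assigned to a group, and a privileged mode program needs PM on both
the program file and its group.  The CAP: lines used as input are
constructed samples in the format of the LISTACCT/LISTGROUP/LISTUSER
screens.
"""
import re

# Table 2-1: abbreviation -> (capability name, assignable to a group?)
CAPABILITIES = {
    "SM": ("System manager", False),
    "OP": ("System supervisor", False),
    "AM": ("Account manager", False),
    "AL": ("Account librarian", False),
    "BA": ("Batch access", True),
    "CS": ("Use communications software", False),
    "DI": ("Diagnostician attribute", False),
    "DS": ("Extra data segments", True),
    "GL": ("Group librarian", False),
    "IA": ("Interactive access", True),
    "MR": ("Multiple RIN", True),
    "NA": ("Network administrator", False),
    "NM": ("Node manager", False),
    "ND": ("Use nonshareable devices", False),
    "UV": ("Use private disk volumes", False),
    "PM": ("Privileged mode", True),
    "PH": ("Process handling", True),
    "PS": ("Programmatic sessions", False),
    "SF": ("Save user files permanently", False),
    "LG": ("Use user logging facility", False),
    "CV": ("Create volume sets", False),
}
KNOWN = frozenset(CAPABILITIES)
GROUP_ASSIGNABLE = frozenset(a for a, (_, in_group) in CAPABILITIES.items() if in_group)

_CAP_LINE = re.compile(r"^CAP:\s*([A-Z]{2}(?:,[A-Z]{2})*)$")


def parse_cap_line(line):
    """Return the capability set from a 'CAP: AM,AL,...' screen line."""
    match = _CAP_LINE.match(line.strip())
    if not match:
        raise ValueError(f"not a CAP: line: {line!r}")
    return set(match.group(1).split(","))


def caps_from_screen(screen):
    """Pick the CAP: line out of a captured LISTACCT/LISTGROUP/LISTUSER screen."""
    for line in screen.splitlines():
        if line.strip().startswith("CAP:"):
            return parse_cap_line(line)
    raise ValueError("screen has no CAP: line")


def check_assignment(account_caps, group_caps, user_caps):
    """Return the list of rule violations; an empty list means consistent."""
    problems = []
    for label, caps in (("account", account_caps), ("group", group_caps), ("user", user_caps)):
        for cap in sorted(caps - KNOWN):
            problems.append(f"{label}: unknown capability {cap}")
    # Group and user capabilities must be subsets of the account's.
    for label, caps in (("group", group_caps), ("user", user_caps)):
        for cap in sorted((caps & KNOWN) - account_caps):
            problems.append(f"{label}: {cap} is not held by the account")
    # Table 2-1 marks only some capabilities as assignable to a group.
    for cap in sorted((group_caps & KNOWN) - GROUP_ASSIGNABLE):
        problems.append(f"group: {cap} ({CAPABILITIES[cap][0]}) is not a group capability")
    return problems


def privileged_program_runnable(program_caps, group_caps):
    """A PM program runs only if the program file and its group both hold PM;
    the user running it does not need PM."""
    return "PM" in program_caps and "PM" in group_caps


# Constructed sample screen fragments in the format shown in the text.
SAMPLE_ACCOUNT_SCREEN = """\
ACCOUNT: SMITH
CAP: AM,AL,GL,DI,CV,UV,LG,CS,ND,SF,IA,BA,PH,DS,MR,PM
"""
SAMPLE_GROUP_SCREEN = """\
GROUP: ENGR.SMITH
CAP: IA,BA
"""

if __name__ == "__main__":
    account = caps_from_screen(SAMPLE_ACCOUNT_SCREEN)
    group = caps_from_screen(SAMPLE_GROUP_SCREEN)
    print(check_assignment(account, group, {"IA", "BA", "SF"}))   # []
    for problem in check_assignment(account, {"IA", "SM"}, {"IA", "OP"}):
        print(problem)
```

Running the check over the listing output for every account, group and user is a quick way to spot a group carrying a capability Table 2-1 does not allow it, or a user whose capabilities exceed those of the account.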
Their restrictions are based on the following:

   * File access modes, such as reading, writing, saving, executing,
     locking, and appending.

   * User types, such as account librarians, group librarians, and
     account members for whom certain access modes are allowed.

The access restrictions for any file describe who can access it and in
what manner.

Access Modes

Table 2-2 lists file access modes, the codes used to reference them, and
their meanings.

          Table 2-2.  File Access Modes

     ---------------------------------------------------------------------
     Access Mode   Mnemonic Code   Meaning
     ---------------------------------------------------------------------
     READ          R               Allows users to read files.

     LOCK          L               Permits a user to prevent concurrent
                                   access to a file.  Specifically, it
                                   permits the use of the FLOCK and
                                   FUNLOCK intrinsics, and the
                                   exclusive-access option of the FOPEN
                                   intrinsic, all described in the MPE XL
                                   Intrinsics Reference Manual
                                   (32650-90028).

     APPEND        A               Allows users to add information and
                                   disk extents to files, but prohibits
                                   them from altering or deleting
                                   information already written.  This
                                   access mode implicitly allows the LOCK
                                   (L) access mode described above.

     WRITE         W               Allows users general writing access,
                                   permitting them to add, delete, or
                                   change any information in files.  This
                                   includes removing entire files from
                                   the system with the PURGE command.
                                   WRITE (W) access also implicitly
                                   allows the LOCK (L) and APPEND (A)
                                   access modes described previously.

     SAVE          S               Allows users to declare files within a
                                   group as permanent, and to rename such
                                   files.  This includes the ability to
                                   create new permanent files with the
                                   BUILD command.
     EXECUTE       X               Allows users to run programs stored in
                                   files with the RUN command or the
                                   CREATE and CREATEPROCESS intrinsics.
     ---------------------------------------------------------------------

User Types

Table 2-3 lists user types, the codes used to reference them, and their
complete descriptions.

          Table 2-3.  User Types

     ---------------------------------------------------------------------
     User Type               Mnemonic Code   Meaning
     ---------------------------------------------------------------------
     Any user                ANY             Any user defined in the
                                             system.  This includes all
                                             categories defined below.

     Account librarian user  AL              User with account librarian
                                             capability, who can manage
                                             certain files within the
                                             account, which may include
                                             more than one group.

     Group librarian user    GL              User with group librarian
                                             capability, who can manage
                                             certain files within a home
                                             group only.

     Creating user           CR              The user who created this
                                             file.

     Group user              GU              Any user allowed to access
                                             this group as the logon or
                                             home group, including all GL
                                             users applicable to this
                                             group.

     Account member          AC              Any user authorized access
                                             to the system under this
                                             account.  This includes all
                                             AL, GU, and CR users under
                                             this account.
     ---------------------------------------------------------------------

Users with system manager or account manager capability bypass the
standard file access restrictions.  A system manager has unlimited access
to any file in the system, but can only save files in the manager's own
account.  An account manager has unlimited access to any file in the
account, except one with a negative file code.
The account manager must have privileged mode (PM) capability to access a
file with a negative file code.

A file's group and account, as well as your capabilities, determine
whether you have access to the file.  For example, group librarian
capability gives you special access to files in your home group.  You do
not have special access to files in other groups.

Specifying File Access Restrictions

When a user tries to access a file, the system checks the account-level,
group-level, and file-level file access restrictions.  Those restrictions
must give the user access rights at all three levels.  If the user fails
to pass the security check at any level, the system denies the user
access to the file.

You set account file access restrictions when you create an account.  You
set group file access restrictions when you create a group.  As the
creator of a file, you can change its file-level access restrictions with
the ALTSEC command.

When you specify file access restrictions at a certain level, you list
the file access modes available to each type of user.  This listing has a
special format.  For example, at the account level, you might assign READ
and EXECUTE access to any user and APPEND, WRITE, and LOCK access only to
account users.  These sample file security provisions have the following
format:

     (R,X:ANY;A,W,L:AC)

In this example, READ and EXECUTE access are permitted to any user.
APPEND, WRITE, and LOCK access are permitted to account members only.

Account-level File Security

The system manager sets the access restrictions that apply to all files
within a given account when creating the account.  A system manager can
change the initial restrictions at any time (with the ALTACCT command).
For more information, refer to "System Manager Tasks" described later in
this chapter.

At the account level, the system recognizes two user types and five
access modes.  You can assign the access modes to the user types in any
way you choose.
The account-level user types are:

   * Any user (ANY)

   * Account member (AC)

The five account-level access modes are:

   * READ (R)

   * LOCK (L)

   * APPEND (A)

   * WRITE (W)

   * EXECUTE (X)

Refer to Table 2-2 for access mode descriptions and to Table 2-3 for user
type descriptions.

If you do not explicitly state file access restrictions for an account,
the system assigns the following default restrictions:

   * For the SYS account, READ and EXECUTE access are permitted to all
     users.  APPEND, WRITE, and LOCK access are limited to account
     members.  Symbolically, these access restrictions are expressed as
     follows:  (R,X:ANY;A,W,L:AC).

   * For all other accounts, READ, APPEND, WRITE, LOCK, and EXECUTE
     access are limited to account members (R,A,W,L,X:AC).

Group-level Security

The account manager sets the file access restrictions that apply to all
files within a group when creating the group.  They can be equal to or
more restrictive than the provisions specified at the account level.  The
group's file access restrictions can also be less restrictive than those
of the account; such provisions effectively equate the group restrictions
with the account restrictions, because a user who fails a security check
at the account level is denied access at that point.  The account manager
can change initial group file access restrictions at any time.

At the group level, the system recognizes five user types and six access
modes.  You can assign the access modes to the user types in any
combination.

The five group-level user types are:

   * Any user (ANY)

   * Account librarian (AL)

   * Group librarian (GL)

   * Group user (GU)

   * Account member (AC)

The six group-level file access modes are:

   * READ (R)

   * LOCK (L)

   * APPEND (A)

   * WRITE (W)

   * SAVE (S)

   * EXECUTE (X)

Refer to Table 2-2 for access mode descriptions and to Table 2-3 for user
type descriptions.
If you do not specify group file access restrictions, the following
default restrictions apply:

   * For a public group (named PUB) whose files are normally accessible
     in some way by all users within the account, READ and EXECUTE access
     are permitted to any user; APPEND, WRITE, SAVE, and LOCK access are
     limited to account librarian users and group users (including group
     librarians) (R,X:ANY;A,W,S,L:AL,GU).

   * For the public group (named PUB) of the system account (named SYS),
     the following default restrictions apply:  (R,X,L:ANY;W,A,S:AL,GU).

   * For all other groups in the account, READ, APPEND, WRITE, SAVE,
     LOCK, and EXECUTE access are limited to group users
     (R,A,W,S,L,X:GU).

File-level Security

When you create a file, it has the default file-level security provisions
assigned by MPE and the provisions assigned by the account and the group
to which it belongs.  The creator of the file, and no one else, can
change the file-level security provisions with the ALTSEC command.

All access modes and all user types apply at the file level.  Refer to
Table 2-2 and Table 2-3 for their descriptions.

If no security provisions are explicitly specified by the creating user,
READ, APPEND, WRITE, LOCK, and EXECUTE access are permitted to all users
(R,A,W,L,X:ANY), for all files, by default.

Default File Access Restrictions

Because the total security for a file always depends on security at all
three levels, a file not explicitly protected from a certain access mode
may benefit from the default protection at a higher level.  For example,
the default access restrictions at the file level allow the file to be
read by any user, but the restrictions at the group level allow access
only to group users.  Thus, the file can be read only by a group user.

In summary, the default file access restrictions at the account, group,
and file levels combine to result in overall default file access
restrictions as shown in Table 2-4.

          Table 2-4.  Default File Access Restrictions

     ----------------------------------------------------------------------------------
     File                        File Reference            Access Permitted   Save Access
                                                                              To Group
     ----------------------------------------------------------------------------------
     Any file in public group    filename.PUB.SYS          (R,X:ANY;W:AL,GU)  AL, GU
     of system account.

     Any file in any group in    filename.groupname.SYS    (R,W,X:GU)         GU
     system account.

     Any file in public group    filename.PUB.accountname  (R,X:AC;W:AL,GU)   AL, GU
     of any account.

     Any file in any group in    filename.groupname.       (R,W,X:GU)         GU
     any account.                accountname
     ----------------------------------------------------------------------------------

In other words, when the default security provisions are in force at all
levels, the standard user, with default user attributes, has:

   * Unlimited access (in all modes) to all files in the logon group and
     the home group.

   * READ and EXECUTE access (only) to all files in the PUB group of the
     individual's account, and in the SYS account's PUB group.

File Security Rules

Here is a summary of some important file security rules:

   * General users can only create files in their own account.

   * Only the creator can modify a file's security or rename the file.

   * If a file has a lockword, that lockword is required to open the
     file.

   * An account manager has unlimited access to every file within an
     account.  When accessing a protected file created by any other user
     of the account, the manager must supply the lockword, but can use
     the LISTFILE command to discover it.  For example, the following
     command will list the lockword for a file called SECRET:

          LISTFILE SECRET

   * The system manager has unlimited access to any file in the system,
     if able to supply the lockword (which can be discovered with the
     LISTFILE command).  However, the system manager can save files only
     in the logon account.

   * The RELEASE command allows unlimited file access, and the SECURE
     command secures a file that has been released.  To release all
     security provisions on a file called FREEME, enter:

          RELEASE FREEME

     To restore security provisions that were previously in effect for
     FREEME, enter:

          SECURE FREEME

   * The ALTSEC command restricts access to specific files in a group to
     which access is normally not restricted.  This command can only be
     used by the creator of the file.  To allow WRITE access for yourself
     only to a file named ACCESS that you created, enter:

          ALTSEC ACCESS; (W:CR)

Refer to the MPE XL Commands Reference Manual (32650-90003) for further
information about the ALTSEC, LISTF, RELEASE, and SECURE commands.
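The three-level check described under "Specifying File Access Restrictions", the implied modes of Table 2-2, the user-type coverage of Table 2-3, and the default restriction strings quoted above can be modelled in a few dozen lines. The Python below is an added example, not code from the HP manual or from MPE: it parses restriction strings in the (R,X:ANY;A,W,L:AC) format, applies the account, group and file levels in turn, and reproduces the worked cases from the text (a file readable by any user at the file level but only by group users at the group level; a file restricted with ALTSEC ACCESS;(W:CR)). It assumes that SAVE (S), which the text lists only as a group-level and file-level mode and treats as a right over a group in Table 2-4, is checked at the group level only; the requesting users and their type sets are constructed, and the function names are its own.

```python
"""Three-level MPE file access check (added example, not from the HP manual).

A user gets an access mode only when the account-level, group-level and
file-level restriction lists all grant it.  User-type coverage follows
Table 2-3 (AC covers AL, GU and CR; GU covers GL; ANY covers everyone);
implied modes follow Table 2-2 (W implies A and L; A implies L).  The
default restriction strings are the ones quoted in the text.
Assumption: SAVE (S) governs creating and renaming files in a group, so
it is checked at the group level only; the sample requests are constructed.
"""

# Which Table 2-3 user types each restriction token covers.
TYPE_COVERS = {
    "AC": {"AC", "AL", "GL", "GU", "CR"},
    "GU": {"GU", "GL"},
    "AL": {"AL"},
    "GL": {"GL"},
    "CR": {"CR"},
}
KNOWN_TYPES = frozenset(TYPE_COVERS) | {"ANY"}
KNOWN_MODES = frozenset("RLAWSX")
IMPLIED_MODES = {"W": {"A", "L"}, "A": {"L"}}   # Table 2-2


def parse_restrictions(spec):
    """Parse '(R,X:ANY;A,W,L:AC)' into a list of (modes, user_types) pairs."""
    body = spec.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    clauses = []
    for clause in body.split(";"):
        if not clause.strip():
            continue
        modes_part, sep, types_part = clause.partition(":")
        if not sep:
            raise ValueError(f"clause lacks user types: {clause!r}")
        modes = {m.strip().upper() for m in modes_part.split(",") if m.strip()}
        types = {t.strip().upper() for t in types_part.split(",") if t.strip()}
        if not modes <= KNOWN_MODES or not types <= KNOWN_TYPES:
            raise ValueError(f"unknown mode or user type in {clause!r}")
        clauses.append((modes, types))
    return clauses


def expand_modes(modes):
    """Add the modes implied by the granted ones (W -> A, L; A -> L)."""
    result, pending = set(modes), list(modes)
    while pending:
        for implied in IMPLIED_MODES.get(pending.pop(), ()):
            if implied not in result:
                result.add(implied)
                pending.append(implied)
    return result


def type_matches(token, user_types):
    """True if a restriction user-type token covers the requester."""
    return token == "ANY" or bool(TYPE_COVERS[token] & user_types)


def level_grants(spec, mode, user_types):
    """True if one level's restriction list grants `mode` to the requester."""
    return any(mode in expand_modes(modes) and any(type_matches(t, user_types) for t in types)
               for modes, types in parse_restrictions(spec))


def file_access_allowed(mode, user_types, account_spec, group_spec, file_spec):
    """Apply the three-level check.

    `user_types` is the set of Table 2-3 types describing the requester
    relative to the file's account and group, e.g. {"AC", "GU"} for an
    ordinary member of the file's account logged on to the file's group;
    an empty set is a user from another account, matched only by ANY.
    """
    mode = mode.upper()
    user_types = {t.upper() for t in user_types}
    if mode == "S":                      # assumption: SAVE is a group-level right
        levels = [group_spec]
    else:
        levels = [account_spec, group_spec, file_spec]
    return all(level_grants(spec, mode, user_types) for spec in levels)


def default_specs(account, group):
    """The default restriction strings the text gives for each level."""
    is_sys = account.upper() == "SYS"
    account_spec = "(R,X:ANY;A,W,L:AC)" if is_sys else "(R,A,W,L,X:AC)"
    if group.upper() == "PUB":
        group_spec = "(R,X,L:ANY;W,A,S:AL,GU)" if is_sys else "(R,X:ANY;A,W,S,L:AL,GU)"
    else:
        group_spec = "(R,A,W,S,L,X:GU)"
    return account_spec, group_spec, "(R,A,W,L,X:ANY)"


if __name__ == "__main__":
    # The case worked in the text: the default file level lets anyone read,
    # but the default group level admits group users only.
    acct, grp, fil = default_specs("SMITH", "ENGR")
    print(file_access_allowed("R", {"AC"}, acct, grp, fil))        # False
    print(file_access_allowed("R", {"AC", "GU"}, acct, grp, fil))  # True
    # After ALTSEC ACCESS;(W:CR) only the creator keeps WRITE at the file level.
    print(file_access_allowed("W", {"AC", "GU"}, acct, grp, "(W:CR)"))        # False
    print(file_access_allowed("W", {"AC", "GU", "CR"}, acct, grp, "(W:CR)"))  # True
```

The check deliberately has no notion of SM or AM capability or of RELEASE: those bypass the restriction lists altogether, so a model like this one describes what ordinary users can reach, and a released file or a manager logon has to be reviewed separately.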

