HP 3000 Manuals

ALTSEC [ MPE/iX Commands Reference Manual Volume I ] MPE/iX 5.0 Documentation



ALTSEC 

Changes the access permissions of an object by altering the access
control definition (ACD).

ACDs are the main method of controlling access to files, hierarchical
directories, and devices.  ACDs are automatically assigned to
hierarchical directories and to files existing in hierarchical
directories.

You can change access permissions for any of the following:

   *   files

   *   hierarchical directories

   *   devices

   *   device classes

You can also change file access masks with this command (only files have
access masks).  The file status change time stamp is updated by ALTSEC.
You cannot use the ALTSEC command to change access permissions for MPE
groups, accounts, or the root directory.

Syntax 

                  [ {FILENAME}]
ALTSEC objectname [,{LDEV    }]
                  [ {DEVCLASS}]

[;[ACCESS=](fileaccess[;[fileaccess][;...]])]

[{;NEWACD= }                               ]
[{;REPACD= } {(acdpair [;acdpair] [;...] )}]
[{;ADDPAIR=} {^filereference              }]
[{;REPPAIR=}                               ]

[;DELPAIR= {(userspec [;userspec] [;...])}]
[          {^filereference               }]

[;COPYACD= objectname {,FILENAME}] [;DELACD] [;MASK]
[                     {,LDEV    }]

Parameters

objectname            Specifies the actual file designator, directory
                      name, logical device number, or device class whose
                      security provisions you want to alter.

                      Either MPE or hierarchical file system (HFS) file
                      name syntax may be used for the actual file
                      designator of the file or directory whose access
                      permissions are to be altered.

                      You can only use wildcard characters with MPE
                      syntax files that reside in a group.

                      A logical device number must be a numeric value
                      configured on the system, or an @ sign, which
                      indicates all devices on the system.  A device
                      class name must be configured on the system.

                      File equations are ignored during resolution of the
                      object name to avoid having accidental file
                      equation references cause unintentional changes to
                      an object's access permissions.

                      MPE Syntax 

                      You can include MPE file name syntax but not RFA
                      information.  If the object is an MPE syntax file,
                      its format is:

                           filename[/lockword][.groupname[.acctname]]

                      You may specify file lockwords for files protected
                      by active lockwords unless the objects are also
                      protected by a current ACD. In a batch job, if a
                      lockword exists on a file, you must specify it.  In
                      a session, if a lockword exists and is omitted,
                      MPE/iX will prompt you for it.

                      HFS Syntax 

                      You must begin file designators using HFS file name
                      syntax with either a dot (.)  or a slash (/).  The
                      maximum length is 255 characters (including the
                      "./" or "/").

                      The objectname parameter is followed by one of the
                      three type identifiers listed below.

                      FILENAME              Indicates that objectname 
                                            refers to either a file or
                                            directory.  This is the
                                            default if a type identifier
                                            is not specified.

                      LDEV                  Indicates that objectname 
                                            refers to a logical device
                                            number.

                      DEVCLASS              Indicates that objectname 
                                            refers to a device class.

ACCESS                Optional keyword that indicates a fileaccess 
                      specification follows.  This option affects
                      security at the file level only.  If the file is
                      protected by an ACD, the ACD overrides the file
                      access mask.

fileaccess            File access mask specifications, entered as
                      follows:

                      {R}          {ANY}
                      {L}          {AC }
                      {A} [,...]:  {GU } [,...]
                      {W}          {AL }
                      {X}          {GL }
                                   {CR }

                      The R, L, A, W, and X specify modes of access by
                      types of users (ANY, AC, GU, AL, GL, CR) as
                      follows:

                           R   =   READ
                           L   =   LOCK
                           A   =   APPEND
                           W   =   WRITE
                           X   =   EXECUTE

                      LOCK allows opening the file with the dynamic
                      locking option.  APPEND implicitly specifies LOCK. WRITE
                      implicitly specifies APPEND and LOCK. You may
                      specify two or more modes if you separate them by
                      commas.

                      The user types are specified as follows:

                           ANY =  Any user
                           AC  =  Member of this account only
                           GU  =  Member of this group only
                           AL  =  Account librarian user only
                           GL  =  Group librarian user only
                           CR  =  Creator

                      You may specify two or more user types if you
                      separate them by commas.  The default is
                      R,L,W,A,X:ANY. The colon (:)  separating one or
                      more modes from one or more user types is required
                      punctuation in the specification of fileaccess.

NEWACD                Creates a new ACD for the specified object.  NEWACD
                      is used when an ACD does not currently exist.  It
                      must be followed by valid ACD pair(s) as described
                      below.

REPACD                Creates a new ACD or replaces an entire existing ACD
                      for the specified object.  It must be followed by
                      valid ACD pair(s) as described below.

ADDPAIR               Adds a new ACD pair to an existing ACD. It must be
                      followed by valid ACD pair(s) as described below.

REPPAIR               Replaces an existing ACD pair in an existing ACD.
                      It must be followed by valid ACD pair(s) as
                      described below.  A new ACD pair replaces an
                      existing ACD pair if it has the same user and
                      account name.

acdpair               An access control definition pair.  Like the
                      fileaccess parameter this consists of a modes part
                      and a userspec part.  The modes part is separated
                      from the userspec part by a colon (:).  Acceptable
                      modes for files are:

                                     R : read file access
                                     W : write file access
                                     L : lock file access
                                     A : append file access
                                     X : execute file access
                                  NONE : no access
                                  RACD : copy or read the ACD permission

                      Acceptable modes for directories are:

                                    CD : create directory entries access
                                    DD : delete directory entries access
                                    RD : read directory entries access
                                    TD : traverse directory entries access
                                  NONE : no access
                                  RACD : copy or read the ACD permission

                      File ACD pairs may contain R, W, L, A, X, NONE, and
                      RACD. Directory ACD pairs may contain CD, DD, RD,
                      TD, NONE, and RACD.

                      The userspec part consists of one of the following:

                         *   a fully qualified user name
                             (username.accountname)

                         *   the file owner represented as $OWNER

                         *   the file group represented as $GROUP

                         *   the file group mask represented as
                             $GROUP_MASK

                         *   @.accountname, which represents all users in
                             the account accountname

                         *   @.@, which represents all users in the
                             system

                             You cannot use wildcards in any other manner
                             within a user specification.

                      A typical ACD consisting of three ACD pairs might
                      look like this:

                           (R,W:ENGR.MFG;R,W,RACD:@.MRKT;R:@.@)

                      This ACD would allow Read and Write access to the
                      ENGR user of the MFG account; Read and Write access
                      to any user of the MRKT account along with the
                      ability to read or copy the ACD; and Read access to
                      any user in any account.

^filereference        A file containing one or more ACD pairs.  ACD pairs
                      must be separated by semi-colons and may be placed
                      on separate lines.  A single ACD pair may not span
                      more than one line.  The file name must be preceded
                      by the ^ sign (caret symbol) to indicate that the
                      designated file contains the ACD definition.  This
                      is known as an indirect file.

                      The ALTSEC command fails if the indirect file does
                      not contain a syntactically correct ACD. ACD pairs
                      may be on separate lines, but a pair may not span
                      lines.  Parentheses are optional when defining an
                      acdpair within an indirect file.

                      The file reference may be specified using MPE or
                      HFS file name syntax.  For example:

                      filename[/lockword][.group[.account]]

                      If the file has an active lockword, you must
                      specify it.  ACDs override lockwords.  Lockwords
                      can only be specified in file references using MPE
                      name syntax.  Unqualified file names are relative
                      to the current working directory.

DELPAIR               (Indicates "delete pair").  Use DELPAIR to delete
                      one or more ACD pairs in an existing ACD.  DELPAIR
                      must be followed by a valid userspec.

userspec              Username and accountname, the same as the userspec 
                      described above in acdpair.  A wildcard (@) may be
                      used for the username or both the username and
                      accountname together.  A wildcard may not be
                      specified for the accountname unless it is also
                      specified for the username.

COPYACD               (Indicates "copy ACD").  Use COPYACD to copy an ACD
                      from an existing objectname to the specified
                      objectname.  ACDs can be copied only between like
                      objects.  You must specify FILENAME or LDEV.
                      FILENAME is the default.  You cannot copy an ACD
                      from a device class (DEVCLASS), although you may
                      copy to all devices on the system by specifying the
                      @ sign as the target device.

DELACD                (Indicates "delete ACD").  Use DELACD to delete all
                      ACD pairs from the specified objectname.  ACDs may
                      be removed only from devices and files in MPE
                      groups.  The file access matrix controls access to
                      a file when an ACD is deleted.

MASK                  (Indicates "recalculate MASK").  Use MASK to
                      recalculate the ACD file group class mask
                      ($GROUP_MASK) access permissions.

Operation Notes 

You use the ALTSEC command to alter security provisions for files,
hierarchical directories, devices, and device classes by manipulating an
object's access control definition (ACD) or its access mask.  All of
these objects may have ACDs, but only files have access masks which can
be changed using this command.  An object's ACD may be altered using this
command with the ACD keywords NEWACD, REPACD, COPYACD, ADDPAIR, REPPAIR,
DELPAIR, DELACD, and MASK.

A file's access mask may be altered using either the ACCESS keyword or an
access specification without a keyword.  Using the ACCESS keyword is a
recommended practice to help distinguish between file access mask and ACD
operations.  Only the owner of a file can use the ALTSEC command to
change a file's access mask.  Object owners and users with appropriate
privilege can use this command to manipulate an object's ACD. Files and
hierarchical directories have their owner's identity and a file group ID
(GID) stored in their file labels.  System managers have the appropriate
privilege to manipulate the ACDs for all objects.  Account managers for
the account matching an object's GID have appropriate privilege.  Devices
are owned by system managers.  The ability to manipulate an ACD or file
mask is not affected by the object access currently granted to a user.

File ACDs override file lockwords and the file access matrix.  ACDs
permit more precise access control than the file access matrix by
allowing access permissions to specific users.  MPE/iX allows you to
specify a maximum of 40 ACD pairs for a particular object.  Since a large
number of ACD pair specifications overflows the command line buffer, you
must enter large numbers of ACD specifications through an indirect file.

The ALTSEC command fails if you attempt to alter the access permissions
for a permanent disk file whose group's home volume set is not mounted.

Release 5.0 requires ACDs on the following files:

   *   All hierarchical directories

   *   All files under hierarchical directories

   *   All files directly under MPE/iX groups where the file GID does not
       match the GID of the account and group in which the file is
       located.  One way this occurs would be if you rename a file from
       an MPE group outside the account to another MPE group.

Required ACDs cannot be removed with the ALTSEC command even by users
with SM or AM capability.

File Access Matrix Examples 

To view the file access matrix, use LISTFILE,4.

You have created a file named FDATA, and want to change its file access
matrix access permissions to grant write access to only yourself.  Enter:

     ALTSEC FDATA;ACCESS=(W:CR) 

To change file access permissions for the FPROG program file to allow all
group users to execute programs, but only account and group librarian
users to read or write to the file, enter:

     ALTSEC FPROG;ACCESS=(X:GU;R,W:AL,GL) 

ACD Examples 

To view ACD information, use the LISTFILE,-2 command.  This form of the
LISTFILE command displays only ACD information.

You have created a file named FDATA, and want to assign a new ACD to
FDATA, granting write access to a user named FRIEND.ACCT. Enter:

     ALTSEC FDATA;NEWACD=(W:FRIEND.ACCT) 

As the creator of a file, you can access the file by default, so you
don't need to grant yourself access through an ACD. Users with
appropriate privileges are always permitted to access files protected by
ACDs.

To extend the ACD for the FDATA file so that all users on the system can
read it, and all users within your account ACCT can also write to it,
enter:

     ALTSEC FDATA;ADDPAIR=(R:@.@;W,R:@.ACCT) 

If you decide that users outside your account ACCT should not have read
access to the file FDATA any longer, enter:

     ALTSEC FDATA;DELPAIR=(@.@) 

This does not delete all ACD pairs, only the ACD pair matching @.@.  To
delete the entire ACD, enter:

     ALTSEC FDATA;DELACD 

To replace the entire ACD, enter:

     ALTSEC FDATA;REPACD=(W:FRIEND.ACCT) 

You want to copy the ACD associated with LDEV 5 to all devices in device
class TERM:

     ALTSEC TERM,DEVCLASS;COPYACD=5,LDEV 

ACDs may be copied only between objects of the same type.

You want to grant users in account ACCT all access to directory Mydir1:

     ALTSEC ./Mydir1;ADDPAIR=(CD,DD,RD,TD,RACD:@.ACCT) 

You want to grant read and write access to yourself and read access for
other members of your group to an HFS syntax file named a_file_of_Mine:

     ALTSEC ./a_file_of_Mine;REPPAIR=(RACD,R,W:$OWNER; 
     RACD,R:$GROUP,$GROUP_MASK;NONE:@.@) 

To add a new ACD to file PROGNAME allowing all users on the system to
execute it, but only users in account ACCT to write to it, enter:

     ALTSEC PROGNAME;NEWACD=(X:@.@;W,X:@.ACCT) 

To add a new ACD pair to an ACD that already exists for file PROGNAME,
allowing the user ENGR of the LAB account to read, write, lock,
append, execute, and read the ACD information, enter:

     ALTSEC PROGNAME;ADDPAIR=(R,W,X,RACD:ENGR.LAB) 

Note that L and A (lock and append) need not be specified because they
are implied with W (write).

To add an ACD that prevents any user except OPERATOR.SYS (and any user
with SM capability) from accessing LDEV 7 (a tape drive), enter:

     ALTSEC 7,LDEV;NEWACD=(R,W:OPERATOR.SYS) 

Note in the last example that X is not used because it makes no sense to
execute a tape drive.  It also makes no sense to lock or append a tape
drive but W tacitly provides L and A anyway.

To eliminate any ACD that may be in effect for device class LP, and to
prevent any user except MGR.FINANCE from writing to a printer in device
class LP, enter:

     ALTSEC LP,DEVCLASS;DELACD 
     ALTSEC LP,DEVCLASS;NEWACD=(W:MGR.FINANCE) 
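
The acdpair, userspec, and indirect-file rules described above can be checked before an ACD is submitted with ALTSEC.  The Python below is an added example, not part of the HP manual or of MPE/iX; the function names, the one-pair minimum, and the choice of W, A, CD, and DD as "modifying" modes are assumptions of this example.  It parses command-line or indirect-file ACD text, applies the mode, wildcard, and 40-pair rules, and reports pairs that give @.@ a modifying mode.

```python
FILE_MODES = {"R", "W", "L", "A", "X", "NONE", "RACD"}
DIR_MODES = {"CD", "DD", "RD", "TD", "NONE", "RACD"}
SPECIAL_USERS = {"$OWNER", "$GROUP", "$GROUP_MASK"}
MODIFYING = {"W", "A", "CD", "DD"}  # this example's choice of "risky" modes
MAX_PAIRS = 40                      # limit stated in the Operation Notes


def check_userspec(spec):
    """Enforce the userspec wildcard rules from the acdpair description."""
    if spec in SPECIAL_USERS:
        return spec
    user, dot, acct = spec.partition(".")
    if not (dot and user and acct):
        raise ValueError(f"userspec must be username.accountname: {spec!r}")
    if acct == "@" and user != "@":
        raise ValueError(f"@ account is only valid with @ user: {spec!r}")
    if any("@" in part and part != "@" for part in (user, acct)):
        raise ValueError(f"@ must stand alone, not inside a name: {spec!r}")
    return spec


def parse_acd(text, is_directory=False):
    """Return [(modes, users), ...] for command-line or indirect-file text."""
    allowed = DIR_MODES if is_directory else FILE_MODES
    body = text.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]           # parentheses are optional in indirect files
    pairs = []
    for line in body.splitlines():  # a pair may not span lines
        for chunk in filter(None, (c.strip() for c in line.split(";"))):
            modes_part, colon, users_part = chunk.partition(":")
            if not colon or not modes_part.strip() or not users_part.strip():
                raise ValueError(f"incomplete ACD pair: {chunk!r}")
            modes = {m.strip() for m in modes_part.split(",")}
            if not modes <= allowed:
                bad = sorted(modes - allowed)
                raise ValueError(f"invalid modes {bad} in {chunk!r}")
            if "W" in modes:
                modes |= {"A", "L"}  # W implies append and lock
            users = [check_userspec(u.strip()) for u in users_part.split(",")]
            pairs.append((frozenset(modes), users))
    if not 1 <= len(pairs) <= MAX_PAIRS:
        raise ValueError(f"{len(pairs)} pairs; expected 1 to {MAX_PAIRS}")
    return pairs


def broad_grants(pairs):
    """List ("@.@", modes) for pairs where all users get a modifying mode."""
    return [("@.@", sorted(m & MODIFYING)) for m, users in pairs
            if "@.@" in users and m & MODIFYING]
```

Pass is_directory=True when the target is a hierarchical directory so that the CD, DD, RD, and TD modes are accepted in place of the file modes.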

Related Information 

Commands      LISTF, LISTFILE, RELEASE, SECURE, SHOWDEV, and the
              fileaccess parameter for the ALTACCT, ALTGROUP, NEWACCT and
              NEWGROUP commands.

Manuals       None


