Accessing Files Programmer's Guide: HP 3000 MPE/iX Computer Systems
Chapter 13 Maintaining File Security
Traditional Mechanism for File Security
|
The traditional security mechanism (file access matrix and lockwords) associates with each account, group, and individual files a set of security provisions that specifies any restrictions on access to the files in that account or group, or to that particular file.
These restrictions are based on two factors:
The security provisions for any file describe what modes of access are permitted to which users of that file. When a program opens or creates a file, it can define the way that the file can be accessed by specifying a particular access mode (such as Read-only, Write-only, Update, and so forth) for the file. These specifications apply to files on any device and can be changed or overridden only by you, as the creator of the file. They are discussed in the following paragraphs. In addition, for files on disk, a program can also restrict access so that only one access attempt (HPFOPEN/FOPEN call) or process (running program) can open it at one time, or can allow it to be shared among several accessors. The access types that can be specified by a program are listed in Table 13-10 “Traditional File Access Mode Types”.

When specifying the access mode for a file, it is important to realize where the current end-of-file is before and after the file is opened, and where the logical record pointer indicates that the next operation will begin. These factors depend upon the access mode that you select. Because they are best explained by example, the effects of each access mode upon these factors are summarized in Table 13-11 “Effects of Access Modes” for a sample file. This file contains 10 logical records of data (numbered 0 through 9). The table shows that the current end-of-file (EOF) lies at Record 10 before the file is opened, indicating that if another record were appended to the file, that would be the eleventh record. When you open the file in the Write-only mode, however, all records presently in the file are deleted and the logical record pointer and current EOF move to record 0. Now when you write a record to the file, this will be the first record in that file.

Suppose that you are running a program that opens a magnetic tape file for Write-only access, but you wish to append records to that file rather than to delete existing records. You can override the programmatic specifications by using the FILE command to request Append access to the file, as follows:
Table 13-10 Traditional File Access Mode Types
Suppose that you run a program that opens a disk file for write-only access, copies records into it, and closes it as a permanent file. Under the standard file system security provisions, the access mode is automatically altered so that the file permits the read, write, and append access modes (among others). Now, suppose that you run the program a second time, but wish to correct some of the data in the file rather than delete it. You could use the FILE command to override the programmatic specification, opening the file for update access:
Table 13-11 Effects of Access Modes
Consider a program that reads input from a terminal (file name INDEV) and directs output to a line printer (OUTDEV). You can redirect the output so that it is transmitted to the terminal by entering:
Restrictions on who can access a file are established when the file is created according to the default prescribed for the group and account where the file resides. The capabilities of the user who accesses a file may determine the security restrictions that apply to him. The types of users recognized by the MPE/iX security system, the mnemonic codes used to reference them, and their complete definitions are listed in Table 13-12 “User Type Definitions (Traditional Security)”.
Table 13-12 User Type Definitions (Traditional Security)
Users with system manager or account manager capability bypass the standard security mechanism. A system manager has unlimited file access to any file in the system (R,A,W,L,X:ANY), but can save files only in his own account (S:AC); an account manager user has unlimited access to any file within the account (R,A,W,L,X,S:ANY). One exception is that in order to access a file with a negative file code (a privileged file), the account manager must also have the privileged mode (PM) capability. The user-type categories that a user satisfies depend on the file he is trying to access. For example, a user accessing a file that is not in his home group is not considered a group librarian for this access even if he has the group librarian user attribute.
The security provisions for the account and group levels are managed only by users with the system manager and the account manager capabilities respectively, and can only be changed by those individuals. The security provisions that broadly apply to all files within an account are set by a system manager user when creating the account. The initial provisions can be changed at any time, but only by that user. At the account level, five access modes are recognized:
Also at the account level, two user types are recognized:
If no security provisions are explicitly specified for the account, the following provisions are assigned by default:
The security provisions that apply to all files within a group are initially set by an account manager user when creating the group. They can be equal to or more restrictive than the provisions specified at the account level. (The group's security provisions also can be less restrictive than those of the account, but this effectively results in equating the group restrictions with the account restrictions, since a user failing security checking at the account level is denied access at that point and is not checked at the group level.) The initial group provisions can be changed at any time, but only by an account-managing user for that group's account. At the group level, six access modes are recognized:
Also at the group level, five user types are recognized:
If no security provisions are explicitly specified, the following provisions apply by default:
When a file is created, the security provisions that apply to it are the default provisions assigned by MPE/iX at the file level, coupled with the user-specified or default provisions assigned to the account and group to which the file belongs. At any time, however, the creator of the file (and only this individual) can change the file-level security provisions, as described in the following pages; thus, the total security provisions for any file depend upon specifications made at all three levels: the account, group, and file levels. A user must pass tests at all three levels (account, group, and file security, in that order) to successfully access a file in the requested mode. If no security provisions are explicitly specified by the user, the following provisions are assigned at the file level by default:
Because the total security for a file always depends on security at all three levels, a file not explicitly protected from a certain access mode at the file level may benefit from the default protection at the group level. For example, the default provisions at the file level allow the file to be read by any user, but the default provisions at the group level allow access only to group users; thus, the file can be read only by a group user. In summary, the default security provisions at the account, group, and file levels combine to result in overall default security provisions as listed in Table 13-13 “Default Security Provisions (Traditional)”. Stated another way, when the default security provisions are in force at all levels, the standard user (without any other user attributes) has:
The important file security rules may be defined as follows:
Table 13-13 Default Security Provisions (Traditional)
The security provisions at the account level are managed only by users with the system manager capability, while group-level security is managed by users with account manager capability. Even if you have only standard capabilities (IA, BA, SF), you can change the security provisions for any disk file that you have created. You do this by using the ALTSEC command, which permanently deletes all previous provisions specified for this file at the file level, and replaces them with those defined as the command parameters. This command does not, however, affect any account-level or group-level provisions that may cover the file. Furthermore, it does not affect the security provided by the lockword (if one exists). For example, suppose that you want to alter the security provisions for the file FILEX to permit the ability to read, execute, and append information to the file only to the creating user and the logon or home group users. You can do this with the following ALTSEC command:
Any parameters not included in the ALTSEC command are cleared. To restore the default security provisions to this file, you would enter:
Suppose that you have created a file named FILEZ for which you have allowed yourself program-execute access only. You now wish to change this file's security provisions so that any group user can execute the program stored within it, but only the group librarian can read and write on it. Even though you do not have Read or Write access to the file, you can still alter its security provisions by entering:
You always retain the ability to change the security provisions of a file that you have created, even when you are not allowed to access the file in any mode; thus, you can even change the provisions to allow yourself access. You may temporarily suspend the security restrictions on any disk file that you create. This allows the file to be accessed in any mode by any user; in other words, it offers unlimited access to the file. You suspend the security provisions by entering the RELEASE command. (File lockword protection, however, is not removed by this command.) The RELEASE command does not modify the file security settings recorded in the system; it bypasses them temporarily. The RELEASE command remains in effect until you enter the SECURE command in this or a later job or session. To release the security provisions for the file named FILESEC in your logon group, enter:
If the file has a lockword and you wish to remove that as well as all account-level, group-level, and file-level security provisions, you must use the RENAME command, as well as the RELEASE command:
To restore the security provisions of a file, use the SECURE command. For example:
The original security restrictions for the file will be in effect.