HPlogo User's Guide to MPE/iX Security: HP 3000 MPE/iX Computer Systems > Chapter 4 Protecting Your Files with Capabilities, File Access Restrictions and Lockwords

File System Security Features
» 

Technical documentation

Complete book in PDF
» Feedback

 » Table of Contents

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

The account structure contains three important, standard file system security features: capabilities, file access restrictions, and lockwords.

The recommended file system security feature, "Access Control Definitions," is described in a previous chapter.

Capabilities

A variety of people use HP 3000 Computer Systems. They range from those who use the system only to run simple application programs to system programmers who modify MPE/iX. The user who runs application programs, for example, needs only to be able to log on, run a particular program or set of programs, and log off. A system programmer, on the other hand, needs access to special system functions.

Capabilities are used to control access to parts of the system. In order to create permanent files, for example, a user must have Save Files Permanently (SF) capability. To create a session on another terminal from within a session, a user must have Programmatic Sessions (PS) capability. Refer to Table 4-1 “Capability Assignments” for a list of all capabilities and their standard abbreviations, later in this chapter. Refer to appendix A for a complete description of each capability.

Account, Group, and User Capabilities

Account capabilities are the capabilities available to account users and groups. Group capabilities are the subset of account capabilities available to users logged on to a group and to files within the group. Notice, in Table 4-1 “Capability Assignments”, that only a subset of the capabilities applies to groups. User capabilities are the subset of account capabilities available to a particular user. When a user issues an MPE command or an intrinsic call, the system checks the user's account, group, and user capabilities against those required for the command or intrinsic.

Files also have capabilities, especially program files. For example, a user does not need privileged mode (PM) capability to run a privileged mode program, but the program itself must have PM capability and the group in which the program file resides must have PM capability.

Listing Capabilities

NOTE: If the password is encrypted, the commands LISTUSER, LISTGROUP, and LISTACCT will only display the password as "*ENCRYPTED*", making a password truly private to its owner.

Listing Account Capabilities

Use the LISTACCT command to check the capabilities of an account. To check the capabilities for the SMITH account enter:

   LISTACCT SMITH

The following account information appears on the screen:

   ***************

   ACCOUNT: SMITH



   DISC SPACE:   754115 (SECTORS)   PASSWORD: *ENCRYPTED*

   CPU TIME:     33330 (SECONDS)    LOC ATTR: $00000000

   CONNECT TIME:    102 (MINUTES)   SECURITY-- READ    :ANY

   DISC LIMIT:   UNLIMITED                     WRITE  : AC

   CPU LIMIT:   UNLIMITED                      APPEND   :AC

   CONNECT TIME:    UNLIMITED                  LOCK     :ANY

   MAX PRI: 150                                EXECUTE  :ANY

   GROUP UFID: $0000001 $800001050 $00138A20 $00000008 $000001FA

   USER UFID : $0004001 $800001050 $00138C20 $00000008 $000001FB

   CAP: AM,AL,GL,DI,CV,UV,LG,CS,ND,SF,IA,BA,PH,DS,MR,PM

Refer to appendix A for definitions of the capabilities.

The System Manager can list any account on the system; all other users can list only their own accounts.

Refer to the MPE/iX Commands Reference Manual Volumes 1 and 2 (32650-90003 and 32650-90364) for more information on the LISTACCT command.

Listing Group Capabilities

Use the LISTGROUP command to display capabilities for one or more groups. For account managers (AM), the default is all (@) groups within the user's logon account; for general users, the default is the logon group. Use wildcard characters to specify more than one group.

To check group capabilities of the group ENGR in the account to which you are logged on, enter:

   LISTGROUP ENGR

The screen displays:

   ******************

   GROUP: ENGR.SMITH



   DISC SPACE:   5752 (SECTORS)       PASSWORD:   * *

   CPU TIME:   102(SECONDS)           SECURITY-- READ     : GU

   CONNECT TIME: 0(MINUTES)                      WRITE    : GU

   DISC LIMIT:   UNLIMITED                       APPEND   : GU

   CPU LIMIT:   UNLIMITED                        LOCK     : GU

   CONNECT TIME:    UNLIMITED                    EXECUTE  : GU

   PRIV VOL : n/a                                SAVE     : GU

   FILE UFID: $OOOD401 $80001050 $OOOFF620 $00000008 $OOOOOOOA

   MOUNT REF CNT: n/a

   HOME VOL SET : MPE_SYS_VOL_SET

   CAP: IA,BA

Refer to appendix A for definitions of the capabilities.

Refer to the MPE/iX Commands Reference Manual Volumes 1 and 2 (32650-90003 and 32650-90364) for more information on the LISTGROUP command.

Listing User Capabilities

Use the LISTUSER command to check the capabilities of a user. For example, to review the capabilities of the user BORIS in the JONES account, enter:

   LISTUSER BORIS

The screen displays:

   ********************

   USER: BORIS.JONES

   HOME GROUP:   DEVELOP             PASSWORD:    *ENCRYPTED*

   MAX PRI   :   150                 LOC ATTR:    $00000000

   CONNECT TIME:   0(MINUTES)        WRITE   : GU

   LOGON CNT : 1

   CAP: AM,AL,GL,DI,DV,UV,LG,CS,ND,SF,IA,BA,PH,DS,MR,PM

Refer to appendix A for definitions of the capabilities.

Users with account manager (AM) capability can list any user in their account. Other users can list only their logon user.

For more information on the LISTUSER command, refer to the MPE/iX Commands Reference Manual Volumes 1 and 2 (32650-90003 and 32650-90364).



Chapter 4 Protecting Your Files with Capabilities, File Access Restrictions and Lockwords
  		 


Capabilities Table  
Feedback to webmaster