Enhancements to MPE/iX File System Security Features

Object ownership

In past releases, MPE/iX has used the creator name, a user name in the form username, to track file ownership. The creator name for the root directory, MPE groups, and accounts was not recorded. Only files were assigned creator names. For example, if a user JOE in his logon account FINANCE created a file named MYFILE, the creator name associated with that file was JOE. Of course, if there was another user JOE in another account PAYROLL, any files he created also had the creator name JOE associated with them. This did not cause security problems because neither JOE could create files outside their own logon account.

Beginning with MPE/iX Release 4.5, files and hierarchical directories can be created outside the logon account. For example, if given the proper access rights, JOE.FINANCE can create a file in the same directory that JOE.PAYROLL can. Using only the creator name to determine ownership, MPE/iX cannot determine which JOE is the creator of this file. For this reason, unqualified user names are no longer sufficient for indicating object ownership across the whole system.

Beginning with MPE/iX release 4.5, file ownership for all newly created, copied, or renamed files is indicated by a fully qualified user name in the form username.accountname. This fully qualified user name is referred to as the file owner and is associated with a user ID (UID).

The file creator was a static value for the lifetime of a file. However, the file owner can be changed during the lifetime of a file.

File owners are assigned to all newly created files and directories. The file owner of the root directory is MANAGER.SYS. MPE account and MPE group directories created before installation of the new FOS release lack file owners since older releases of MPE/iX did not initialize ownership information.

Directories with uninitialized file ownership information appear to have a file owner of "0" when displayed by LISTFILE. The system reserves the zero UID value for use by MPE/iX. Zero UID values cannot be assigned to users, files, or directories.

Object ownership for MPE groups, accounts, and the root directory are new concepts. The existing access control policy for these directory types is based solely upon appropriate privilege. Account managers did not retain any additional access to MPE groups they had created if their AM capability was removed by their system manager.

Starting with MPE/iX Release 4.5, the ability to create or delete entries in the root directory, MPE groups, and MPE accounts is no longer based solely on appropriate privilege. Directory file owners are granted all access to the directories they own.

Sharing objects

Prior to MPE/iX Release 4.5, MPE accounts provided the basis for file sharing. All file user types other than the ANY file user type were members of the logon account. Beginning with MPE/iX Release 4.5, files created under the root directory or below some combination of hierarchical directories below the root directory are not within an MPE account. File sharing on MPE/iX has been enhanced using the concept of the file group ID (GID).

When files and directories are created, they are assigned their parent directory's file group ID (GID). MPE accounts are assigned a unique GID when they are created. The HPGID database records this association of MPE account and file GID.

Uninitialized file group information appears as a file GID of "0" when displayed by ``LISTFILE. The GID database interfaces reserve zero GID values for use by MPE/iX. Users, files, and directories cannot be assigned zero GID values.