File Security and Access Control Definitions (ACDs)

MPE/iX file system access is controlled by using access control definitions (ACDs) or the file access matrix. This section briefly introduces ACDs because of their relevance to controlling access to files and directories created outside of MPE groups.

Because ACDs are now required in some cases, it becomes increasingly important that you understand the MPE/iX ACD facility.




	NOTE: ACDs are the main method of controlling access to files, hierarchical directories, and devices. ACDs are automatically assigned to hierarchical directories and to files existing outside of MPE groups.

What is an ACD?

ACDs allow or prevent access to files and directories and exist as ordered lists of pairs. The pairs are made up of access permissions and user specifications that control access to objects. Objects are passive entities that contain or receive information, such as files, directories, and devices. Each entry in the ACD specifies object access permissions granted to a specific user or group of users. In addition to being granted access to an object protected by an ACD, users can also be granted access to read the ACD itself.

ACDs can be applied to any MPE/iX files or directories using the ALTSEC command. If a file has an ACD, this method of specifying access to the file takes precedence over other security features, such as lockwords and the file access matrix. ACDs cannot be placed on root, account, group, or directories.

Access modes

ACD pairs control the ability to access and change hierarchical directories and the files within them. MPE/iX has enhanced the ALTSEC command to support access to directories. The available ACD access modes are as follows:

∅
R
Read a file.
W
Write to a file.
L
Lock a file.
A
Append to a file.
X
Execute a file.
CD
Create directory entries.
DD
Delete directory entries.
RD
Read directory entries.
TD
Traverse directory entries.
RACD
Copy or read the ACD associated with the object.
NONE
Deny access.

You use the ALTSEC command to alter access modes for files, hierarchical directories, logical devices, or device classes. For more information about ACD access modes, refer to the ALTSEC command in the Commands Reference - HP 3000 Series 9X8LX (B3813-90011).

Following is an example of an ACD that could be assigned to a text file:

   NONE:JIM.DOE,@.ACCT;R,W,X,L:@.PAYROLL;R:@.@

The ACD pairs in this example set up the following access controls on the text file:

Deny JIM.DOE and all users in the ACCT account access to the file.
Allow read, write, execute, and lock access to users in the PAYROLL account.
Allow read access to everyone else.

Notice that in cases of contradictions, the most specific ACD pair is assigned. So even though all users are assigned read access (R:@.@), JIM.DOE cannot access the file because he is specifically assigned no access (NONE:JIM.DOE).

Listing ACDs for files and directories

Because ACDs supersede other security mechanisms, it is useful to be able to determine whether or not a directory or file has an ACD assigned to it and, if so, what it is. Any directories or files residing outside of traditional MPE groups are automatically assigned ACDs when they are created. You can list ACDs by using the LISTFILE command with the -2 (also called ACD) option.

The following example shows how to list the ACD associated with the directory called letters. Notice that the user named JONES in the OFFICE account has RD (read directory entries) access to the letters directory. All other users on the system have both RD and TD (traverse directory entries) access to letters.



LISTFILE /dir0/letters,-2

 PATH=/dir0/



 ------------ACD ENTRIES-------------- FILENAME



     JONES.OFFICE       : RD           letters/

     @.@                : RD,TD

In the next example, the directory GRP is assigned the default ACD. All users can read the ACD assigned to the directory. Only the creator and the system manager can change it. Also, note that -2 is replaced with the textual equivalent ACD.

   LISTFILE /OFFICE/GRP,ACD

    PATH=/OFFICE/



    ------------ACD ENTRIES-------------- FILENAME



    @.@                : RACD             GRP/

In the next example, the file assets has an ACD assigned to it. The ACD pairs are listed from the most specific (such as a particular user in a particular account) to the least specific (all other users in all other accounts). User ZONIS in the OFFICE account has R (read) access to the file assets. Other users in the OFFICE account have both R and W (write) access to the file. And all other users in other accounts have R, W, and X (execute) access to the file.

   LISTFILE /OFFICE/GRP/assets,-2

    PATH=/OFFICE/GRP/



    ------------ACD ENTRIES-------------- FILENAME



    ZONIS.OFFICE         : R              assets

    @.OFFICE             : R,W

    @.@                  : R,W,X

The next example shows how you can list the ACDs for all of the files in the GRP directory. It shows the ACDs on the file assets as in the previous example and lists the ACDs on the other two files in the directory.

   LISTFILE /OFFICE/GRP/@,-2

    PATH=/OFFICE/GRP/



   ------------ACD ENTRIES------------ FILENAME



   ZONIS.OFFICE      : R               assets

   @.OFFICE          : R,W

   @.@               : R,W,X

   ZONIS.OFFICE      : R               bills

   WILKE.OFFICE      : R,W

   @.@               : R,W,X

   SMITH.OFFICE      : R               goods

   @.OFFICE          : R,W,X

Changing access to files and directories

Because access to MPE/iX files and hierarchical directories is controlled by ACDs, system users may want to change the defaults assigned when files or directories are created.

For the purpose of selectively restricting access to files with ACDs, users can be classified into three groups:

Individual users
Specific groups of users
All other users

Assigning ACDs

For example, you may want to assign ACD permissions to restrict access to a sensitive file so that only you and your manager can read it. You may also want to restrict access to a sensitive directory so that only certain members of a group can create files in it.

Use the ALTSEC command to change access permissions to a file or hierarchical directory. System managers can assign ACDs on any file or directory in the system. They must supply the lockword for any lockword-protected files before they can assign an ACD, however. Once the file has an ACD, the ACD supersedes the lockword.

You can use the ADDPAIR option with the ALTSEC command to add ACD pairs to an object that already has an ACD. (You must use the NEWACD option to assign ACDs to files having no ACDs.)

For example, to assign a new ACD that gives all users on the system total access to the file NUMBERS:

   :ALTSEC NUMBERS;NEWACD=(R,W,L,A,X,RACD:@.@)

The file SUMMARY has an ACD (RACD:@.@). You want to grant read and write access to users in your account:

   :ALTSEC SUMMARY;ADDPAIR=(W,R:@.ACCT)

Replacing ACDs

You can replace the current ACD by using the REPACD option with the ALTSEC command.

All users in the MKTG account currently have RD and TD access to the directory van. The users can only move through van and read the names of files in it. Instead, you want to grant all users in MKTG greater access to the contents of the directory. You want them to be able to create directory entire, delete directory entries, read directory entries, traverse directory entries, and to be able to read the ACD.

For example,

   :ALTSEC ./van;REPACD=(CD,DD,RD,TD,RACD:@.MKTG)

This option is useful when you want to change the default ACDs assigned to HFS directories and to files outside of MPE groups.

Deleting ACDs

You can only delete optional ACDs on files in MPE groups that can be protected by the file access matrix.

Users in the ACCT account have read access to the file /ACCT/PUB/dir1/summary and all other users have read ACD access to the file (R:@.ACCT;RACD:@.@). If you decide that the users in ACCT should no longer have read access to the file, you can delete previously assigned ACD pairs (but you cannot delete the entire ACD):

   :ALTSEC /ACCT/PUB/dir1/summary;DELPAIR=(@.ACCT)

The above example deletes read access to file summary for all users in ACCT but still allows all users (including those in ACCT) RACD access to the file.

You try to specify the following command to delete the ACD pair that matches @.@, which is the only ACD pair left on the file:

   :ALTSEC /ACCT/PUB/dir1/summary;DELPAIR=(@.@)

Because this file is located in an HFS directory, it is required to have ACDs and cannot be protected by the file access matrix. You receive an error message and the ACD will not be deleted:

   Cannot delete ACDs from objects where file matrix security

   does not apply. (CIERR 7330)

If the file REPORT is a file in an MPE group, its GID matches the GID of its parent group, and its ACD is not required, you can use the following command to delete all ACD pairs:

   :ALTSEC REPORT;DELACD

Copying ACDs

You can copy ACD pairs from one file to another or from one directory to another. This is particularly useful if you assign a complex set of ACDs to one file or directory and you want to assign the same set to another file or directory.




	NOTE: You can only copy an ACD from one file to another or from one directory to another. You can't copy an ACD from a directory to a file or vice versa.

For example, you can copy the ACD from directory dir1 to another directory dir2:

   :ALTSEC ./dir2;COPYACD=./dir1

You can also copy ACDs between devices. The following example copies the ACD associated with ldev 5 to all devices in the device class TERM:

   :ALTSEC TERM,DEVCLASS;COPYACD=5,LDEV

To remove a file's security

Users outside your group cannot access files that you have created. To remove the security on a file so that it can be copied or transferred by someone other than the file's creator, use the RELEASE command.

   :RELEASE filename Return

In the following example, the security on the file MYFILE has been released.

   :RELEASE MYFILE Return

Once a file's security has been released, any user of the system has unlimited access to it. Use the LISTFILE command with the SECURITY parameter to display the file's security level:

   :LISTFILE MYFILE,SECURITY Return

To reinstate a file's security

After a file has been released and copied, you should reinstate its security with the SECURE command. You must be the creator of the file in order to perform the following task.

   :SECURE filename Return

In the following example, the security to the file MYFILE is reinstated.

   :SECURE MYFILE Return

To copy a file to tape

Make sure that a write-protected tape has been loaded into the DDS tape drive. To copy a file to tape, use the STORE command. As part of this task, use the FILE command to create a file equation to specify a tape device. Then use the SHOW option of the STORE command to list the name of each file as it is copied to the tape.

The following example copies the file MYFILE to a tape drive designated in the file equation as TAPE1. As the file is copied to the tape device onto a cassette tape, its name is listed on the screen.

To copy a single file to tape:

   :FILE TAPE1;DEV=TAPE Return

   :STORE MYFILE;*TAPE1;SHOW Return

To copy more than one file to tape:

   :FILE TAPE1;DEV=TAPE Return

   :STORE filename, filename, filename;*TAPE;SHOW Return

To copy all files in a group to tape:

   :FILE TAPE1;DEV=TAPE Return

   :STORE @.groupname;*TAPE1;SHOW Return

To copy all files in all groups of an account (requires account manager capabilities):
:FILE TAPE1;DEV=TAPE Return :STORE @.@.acctname;*TAPE1;SHOW Return
To copy a file from tape back onto the system, refer to the "To restore files" section of this chapter.