900 Series HP 3000 Computer Systems
HP Security Monitor/iX User's Guide
HP Part No. 32650-90454
Printed in U.S.A.
The information contained in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for direct, indirect, special, incidental or consequential damages in connection with the furnishing or use of this material.
Printing History
The following table lists the printings of this document, together with the respective release dates for each edition. The software version indicates the version of the software product at the time this document was issued. Many product releases do not require changes to the document. Therefore, do not expect a one-to-one correspondence between product releases and document editions.
Edition: First Edition; Date: April 1994; Software Version: C.50.
Preface MPE/iX, Multiprogramming Executive with Integrated POSIX, is the latest in a series of forward-compatible operating systems for the HP 3000 line of computers. In HP documentation and in talking with HP 3000 users, you will encounter references to MPE XL, the direct predecessor of MPE/iX. MPE/iX is a superset of MPE XL. All programs written for MPE XL will run without change under MPE/iX.
Conventions UPPERCASE In a syntax statement, commands and keywords are shown in uppercase characters. The characters must be entered in the order shown; however, you can enter the characters in either uppercase or lowercase.
Conventions (continued) [ ... ] In a syntax statement, horizontal ellipses enclosed in brackets indicate that you can repeatedly select the element(s) that appear within the immediately preceding pair of brackets or braces. In the example below, you can select parameter zero or more times. Each instance of parameter must be preceded by a comma: [,parameter][...
Contents
1. Introduction
The HP Security Monitor/iX User's Guide
Physical Security
Procedural Security
System Security
Identification
Authentication
Authorization
Defining User Roles
The System Manager
The System Supervisor
The System Operator
The Account Manager
General Users
Terminating Sessions on Initial UDC Failure
Limiting the Number of Logon Attempts
Providing Minimal Logon Assistance
Dealing with Embedded Passwords in Remote Logons
Passwords in Batch Submissions
Embedded Passwords in Job Files
Restricting Job Cross Streaming
The Cross Streaming Authorization Option
Eliminating Password Exposure with the Stream Privilege Option
Stream Privilege Option Features
4. Protecting Your Files with Capabilities, File Access Restrictions and Lockwords
File System Security Features
Capabilities
Account, Group, and User Capabilities
Listing Capabilities
Listing Account Capabilities
Listing Group Capabilities
Listing User Capabilities
Capabilities Table
Account Librarian (AL)
Figures
1-1. Account Relationships (page 1-6)
1-2. An Individual Account (page 1-7)
1-3. Groups, Users, and Files (page 1-8)
1-4. MPE/iX File System Example (page 1-11)
4-1. Lockwords and Passwords (page 4-16)
Tables
1-1. Where Accounts, Groups, Directories, and Files Can Be Located
1-2. Maximum Lengths of Account, Group, Directory, and File Names
1-3.
1 Introduction
The HP Security Monitor/iX User's Guide
The Hewlett-Packard Security Monitor/iX User's Guide is written for general users of HP 3000 systems. It contains an explanation of the basic security features and a discussion of security policy and concerns. For more information on the security in place on your system, see your security administrator.
Physical Security
Procedural Security
Procedural security deals with the establishment and enforcement of security procedures. Some of these procedures may be independent of the type or types of computers involved. Others may not. For example, perimeter security controls are usually similar for all types of systems. Desktop computers may require forms of antitheft protection not required by mainframes.
(lowest level of capability). Other commands are available only to System Managers (SM capability), or System Operators (OP capability). Each time a user issues a command, the system checks the user's capabilities to make sure he or she is allowed to use that command. Programs also have capabilities, which are assigned by the programmer at the time the program is created. The capabilities assigned to a program allow it to access particular functions.
Creating and managing Access Control Definitions for files and devices.
Supervising other System Administrators.
The System Manager automatically has all capabilities. A System Manager can perform all System Supervisor, System Operator, Account Manager, and general user tasks.
The System Supervisor
The System Supervisor (OP capability) exercises day-to-day control of the system. OP capability permits you to:
Store and restore files.
Manage system scheduling subqueues.
Alter the system configuration.
Storing and restoring account files (some files may also require SM, OP, or PM capability).
General Users
General users are those who are not System Managers, System Supervisors, System Operators, or Account Managers. General users' responsibilities with respect to account structure and security include:
Managing and maintaining the security of the files they create.
Protecting their own user passwords.
Establishing and maintaining their own UDCs.
Security Policy
Components of the Account Structure
Figure 1-1 illustrates the relationship between accounts, groups, and users. Accounts (TECHNLGY, MARKTING, SYS, for example) are shown horizontally, across the top of the diagram. Groups (RESEARCH, SALES, RECORDS, for example) are stacked vertically under their accounts. Users (KEVIN, CHARLES, DIANE, for example) appear under their home groups. The solid black lines in Figure 1-1 indicate firm, primary relationships.
The Individual Account
Figure 1-2 shows the structure of an individual account. Not all accounts look like the one in Figure 1-2, but most are similar. Every account has a name, a PUB (PUBLIC) group, and an account manager. When you first create an account, the account manager has the PUB group as a home group.
Figure 1-2. An Individual Account
The account manager is responsible for establishing the groups and users within the account.
Files
When you do almost any kind of work with a computer, you work with files. Reports, spreadsheets, program listings, letters, management tools, and more all exist within the system in the form of files. The files belong to the groups in an account as shown in Figure 1-3.
Figure 1-3. Groups, Users, and Files
The system stores the files necessary for operating the computer.
Creating Naming Conventions
Notice that each account, group, and user in Figure 1-3 has a name. Files also have names. An account, group, user, or file name must be eight characters or fewer in length. It must begin with an alphabetic character. Subsequent characters can be alphabetic or numeric. Account names must be unique, but notice that each account has a group named PUB. Group names need only be unique within an account.
Hierarchical file system (HFS)
As of Release 4.5, the MPE/iX file system is hierarchical (tree structured) and can contain files at many different levels. This organization provides a special kind of file called a directory. Instead of holding data, directories contain lists of files and pointers to those files. A directory can also contain other directories. This organization is similar to the file systems on UNIX or MS-DOS systems. The new file organization still includes the familiar accounts, groups, and users.
Figure 1-4 shows how you can organize files, accounts, groups, and directories in the file system. Notice that accounts, directories, groups, and files all connect back to one directory designated by a "/" (slash). This is referred to as the root or the root directory.
Figure 1-4. MPE/iX File System Example
HFS file names
MPE/iX Release 4.5 allows you to assign longer file names than in previous versions of MPE/iX. Table 1-2 summarizes name lengths for accounts, groups, directories, and files previous to Release 4.5 and after Release 4.5.
Table 1-2. Maximum Lengths of Account, Group, Directory, and File Names
HFS syntax
Table 1-3 summarizes some of the syntax enhancements introduced by the MPE hierarchical file system. The syntax that you are used to still works for files in groups and accounts. To use HFS syntax, you must precede file and directory names with ./ or /. Otherwise, MPE/iX treats the names using traditional MPE syntax rules. This manual refers to files that are named using HFS syntax as HFS files.
Table 1-3.
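The naming rules above (eight characters or fewer, alphabetic first character, alphanumeric thereafter, and the ./ or / prefix that selects HFS syntax) are easy to get wrong when a script builds file references. The following Python is an added example, not HP code: it validates traditional MPE names with the CI's own error wording and tells HFS references apart from traditional file.group.account ones. It does not check the HFS length limits of Table 1-2, which are not reproduced here.

```python
"""Added example (not from the HP manual): validate traditional MPE names and
tell HFS-syntax references apart from traditional ones, following the rules
above (eight characters or fewer, alphabetic first character, alphanumeric
thereafter; HFS names begin with ./ or /). The error texts reuse the CI
messages quoted in appendix A. HFS name lengths (Table 1-2) are not checked.
"""
import string

_ALPHA = set(string.ascii_letters)
_ALNUM = _ALPHA | set(string.digits)


def validate_mpe_name(name, kind="FILE"):
    """Return the name upper-cased, or raise ValueError with the CI's wording."""
    kind = kind.upper()
    if len(name) > 8:
        raise ValueError(f"{kind} NAME is more than eight CHARACTERS LONG")
    if not name or name[0] not in _ALPHA:
        raise ValueError(f"FIRST CHARACTER IN {kind} NAME NOT ALPHABETIC")
    if any(c not in _ALNUM for c in name):
        raise ValueError(f"EMBEDDED NON-ALPHANUMERIC CHARACTER IN {kind} NAME")
    return name.upper()


def classify_file_reference(ref):
    """('HFS', path) when HFS syntax applies, else ('MPE', (FILE, GROUP, ACCOUNT)).

    Only the components actually present are returned for an MPE reference,
    so a bare 'PROGNAME' yields ('MPE', ('PROGNAME',)).
    """
    if ref.startswith("/") or ref.startswith("./"):
        return ("HFS", ref)          # HFS syntax: the name is left exactly as given
    parts = ref.split(".")
    if len(parts) > 3:
        raise ValueError(f"too many components in MPE file reference {ref!r}")
    kinds = ("FILE", "GROUP", "ACCOUNT")
    return ("MPE", tuple(validate_mpe_name(p, k) for p, k in zip(parts, kinds)))


if __name__ == "__main__":
    for ref in ("/OFFICE/GRP/assets", "./assets", "summary.pub.sys", "PROGNAME"):
        print(ref, "->", classify_file_reference(ref))
```

Traditional names are folded to upper case because the CI accepts either case for them; HFS paths are returned untouched, since the prefix alone decides which syntax applies.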
2 Accessing the System
Getting Started
To Log On
Logging on means identifying yourself to the computer. You must identify yourself as an authorized user by typing your logon identity (user name and account) and a password. If you do not have a logon identity, ask your system administrator to give you one. If this is the first time you have logged on to this system you will be asked to select a password. After switching on the terminal, press Return one or more times until you see the system prompt.
Never use your birthday, your street address, or any other number that has anything to do with yourself. Never use any word spelled backwards. Never share passwords. When two (or more) people use the same account, the system loses its ability to hold users responsible for their actions. Never write passwords down. Some of the most notorious penetrations have occurred because a user wrote a password on a terminal. Never re-use a password. This increases the probability that someone can guess the password.
Use the NEWACCT, NEWGROUP, and NEWUSER commands to create passwords for a new account, group, and user, respectively. Use the ALTACCT, ALTGROUP, and ALTUSER commands to modify existing passwords.
Changing Your Password
You can change your own passwords with the :PASSWORD command. To change a password, enter:
:PASSWORD
The system prompts for the required information. When using :PASSWORD, a user may not replace an existing password with exactly the same password.
If the user makes a mistake when entering the new password the second time, the system prints the message NEW PASSWORD NOT VERIFIED, and asks the user to enter the new password again. If the user is not successful after three tries, the logon process terminates, and the user must go through the procedure again. A user will not be allowed to log on until a new password is successfully entered.
not. Old passwords stay unencrypted. As new passwords are added or old ones changed, the system encrypts them automatically.
Caution: Your old password is not encrypted. The system leaves your old password unencrypted until you change it.
Minimum Password Lengths
MPE/iX permits passwords of up to eight characters. The longer the password, the more difficult it is for it to be discovered by trial and error. A minimum length for passwords can be set by the System Manager.
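The password rules in this chapter (eight characters at most, a minimum length set by the System Manager, no replacing a password with itself, no re-use, no word spelled backwards) and the three-try verification step of :PASSWORD can be expressed as a small policy check. The Python below is an added example, not HP code; the word list it uses for the "spelled backwards" rule is a constructed stand-in for a real dictionary, and the verification loop is a model of the prompt sequence described above rather than the CI itself.

```python
"""Added example (not from the HP manual): enforce the stated password rules and
model the :PASSWORD verification step, which ends the logon after three
mismatched re-entries. REVERSED_WORD_LIST is a constructed stand-in dictionary.
"""
MAX_LENGTH = 8                                           # MPE/iX limit stated above
REVERSED_WORD_LIST = {"secret", "hewlett", "payroll"}    # constructed, not a real dictionary


def password_violations(candidate, current=None, history=(), min_length=1):
    """Return the list of rules the candidate breaks (empty when acceptable)."""
    problems = []
    if len(candidate) > MAX_LENGTH:
        problems.append("longer than eight characters")
    if len(candidate) < min_length:
        problems.append(f"shorter than the {min_length}-character minimum")
    if current is not None and candidate == current:
        problems.append("identical to the existing password")
    if candidate in history:
        problems.append("re-used from an earlier password")
    if candidate.lower()[::-1] in REVERSED_WORD_LIST:
        problems.append("a word spelled backwards")
    return problems


def change_password(attempts, current, history=(), min_length=1, max_tries=3):
    """Model the :PASSWORD prompt; attempts is a list of (new, retyped) pairs.

    A mismatch corresponds to NEW PASSWORD NOT VERIFIED and asks again; the
    third mismatch terminates the logon (None is returned). A matching pair is
    checked against the policy and returned, or rejected with ValueError.
    """
    mismatches = 0
    for new, retyped in attempts:
        if new != retyped:
            mismatches += 1
            if mismatches >= max_tries:
                return None
            continue
        problems = password_violations(new, current, history, min_length)
        if problems:
            raise ValueError("; ".join(problems))
        return new
    return None


if __name__ == "__main__":
    print(change_password([("ab1", "ab2"), ("newpw1", "newpw1")], "old1"))   # newpw1
    print(change_password([("ab1", "ab2")] * 3, "old1"))                     # None
```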
PASSWORD PROMPTS ARE REQUIRED, EMBEDDED PASSWORDS ARE NOT ALLOWED. (CIERR 1449)
Note: If you have attempted to log on with an embedded password and received an error message, be careful to clear the screen so that your password will not be discovered.
This exception is intended to prevent situations where a system is inaccessible because all user IDs have been disabled. Batch data and jobs cannot be submitted using user IDs associated with disabled user entries. Attempts to submit batch data or jobs using disabled user IDs will be aborted. User IDs with non-zero downtime intervals are automatically enabled after their downtime intervals have elapsed.
Providing Minimal Logon Assistance
Normally, when users make a mistake while logging on, the system helps by identifying the mistake. For example, when a user enters an invalid logon command, the system displays one or more of the following messages:
EXPECTED [SESSION NAME,] USER.ACCT[,GROUP] (CIERR 1424)
EXPECTED ACCOUNT NAME. (CIERR 1426)
EXPECTED GROUP NAME. (CIERR 1429)
If your system is configured for minimal logon assistance, such messages will not be displayed.
PASSWORD !COMMENT
The first example will be rejected if embedded passwords and exempting REMOTE HELLO are not allowed. The second example is acceptable whether or not embedded passwords are allowed.
Note: Embedded passwords in remote sessions are not recommended.
Passwords in Batch Submissions
Just as embedded passwords are a source of security exposure in sessions, so too are passwords embedded in batch submissions.
Restricting Job Cross Streaming
The Cross Streaming Authorization Option
To preserve accountability of each individual user, the security administrator can disallow cross streaming. This prevents a person without SM or AM (of the appropriate account) from streaming jobs that log on as another person. Since these rules may be too restrictive in some situations, an exception to the rule is provided in the form of the Cross Streaming Authorization option.
The Stream Privilege feature is independent of the Cross Streaming restriction. System Managers, Account Managers and job owners always have the right to stream jobs within their domain of control, even with the cross streaming restriction in effect. On the other hand, they do not have the right to bypass password authentication when the Stream Privilege feature is not enabled. Stream privilege can be granted at two levels: 1.
3 Protecting Your System with Access Control Definitions (ACDs)
Access Control Definitions (ACDs)
What is an ACD?
MPE/iX file system access can be controlled by using access control definitions (ACDs). You can use an ACD to specify permissions and restrictions for access to a file. In addition, ACDs allow you to secure logical devices, device names, and device classes.
Note: ACD security replaces all standard file system security that may be in effect for that file or device.
c. If there is an ACD associated with the file and that ACD contains the $OWNER entry, you are restricted to the access permissions assigned to $OWNER. (Since you are the file owner, you can always modify the ACD if you need more access permissions than provided by the $OWNER entry.) If you are not the owner of the file, the system performs the check described in step 4.
4. Is there an ACD assigned to the file? If there is no ACD assigned to the file, the system performs the checking described in step 5.
Access modes
ACD pairs control the ability to access and change MPE files, hierarchical directories, and the files within them. MPE/iX has enhanced the ALTSEC command to support access to directories. The available ACD access modes are as follows:
FILES AND DEVICES
R Read a file.
W Write to a file.
L Lock a file.
A Append to a file.
X Execute a file.
DIRECTORIES
CD Create directory entries.
DD Delete directory entries.
RD Read directory entries.
TD Traverse directory entries.
Table 3-1. File Access Modes
Access Mode / Mnemonic Code / Meaning
READ / R / Allows users to read files.
LOCK / L / Permits a user to prevent concurrent access to a file. Specifically, it permits the use of the FLOCK and FUNLOCK intrinsics, and the exclusive-access option of the HPFOPEN and FOPEN intrinsics, all described in the MPE/iX Intrinsics Reference Manual (32650-90028).
Because the root, accounts, and MPE groups are special types of directories on MPE/iX, you cannot control access to them using ACDs. You cannot apply TD, DD, CD, or RD to MPE groups or accounts. You need to use existing mechanisms. For example, use the ALTGROUP command to change save access permissions for MPE groups.
The userspecs part of an ACD pair specifies one user or a group of users assigned the access modes specified in the modes part of the same pair.
$GROUP Specifies the file group members of the file or directory. If the user's GID (in the form account) matches the GID of the file, the user is granted the access permission assigned to $GROUP.
$GROUP_MASK Restricts all ACD entries except for $OWNER and @.@. In this case, if a user matches a user.account entry, $GROUP entry, or @.account entry, the matching entry is granted the access if it appears in both $GROUP and $GROUP_MASK. An ACD with a $GROUP_MASK entry must also have a $GROUP entry.
HFS Object deletion
To delete a file or subdirectory from a directory, you must have DD access to the directory. For files in MPE groups, you only need WRITE access to the file. For directories in MPE groups, you only need SAVE access to the MPE group.
HFS File renaming
Any user with the proper access can rename a file. To rename a file, you must have both CD and DD access. DD is required to delete the old entry from the directory where the file resides, and CD is required to create the new directory entry.
Appropriate Privilege
Appropriate privilege means that the user has sufficient capabilities to perform an operation even if the user is not explicitly granted the necessary access. The user's capabilities grant the correct access to the directory or file. Appropriate privilege does not override file lockwords, privileged files, privileged file codes, or write-protected files.
Users with appropriate privilege still get X access to files with executable file codes. X is also used to grant STREAM access to JOB files. Users with appropriate privilege can still stream these files because they have R access to the files.
User Identification
Users on MPE/iX are now identified by a user ID (UID). The UID is a string (in the form user.account) with a corresponding integer value. Each MPE account has a group ID (GID) associated with it.
CWD and File Security You can now change the current working directory (CWD) to any directory (including an MPE account, an MPE group, the root directory, or an HFS directory) as long as you have TD access to the directories in the path to the directory. This means that you can change your CWD to any MPE group on the system because all users have RD and TD access to the root directory, all accounts, and all groups, by default.
ACD examples
You assign ACDs using the ALTSEC command. In addition, files created in hierarchical directories and hierarchical directories themselves are automatically assigned ACDs. Following is an example of an ACD that could be assigned to a text file:
NONE:JIM.DOE,@.ACCTING;R,W,X,L:@.PAYROLL;R:@.@
The ACD pairs in this example set up the following access controls on the text file:
Deny JIM.DOE and all users in the ACCTING account access to the file.
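To see how an ACD string such as the one above resolves for a given logon, and how the $GROUP, $GROUP_MASK and $OWNER entries described earlier and the CD/DD requirement for renaming interact with it, here is an added Python example (not HP code and not the MPE/iX implementation). It assumes, where the manual does not say, that the most specific matching entry decides with the ranking $OWNER, then user.account, then $GROUP, then @.account, then @.@; that NONE grants no modes; and that a $GROUP_MASK entry limits every matched entry other than $OWNER and @.@ to the modes also present in the mask. Ownership and GID membership are passed in as flags instead of being looked up from a real file system.

```python
"""Added example (not from the HP manual): evaluate an MPE/iX-style ACD string.

Assumptions (not stated in the manual): most specific match wins, ranked
$OWNER > user.account > $GROUP > @.account > @.@; NONE grants nothing; a
$GROUP_MASK entry limits every matched entry except $OWNER and @.@ to the
modes that also appear in the mask. Ownership and GID match are given as flags.
"""

# File/device modes and directory modes from the access-mode section above.
VALID_MODES = {"R", "W", "L", "A", "X", "RACD", "CD", "DD", "RD", "TD"}
_RANK_OWNER, _RANK_USER, _RANK_GROUP, _RANK_ACCOUNT, _RANK_ALL = 5, 4, 3, 2, 1


def parse_acd(acd):
    """Split 'modes:userspecs;modes:userspecs' into a list of (modes, [userspecs])."""
    pairs = []
    for pair in acd.split(";"):
        if not pair.strip():
            continue
        modes_text, sep, users_text = pair.partition(":")
        if not sep or not users_text.strip():
            raise ValueError(f"ACD pair needs 'modes:userspecs': {pair!r}")
        modes_text = modes_text.strip().upper()
        modes = frozenset() if modes_text == "NONE" else frozenset(
            m.strip() for m in modes_text.split(","))
        unknown = modes - VALID_MODES
        if unknown:
            raise ValueError(f"unknown access mode(s) {sorted(unknown)} in {pair!r}")
        pairs.append((modes, [u.strip().upper() for u in users_text.split(",")]))
    return pairs


def _rank(spec, uid, is_owner, gid_match):
    """How specifically a userspec matches the caller (0 = no match)."""
    user, _, account = uid.partition(".")
    if spec == "$OWNER":
        return _RANK_OWNER if is_owner else 0
    if spec == "$GROUP":
        return _RANK_GROUP if gid_match else 0
    if spec == "$GROUP_MASK":
        return 0                       # a mask never matches on its own
    spec_user, _, spec_account = spec.partition(".")
    if spec_account not in ("@", account):
        return 0
    if spec_user == "@":
        return _RANK_ALL if spec_account == "@" else _RANK_ACCOUNT
    if spec_user == user and spec_account == account:
        return _RANK_USER
    return 0


def effective_modes(acd, uid, is_owner=False, gid_match=False):
    """Return the set of modes the ACD grants to uid (e.g. 'SUE.PAYROLL')."""
    uid = uid.upper()
    mask, has_group_entry = None, False
    best_rank, best_modes = 0, frozenset()
    for modes, users in parse_acd(acd):
        for spec in users:
            if spec == "$GROUP_MASK":
                mask = modes
                continue
            has_group_entry |= spec == "$GROUP"
            rank = _rank(spec, uid, is_owner, gid_match)
            if rank > best_rank:
                best_rank, best_modes = rank, modes
    if mask is not None and not has_group_entry:
        raise ValueError("an ACD with $GROUP_MASK must also have a $GROUP entry")
    if mask is not None and best_rank in (_RANK_USER, _RANK_GROUP, _RANK_ACCOUNT):
        best_modes &= mask             # the mask leaves $OWNER and @.@ untouched
    return set(best_modes)


def can_access(acd, uid, mode, **who):
    """True if the ACD grants the single mode (e.g. 'W') to uid."""
    return mode.upper() in effective_modes(acd, uid, **who)


def can_rename(dir_acd, uid, **who):
    """Renaming needs DD (delete the old entry) and CD (create the new one) on the directory."""
    return {"CD", "DD"} <= effective_modes(dir_acd, uid, **who)


# The manual's own example ACD for a text file.
EXAMPLE_ACD = "NONE:JIM.DOE,@.ACCTING;R,W,X,L:@.PAYROLL;R:@.@"

if __name__ == "__main__":
    for uid in ("JIM.DOE", "TOM.ACCTING", "SUE.PAYROLL", "ANN.SALES"):
        print(uid, sorted(effective_modes(EXAMPLE_ACD, uid)))
```

Run against the manual's example, JIM.DOE and any ACCTING user get nothing, PAYROLL users get R, W, X and L, and everyone else gets R only; the `$GROUP_MASK` check raises on an ACD that has a mask but no `$GROUP` entry, which is the constraint the text states.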
Tasks Involving System Security
The following sections describe tasks relating to system security such as listing ACDs, assigning ACDs, changing ACDs, and copying ACDs.
Use the -2 list file option of the LISTFILE or LISTF commands to list ACD information associated with a file. Any user on a system can use these commands to determine if a file has an ACD. In order to view the contents of an ACD, you must be either an owner of the file or a user granted RACD access to that file.
Because ACDs supersede other security mechanisms, it is useful to be able to determine whether or not an HFS directory or file has an ACD assigned to it and, if so, what it is. Any directories or files residing outside of traditional MPE groups are automatically assigned ACDs when they are created. You can list ACDs by using the LISTFILE command with the -2 (also called ACD) option.
listfile /OFFICE/GRP/assets,-2
PATH=/OFFICE/GRP/
------------ACD ENTRIES--------------
FILENAME
assets    ZONIS.OFFICE : R
          @.OFFICE     : R,W
          @.@          : R,W,X
The next example shows how you can list the ACDs for all of the files in the GRP directory. It shows the ACDs on the file assets as in the previous example and lists the ACDs on the other two files in the directory.
listfile /OFFICE/GRP/@,-2
PATH=/OFFICE/GRP/
------------ACD ENTRIES------------
FILENAME
ZONIS.OFFICE @.OFFICE @.@ ZONIS.
Creating ACDs
Use the NEWACD option of the ALTSEC command to create an ACD and assign it to a file or device. You must be an owner of a file to create and assign an ACD to that file. Only a system manager can assign ACDs to logical devices, device names, and device classes. You can assign ACD pairs to the new ACD either from within the command line or by referencing a file that contains one or more ACD pairs. To create an ACD and assign it to the file PROGNAME, enter:
ALTSEC PROGNAME;NEWACD=(X:@.@;W:@.
Adding an ACD Pair
Use the ADDPAIR parameter of the ALTSEC command to add an ACD pair to an ACD. To add a new ACD pair that grants the user ENGR.LAB the access modes READ, WRITE, LOCK, APPEND, EXECUTE, and RACD to the file PROGNAME, enter:
ALTSEC PROGNAME;ADDPAIR=(R,W,L,A,X,RACD:ENGR.
The file SUMMARY has an ACD (RACD:@.@). You want to grant read and write access to users in your account:
:ALTSEC SUMMARY;ADDPAIR=(W,R:@.ACCT)
Deleting ACDs
Use the DELACD parameter of ALTSEC to delete an ACD assigned to a file or device. You must be an owner of a file in order to delete an ACD from that file. Only a system manager can delete ACDs from logical devices, device names, and device classes. To eliminate any ACD that may be in effect for device class LP, enter:
ALTSEC LP,DEVCLASS;DELACD
Deleting an ACD Pair
Use the DELPAIR parameter of the ALTSEC command to delete a user name from an ACD. All other user names are unaffected.
Copying ACDs
Use the COPYACD parameter of the ALTSEC command to copy an ACD from a source file to a target file or device. In order to copy an ACD, you must be an owner of the source file or a user granted RACD access to the source file. In addition, you must be an owner of the target file. To copy the ACD from the file PROGNAME to the file NEWFILE, enter:
ALTSEC NEWFILE;COPYACD=PROGNAME
Copying ACD Pairs
You can copy ACD pairs from one file to another or from one directory to another.
target file, removing all security restrictions in effect for the target file. When an ACD is removed from a file, standard file system security restrictions are imposed.
4 Protecting Your Files with Capabilities, File Access Restrictions and Lockwords
File System Security Features
The account structure contains three important, standard file system security features: capabilities, file access restrictions, and lockwords. The recommended file system security feature, "Access Control Definitions," is described in a previous chapter.
Capabilities
A variety of people use HP 3000 Computer Systems.
Listing Capabilities
Note: If the password is encrypted, the commands LISTUSER, LISTGROUP, and LISTACCT will only display the password as "*ENCRYPTED*", making a password truly private to its owner.
Listing Account Capabilities
Use the LISTACCT command to check the capabilities of an account.
****************** GROUP: ENGR.SMITH
DISC SPACE: 5752 (SECTORS)        PASSWORD: **
CPU TIME: 102(SECONDS)            SECURITY-- READ    : GU
CONNECT TIME: 0(MINUTES)                     WRITE   : GU
DISC LIMIT: UNLIMITED                        APPEND  : GU
CPU LIMIT: UNLIMITED                         LOCK    : GU
CONNECT TIME: UNLIMITED                      EXECUTE : GU
PRIV VOL : n/a                               SAVE    : GU
FILE UFID: $000D401 $80001050 $000FF620 $00000008 $0000000A
MOUNT REF CNT: n/a
HOME VOL SET : MPE_SYS_VOL_SET
CAP: IA,BA
Refer to appendix A for definitions of the capabilities.
Listing User Capabilities
Use the LISTUSER command to check the capabilities of a user. For example, to review the capabilities of the user BORIS in the JONES account, enter:
LISTUSER BORIS
The screen displays:
******************** USER: BORIS.JONES
HOME GROUP: DEVELOP         PASSWORD: *ENCRYPTED*
MAX PRI : 150               LOC ATTR: $00000000
CONNECT TIME: 0(MINUTES)    WRITE : GU
LOGON CNT : 1
CAP: AM,AL,GL,DI,DV,UV,LG,CS,ND,SF,IA,BA,PH,DS,MR,PM
Refer to appendix A for definitions of the capabilities.
Capabilities Table Table 4-1 lists MPE/iX capabilities and their standard abbreviations. It also shows the types of users that require each capability. Use the information in Table 4-1 to establish capabilities for your system. Table 4-1.
Extra Data Segments (DS)
This capability lets users and programs create and manage extra data segments. Normally, a program uses these data segments for temporarily storing large amounts of data. Thus, the program's global data area stays relatively small. The extra data segment is purged at the end of the program. Programmers manage extra data segments through the GETDSEG, FREEDSEG, DMOVIN, DMOVOUT, and ALTDSEG intrinsics.
Group Librarian (GL)
Interactive Access (IA)
Multiple RIN (MR)
Caution
Use Nonshareable Devices (ND)
This capability allows the use of devices other than terminals and discs including spooled devices. If the device is not spooled, the user has complete control of it. Examples of nonshareable devices are card readers, line printers, magnetic tape units, and plotters. This capability is not needed to use the standard job or session input and list devices.
Use Mountable Volume Sets (UV)
Privileged Mode (PM)
Save User Files Permanently (SF)
This capability allows the use of the BUILD, SAVE, and RESTORE commands, and the SAVE option of the FILE command, described in the MPE/iX Commands Reference Manual Volumes 1 and 2 (32650-90003 and 32650-90364). Users without SF capability can create job or session temporary files that MPE/iX automatically deletes when the job or session ends.
System Manager (SM)
System Supervisor (OP)
Use User Logging
Restricting File Access
Associated with each account, group, and individual file is a list of file access restrictions. Access restrictions apply to disk files only. Their restrictions are based on the following:
File access modes, such as reading, writing, saving, executing, locking, and appending.
User types, such as account librarians, group librarians, and account members for whom certain access modes are allowed.
The access restrictions for any file describe who can access it and in what manner.
User Types
Table 4-3 lists user types, the codes used to reference them, and their complete descriptions.
Table 4-3. User Types
User Type / Mnemonic Code / Meaning
Any user / ANY / Any user defined in the system. This includes all categories defined below.
Account librarian user / AL / User with account librarian capability, who can manage files within the account, which may include more than one group.
Specifying File Access Restrictions
When a user tries to access a file, the system checks the account-level, group-level, and file-level file access restrictions. Those restrictions must give the user access rights at all three levels. If the user fails to pass the security check at any level, the system denies the user access to the file. Account file access restrictions are set when an account is created. You set group file access restrictions when you create a group.
For all other accounts, READ, APPEND, WRITE, LOCK, and EXECUTE access are limited to account members (R,A,W,L,X:AC).
Group-Level Security
The account manager sets the file access restrictions that apply to all files within a group when creating the group. They can be equal to or more restrictive than the provisions specified at the account level.
For a public group (named PUB) of an account (named SYS), the following default restrictions apply: (R,X,L:ANY;W,A,S:AL,GU). For all other groups in the account, READ, APPEND, WRITE, SAVE, LOCK, and EXECUTE access are limited to group users (R,A,W,S,L,X:GU).
File-Level Security
When you create a file, it has the default file-level security provisions assigned by MPE and the provisions assigned by the account and the group to which it belongs.
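The three-level check described above (account, group and file restrictions must all permit the request) is shown here as an added Python example, not HP code. It parses the manual's restriction syntax, (modes:usertypes;modes:usertypes), with the mode and user-type codes from this chapter, reuses the CI error texts from appendix A for malformed lists, and ignores SAVE at the account level as the CI does. The account-level list for SYS and the file-level default are constructed placeholders, since the manual's values for them are not reproduced on this page; the accessor's user types are supplied as flags rather than derived from a real logon.

```python
"""Added example (not from the HP manual): check a file access request against
the account-, group- and file-level restriction lists; all three must allow it.

Syntax follows the manual: (modes:usertypes;...), modes R W A L X S, user
types ANY AC AL GU GL CR. ACCOUNT_SYS_EXAMPLE and FILE_EXAMPLE are constructed
placeholders, not values quoted from the manual.
"""
from dataclasses import dataclass

MODES = {"R", "W", "A", "L", "X", "S"}
USER_TYPES = {"ANY", "AC", "AL", "GU", "GL", "CR"}


@dataclass(frozen=True)
class Accessor:
    """Who is asking, expressed as the manual's user types."""
    account_member: bool = False      # AC: logged on to the file's account
    group_user: bool = False          # GU: logged on to the file's group
    account_librarian: bool = False   # AL: holds AL capability in that account
    group_librarian: bool = False     # GL: holds GL capability in that group
    creator: bool = False             # CR: created the file

    def is_type(self, user_type):
        return {"ANY": True, "AC": self.account_member, "GU": self.group_user,
                "AL": self.account_librarian, "GL": self.group_librarian,
                "CR": self.creator}[user_type]


def parse_restrictions(spec, level="file"):
    """Return {mode: set(user types)} for one level's restriction list."""
    text = spec.strip()
    if not text.startswith("("):
        raise ValueError('EXPECTED "(" TO START SECURITY SPECIFICATIONS')
    if not text.endswith(")"):
        raise ValueError('EXPECTED a ")" following the SECURITY SPECIFICATIONS')
    allowed = {mode: set() for mode in MODES}
    for pair in text[1:-1].split(";"):
        if not pair.strip():
            continue
        modes_text, sep, users_text = pair.partition(":")
        if not sep:
            raise ValueError('EXPECTED "colon" SEPARATING MODE LIST FROM USER LIST')
        modes = {m.strip().upper() for m in modes_text.split(",")}
        users = {u.strip().upper() for u in users_text.split(",")}
        if not users <= USER_TYPES:
            raise ValueError("EXPECTED ONE OF ANY AC, AL, GU, GL, OR CR USER TYPES")
        if not modes <= MODES:
            raise ValueError(f"unknown access mode in {pair!r}")
        if level == "account":
            modes.discard("S")        # SAVE ACCESS NOT ALLOWED AT ACCOUNT LEVEL (ignored)
        for mode in modes:
            allowed[mode] |= users
    return allowed


def level_permits(allowed, mode, who):
    """One level passes if any user type granted the mode describes the accessor."""
    return any(who.is_type(t) for t in allowed[mode.upper()])


def check_access(account_spec, group_spec, file_spec, mode, who):
    """The request succeeds only if all three levels permit it."""
    levels = (parse_restrictions(account_spec, "account"),
              parse_restrictions(group_spec, "group"),
              parse_restrictions(file_spec, "file"))
    return all(level_permits(allowed, mode, who) for allowed in levels)


# Defaults quoted in the manual.
ACCOUNT_DEFAULT = "(R,A,W,L,X:AC)"              # any account other than SYS
GROUP_PUB_SYS = "(R,X,L:ANY;W,A,S:AL,GU)"       # PUB group of the SYS account
GROUP_DEFAULT = "(R,A,W,S,L,X:GU)"              # any other group
# Constructed placeholders for this example only.
ACCOUNT_SYS_EXAMPLE = "(R,A,W,L,X:ANY)"
FILE_EXAMPLE = "(R,A,W,L,X:ANY)"

if __name__ == "__main__":
    outsider = Accessor()
    member = Accessor(account_member=True, group_user=True)
    print(check_access(ACCOUNT_DEFAULT, GROUP_DEFAULT, FILE_EXAMPLE, "R", outsider))  # False
    print(check_access(ACCOUNT_DEFAULT, GROUP_DEFAULT, FILE_EXAMPLE, "R", member))    # True
```

The defaults alone illustrate the rule: an account member who is not a group user passes the account level for READ but is stopped at the group level, and a wide-open file-level list cannot loosen what the account or group denies.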
Table 4-4. Default File Access Restrictions
File / File Reference / Access Permitted / Save Access To Group
Any file in public group of system account / filename.PUB.SYS
Any file in any group in system account / filename.groupname.SYS
Any file in public group of any account / filename.PUB.accountname
Any file in any group in any account / filename.groupname.accountname
Figure 4-1. Lockwords and Passwords
Note: Lockwords should not be used on files that have ACDs attached to them.
Releasing and Securing File Security
Sometimes other users need temporary access to your files. For example, individual members of a project team might keep their own records of the hours they worked on different aspects of the project. At the end of the month, the project manager compiles the individual reports into a team report.
When default file access restrictions are in effect, general users can release and secure files only in their logon group and account.
Summary
Here is a summary of some important file system security rules:
General users can create files only in their own accounts.
Only the creator can modify a file's security or rename the file.
If a file has a lockword, that lockword is required to open the file.
An account manager has unlimited access to every file within an account.
A Error Messages
General Error Messages
The first section of this appendix describes error messages returned by the CI (Command Interpreter) that relate to general security and account structure functions. Possible causes and suggestions for recovery are provided. The second section of this appendix describes ACD related error messages.
MESSAGE: EXPECTED "(" TO START SECURITY SPECIFICATIONS
CAUSE: The left parenthesis was not included at the beginning of the security specifications.
ACTION: Include the left parenthesis on the command line.
MESSAGE: EXPECTED a ")" following the SECURITY SPECIFICATIONS
CAUSE: The right parenthesis was not included at the end of the security specifications.
ACTION: Include the right parenthesis on the command line.
MESSAGE: IGNORED. SAVE ACCESS NOT ALLOWED AT ACCOUNT LEVEL
CAUSE: You cannot specify SAVE access at the account level.
ACTION: This message is informational only.
MESSAGE: EXPECTED "colon" SEPARATING MODE LIST FROM USER LIST
CAUSE: You did not include a colon (:) between the mode list and the user list.
ACTION: Include a colon (:) on the command line.
MESSAGE: EXPECTED ONE OF ANY AC, AL, GU, GL, OR CR USER TYPES
CAUSE: You did not include an acceptable user type.
MESSAGE: THIS USER TYPE NOT ALLOWED AT ACCOUNT LEVEL
CAUSE: You specified a user type that is not allowed at the account level.
ACTION: This message is informational only.
MESSAGE: READ ACCESS FOR THIS USER TYPE REDUNDANTLY SPECIFIED
CAUSE: You specified read access more than once on the same command line.
ACTION: This message is informational only.
MESSAGE: SAVE ACCESS FOR THIS USER TYPE REDUNDANTLY SPECIFIED
CAUSE: You specified save access more than once on the same command line.
ACTION: This message is informational only.
MESSAGE: THIS ACCESS MODE REDUNDANTLY SPECIFIED ON THIS ACCESS LIST
CAUSE: One of the access modes that you specified was repeated in the access list.
ACTION: This message is informational only.
MESSAGE: MISSING DELIMITER AFTER FILE NAME
CAUSE: You did not include a delimiter after the file name.
ACTION: Include a delimiter (semicolon, comma, period, or space) after the file name. See the MPE XL Commands Reference Manual (32650-90003) for the correct syntax.
MESSAGE: FIRST CHARACTER IN GROUP NAME NOT ALPHABETIC
CAUSE: The first character of your group name is nonalphabetic. You probably mistyped the group name.
ACTION: Retype the command.
MESSAGE: ACCOUNT NAME MISSING
CAUSE: You did not include an account name on the command line.
ACTION: Specify an account name on the command line.
MESSAGE: ACCOUNT NAME is more than eight CHARACTERS LONG
CAUSE: The account name that you specified is greater than eight characters. Account names can only be eight characters or fewer in length. You probably mistyped the account name.
ACTION: Retype the command.
Message numbers: 594, 730, 731, 732, 733, 734

MESSAGE: EMBEDDED NON-ALPHANUMERIC CHARACTER IN USER NAME
CAUSE: User names can consist of both alphabetic and numeric characters. One of the characters in the user name that you specified is neither alphabetic nor numeric. You probably mistyped the user name.
ACTION: Retype the command.

MESSAGE: ALTACCT CAN HANDLE A MAXIMUM OF 71 PARAMETERS
CAUSE: You have specified too many parameters on the command line.
Message numbers: 735, 736, 737, 738, 739

MESSAGE: NEWUSER CAN HANDLE A MAXIMUM OF 71 PARAMETERS
CAUSE: You have specified too many parameters on the command line.
ACTION: Consult the MPE XL Commands Reference Manual (32650-90003) for acceptable parameters.

MESSAGE: EXPECTED COMMA AFTER ACCOUNT NAME, BEFORE MANAGER'S NAME
CAUSE: You did not include a comma between the account name and the manager's name.
ACTION: Include a comma between the account name and the manager's name.
Message numbers: 740, 741, 742, 743, 744

MESSAGE: UNIDENTIFIABLE PARAMETER.
CAUSE: The command that you issued does not recognize one of the parameters. You may have omitted a delimiter (semicolon, comma, period, or space) between parameters.
ACTION: Check the MPE XL Commands Reference Manual (32650-90003) and make sure that you did not omit a delimiter. If you did, enter it.
Message numbers: 745, 746, 747, 748, 749, 750

MESSAGE: MAXPRI INAPPROPRIATE FOR GROUPS. IGNORED
CAUSE: The MAXPRI parameter cannot be specified for groups. It was ignored.
ACTION: This message is informational only.

MESSAGE: CAPABILITY LIST REDUNDANTLY SPECIFIED. LAST OCCURRENCE USED
CAUSE: You specified the CAP parameter twice on the same command line. The last CAP list that was specified is the one implemented by the command.
ACTION: This message is informational only.

MESSAGE: NO CAPABILITY SPECIFIED.
Message numbers: 751, 752, 753, 754, 755, 756

MESSAGE: CREATOR SPECIFIED NEITHER IA NOR BA FOR ACCOUNT, SO BOTH WERE IMPOSED
CAUSE: You did not specify either interactive access (IA) or batch access (BA) for the account. At least one of them must be specified; because neither was, the account was given both. If the account should be able to log on only interactively or only in batch, specify the one you intend.
ACTION: This message is informational only.

MESSAGE: CREATOR SPECIFIED NEITHER IA NOR BA FOR USER, SO BOTH WERE IMPOSED
CAUSE: You did not specify either interactive access (IA) or batch access (BA) for the user. At least one of them must be specified; because neither was, the user was given both.
Message numbers: 758, 760, 761, 762, 764, 765

MESSAGE: EMBEDDED SPECIAL CHARACTER IN MANAGER'S NAME
CAUSE: The name of the manager can consist of both alphabetic and numeric characters. One of the characters in your manager name is neither alphabetic nor numeric. You probably mistyped the command.
ACTION: Retype the command.

MESSAGE: PASSWORD MUST START WITH ALPHABETIC CHARACTER
CAUSE: The password that you specified does not start with an alphabetic character. You probably mistyped the command.
Message numbers: 767, 768, 769, 770, 771, 773

MESSAGE: FILES OPTION INAPPROPRIATE FOR USERS. IGNORED
CAUSE: You cannot specify the FILES option for a user.
ACTION: This message is informational only.

MESSAGE: EXPECTED POSITIVE INTEGER <2,147,483,647 AS SECTORS LIMIT
CAUSE: You specified a sectors limit with the FILES option that is greater than 2147483647.
ACTION: Specify a new sectors limit that is less than 2147483647.
Message numbers: 774, 775, 776, 779, 781, 782

MESSAGE: EXPECTED POSITIVE INTEGER <2,147,483,647 AS CPU SECONDS LIMIT
CAUSE: You specified a CPU limit that is greater than 2147483647.
ACTION: Specify a new CPU limit that is less than 2147483647.

MESSAGE: CPU SECONDS LIMIT MAY NOT BE A NEGATIVE NUMBER
CAUSE: You specified a negative number for the CPU seconds limit. Only a positive number is allowed.
ACTION: This message is informational only.

MESSAGE: CPU SECONDS LIMIT REDUNDANTLY SPECIFIED.
Message numbers: 784, 785, 786, 787, 788, 789

MESSAGE: "SM" CAPABILITY CANNOT BE REMOVED FROM MANAGER.SYS. REJECTED
CAUSE: You cannot remove System Manager (SM) capability from MANAGER.SYS.
ACTION: Review account structure capabilities in this manual.

MESSAGE: ATTEMPT TO REMOVE SM CAPABILITY FROM SYS ACCOUNT OVERRIDDEN
CAUSE: You cannot remove System Manager (SM) capability from the SYS account.
ACTION: Review account structure capabilities in this manual.
Message numbers: 790, 791, 792, 793, 794

MESSAGE: GROUP CAPABILITIES REQUESTED EXCEED ACCOUNT CAPABILITIES "NOT" GRANTED
CAUSE: The group capabilities cannot exceed the account capabilities; the excess capabilities were not granted.
ACTION: This message is informational only.

MESSAGE: GROUP FILE SPACE LIMIT REQUESTED LESS THAN ACTUAL SPACE ALREADY IN USE. COMMAND REJECTED
CAUSE: You have requested a group file space limit that is less than the space that is already in use. The command was not executed.
ACTION: This message is informational only. To lower the limit, specify a value at least as large as the space currently in use, or free space in the group first.
Message numbers: 795, 796, 797, 798, 799

MESSAGE: USER ASSIGNED LOCAL ATTRIBUTES GREATER THAN THE ACCOUNT LOCAL ATTRIBUTES. LOWERED TO ACCOUNT'S
CAUSE: User local attributes cannot be greater than the account's local attributes.
ACTION: The user local attributes were automatically lowered to the account's local attributes.

MESSAGE: HOME GROUP REDUNDANTLY SPECIFIED. LAST OCCURRENCE USED.
CAUSE: You specified the home group more than once on the command line. The last home group specification is the one implemented.
Message number: 957

MESSAGE: THIS COMMAND REQUIRES SYSTEM MANAGER (SM) CAPABILITY
CAUSE: You must have System Manager (SM) capability to execute this command.
ACTION: See the System Manager.

MESSAGE: THIS COMMAND REQUIRES ACCOUNT MANAGER (AM) CAPABILITY
CAUSE: You must have Account Manager (AM) capability to execute this command.
ACTION: See the Account Manager.
ACD Related Error Messages

This appendix lists error messages which you may encounter when creating or modifying ACDs.

MESSAGE: UNABLE TO DEALLOCATE ACD SPACE. (CIWARN 7100)
CAUSE: ACD information is kept as an MPE "pseudo extent". A pointer to this "pseudo extent" is maintained for each file or device which has an ACD. If you are attempting to delete an ACD, the pseudo extent will be deallocated by MPE. Even if the operation fails and you get this warning, the ACD will still be deleted.
MESSAGE: ACD WAS CORRUPTED PRIOR TO BEING DELETED. (CIWARN 7102)
CAUSE: This message indicates that the ACD you deleted was corrupted. The delete operation succeeded, so there is no ACD associated with the device or file in question.
ACTION: No action needs to be taken. The delete operation has removed the corrupted ACD. You can create a new ACD, if you wish, without any further side effects.

MESSAGE: OPERATION FAILED ON SOME DEVICES SPECIFIED.
MESSAGE: WILDCARDS NOT ALLOWED IN FILENAME HERE. (CIERR 7221)
CAUSE: You have specified a generic file name which contains wildcards as the target file name or the source file name in the :ALTSEC command.
ACTION: Repeat the :ALTSEC command for each file contained in the file set specified by the wildcard.

MESSAGE: LOCKWORDS NOT ALLOWED IN GENERIC FILE SETS. (CIERR 7223)
CAUSE: A file specification containing wildcards should not contain a lockword.
MESSAGE: "_" (UNDERBAR) CHARACTER NOT ALLOWED IN DEVICE CLASS NAME. (CIERR 7229)
CAUSE: The "_" (underbar) character was included in a device class name. Device class names must begin with a letter, and they can contain only letters or numbers after the first character. The maximum length for a device class name is 8 characters.
ACTION: Remove the "_" (underbar) character from the device class name and re-issue the command.
MESSAGE: DUPLICATE ACCESS MODE SPECIFIED. (CIERR 7251)
CAUSE: Your ACD specification contains a duplicated access mode in the list of access modes specified for a single ACD entry.
Examples:
:ALTSEC FILENAME;NEWACD=( R,W,R: FRED.SMITH )
The :ALTSEC command shown above is illegal because read access is specified twice for a single ACD entry (the entry for user FRED.SMITH).
:ALTSEC FILENAME;NEWACD=( R,W: JOE.SMITH; R,X: BILL.
MESSAGE: CONTRADICTORY ACCESS MODES SPECIFIED. (CIERR 7253)
CAUSE: You have specified access modes for a given entry which are contradictory. The examples below clarify what is meant by contradictory access modes.
Examples:
:ALTSEC FILENAME;NEWACD=( R,W,NONE: @.@ )
The :ALTSEC command shown above is illegal because you are granting read and write access to the same user specification (@.@) to which you are also granting no access (NONE).
:ALTSEC FILENAME;NEWACD=( R,W: @.@; NONE: BILL.
MESSAGE: MISSING CLOSE PARENTHESIS ")". (CIERR 7256)
CAUSE: You have omitted the close parenthesis ")" from your ACD specification. Unless you are using an ACD indirect file, both the open and close parentheses are required.
ACTION: Re-issue the command and add the missing close parenthesis.

MESSAGE: MISSING COLON ":". (CIERR 7257)
CAUSE: You have omitted the colon character from your ACD specification. A colon is required after the access modes and before the user specification.
MESSAGE: USER NAME MUST BE "@" IF ACCOUNT NAME IS SPECIFIED AS "@". (CIERR 7261)
CAUSE: You must specify a standard MPE user specification. This specification must take one of the following forms:
username.acctname
@.acctname
@.@
You must use "fully qualified" user specifications (for example, you cannot put the username by itself and default acctname to the logon account).
ACTION: Correct the user specification to conform to the rules specified above.
MESSAGE: USER SPECIFICATION MUST BE FULLY QUALIFIED. (CIERR 7265)
CAUSE: You must specify a standard MPE user specification. This specification must take one of the following forms:
username.acctname
@.acctname
@.@
You must use "fully qualified" user specifications (for example, you cannot put the username by itself and default acctname to the logon account).
ACTION: Correct the user specification to conform to the rules specified above.

MESSAGE: INVALID USER NAME SPECIFIED.
MESSAGE: INTERNAL ERROR NUMBER "-270". (CIERR 7270)
CAUSE: An unexpected internal error has occurred.
ACTION: Try re-issuing the command. If you still get this error, contact your HP Representative and give him/her the internal error number.

MESSAGE: INTERNAL ERROR NUMBER "-271". (CIERR 7271)
CAUSE: An unexpected internal error has occurred.
ACTION: Try re-issuing the command.
MESSAGE: ACD ENTRY DOES NOT EXIST. (CIERR 7300)
CAUSE: You are attempting to access (delete or replace) an ACD entry which does not exist in the specified ACD.
ACTION: You can list the content of an ACD using the :LISTF ,-2 command (for file ACDs) or the :SHOWDEV command with the ;ACD option (for device ACDs).

MESSAGE: THERE IS NO ACD ASSOCIATED WITH THE SOURCE FILE.
MESSAGE: THE ACD ASSOCIATED WITH THE TARGET FILE IS CORRUPTED. (CIERR 7304)
CAUSE: You are attempting to copy a file ACD which is corrupted.
ACTION: You cannot copy this ACD because it is corrupted. It is possible to delete the ACD using the ;DELACD option on the :ALTSEC command. This will leave your file without an ACD to protect it, so only the standard file system security (and any lockword) applies until you create a new ACD.
MESSAGE: THERE IS ALREADY AN ACD ASSOCIATED WITH THE TARGET LDEV. (CIERR 7308)
CAUSE: You are attempting to create a new ACD for (via the ;NEWACD option), or copy an existing ACD to (via the ;COPYACD option), a device which already has an ACD associated with it.
ACTION: You must either delete the existing ACD prior to executing the :ALTSEC command with the ;NEWACD or ;COPYACD option, or use the ;ADDPAIR and ;REPPAIR options to change the existing ACD.
MESSAGE: INVALID ACD INDIRECT FILE CODE. FILE CODE MUST BE 0. (CIERR 7312)
CAUSE: You have specified an ACD indirect file with a non-zero file code. This should not be a problem very often, because most editors create text files with a file code of zero.
ACTION: You can determine whether the file code of a file is zero by using the :LISTF command. You can use :FCOPY to copy the file to another file which has a file code of zero.

MESSAGE: INVALID ACD INDIRECT FILE RECORD SIZE. MUST BE <= 88 BYTES.
MESSAGE: MAXIMUM NUMBER OF ACD ENTRIES (40) WOULD BE EXCEEDED. (CIERR 7316)
CAUSE: You are attempting to add some number of entries to the ACD. If these entries were added, the total number of entries in the ACD would exceed the maximum allowed (40).
ACTION: You cannot have more than 40 entries in a given ACD. You may be able to combine some of the entries by using wildcards.
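The syntax rules behind the messages above (duplicate and contradictory modes, the parentheses and colon, the fully qualified user specification forms, the 40-entry limit) and the user and account name rules from the first part of this appendix can be checked before the :ALTSEC command is ever issued. The following validator is an added example written for this guide; it is not HP code and not part of MPE/iX. It parses the text after NEWACD= and returns the CIERR number the CI would report. The full access-mode set R, W, A, L, X, RACD and NONE is assumed from the MPE/iX command documentation (the page itself shows only R, W, X and NONE), and the sample specifications in the block are constructed, two of them taken from the examples above.

```python
"""Validator for the NEWACD=(...) specification of the MPE/iX :ALTSEC command.

Added example, not HP code.  Reports the same classes of error the CI does:
CIERR 7251 (duplicate access mode), 7253 (contradictory modes), 7256 (missing
close parenthesis), 7257 (missing colon), 7261/7265 (user specification) and
7316 (more than 40 entries), plus the MPE name rules for user and account
names (alphabetic first character, alphanumeric, at most 8 characters).
ACCESS_MODES is assumed from the MPE/iX command documentation.
"""
import re

ACCESS_MODES = {"R", "W", "A", "L", "X", "RACD", "NONE"}
MAX_ENTRIES = 40
NAME_RE = re.compile(r"^[A-Z][A-Z0-9]{0,7}$")   # MPE user/account name rule


class AcdError(ValueError):
    """Validation failure; `code` is the CIERR number, or None for a name-rule violation."""

    def __init__(self, code, message):
        super().__init__(message if code is None else f"{message} (CIERR {code})")
        self.code = code


def check_name(name, what):
    """Apply the MPE naming rule to a user or account name; "@" is the wildcard."""
    if name != "@" and not NAME_RE.match(name):
        raise AcdError(None, f"invalid {what} name {name!r}: must start with a letter, "
                             "contain only letters and digits, and be at most 8 characters")


def parse_user(spec):
    """Accept only username.acctname, @.acctname or @.@ (CIERR 7265 / 7261)."""
    spec = spec.strip().upper()
    if "." not in spec:
        raise AcdError(7265, "user specification must be fully qualified")
    user, acct = spec.split(".", 1)
    if acct == "@" and user != "@":
        raise AcdError(7261, 'user name must be "@" if account name is "@"')
    check_name(user, "user")
    check_name(acct, "account")
    return user, acct


def parse_entry(text):
    """One 'modes: user' entry -> (frozenset of modes, (user, acct))."""
    if ":" not in text:
        raise AcdError(7257, 'missing colon ":"')
    mode_text, user_text = text.split(":", 1)
    modes = []
    for mode in (m.strip().upper() for m in mode_text.split(",")):
        if mode not in ACCESS_MODES:
            raise AcdError(None, f"unknown access mode {mode!r}")
        if mode in modes:
            raise AcdError(7251, f"duplicate access mode {mode}")
        modes.append(mode)
    if "NONE" in modes and len(modes) > 1:      # NONE with anything else is contradictory
        raise AcdError(7253, "NONE cannot be combined with other access modes")
    return frozenset(modes), parse_user(user_text)


def parse_acd(spec):
    """Parse the text after NEWACD= and return the list of (modes, user) entries."""
    spec = spec.strip()
    if not spec.startswith("("):
        raise AcdError(None, 'ACD specification must start with "("')
    if not spec.endswith(")"):
        raise AcdError(7256, 'missing close parenthesis ")"')
    entries = [e for e in spec[1:-1].split(";") if e.strip()]
    if len(entries) > MAX_ENTRIES:
        raise AcdError(7316, f"maximum number of ACD entries ({MAX_ENTRIES}) would be exceeded")
    return [parse_entry(e) for e in entries]


def check(spec):
    """None if `spec` is valid, else the CIERR code, or "NAME" for a name-rule violation."""
    try:
        parse_acd(spec)
    except AcdError as err:
        return "NAME" if err.code is None else err.code
    return None


if __name__ == "__main__":
    # Constructed samples; the first three are the forms shown in this appendix.
    for sample in ["( R,W: JOE.SMITH; R,X: BILL.JONES )",
                   "( R,W,R: FRED.SMITH )",      # duplicate R        -> 7251
                   "( R,W,NONE: @.@ )",          # NONE with R,W      -> 7253
                   "( R,W: @.@",                 # no ")"             -> 7256
                   "( R,W @.@ )",                # no ":"             -> 7257
                   "( R: FRED.@ )",              # user must be @     -> 7261
                   "( R: FRED )",                # not qualified      -> 7265
                   "( R: 9FRED.SMITH )"]:        # bad user name      -> NAME
        print(f"{sample:40} -> {check(sample)}")
```

The check for the 40-entry limit runs before the entries are parsed, matching the CI, which rejects the whole specification rather than the 41st entry. Cross-entry contradictions (the second example under CIERR 7253, which is cut off on this page) are deliberately not modelled.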
MESSAGE: INCOMPATIBLE TARGET AND SOURCE FOR COPYING ACD. (CIERR 7319)
CAUSE: The target and source file/device specified on the :ALTSEC command must be of the same type. Either they must both be devices, or they must both be files.
ACTION: If you want to grant the same explicit access rights to a file and a device, create an indirect file containing the ACD specification and use this indirect file on the :ALTSEC command with the ;NEWACD option for each of them.
MESSAGE: OPERATION FAILED ON ALL DEVICES SPECIFIED. (CIERR 7322)
CAUSE: The operation which you requested (;NEWACD, ;DELACD, ;REPPAIR, ;DELPAIR, ;ADDPAIR, or ;COPYACD) did not succeed for any of the devices in the device specification. If a device class was specified, the operation failed for all of the devices in the device class. If "@" was specified, indicating all devices on the system, then the operation failed on all devices on the system.
MESSAGE: USER NOT ALLOWED TO COPY THE SOURCE ACD. (CIERR 7324)
CAUSE: The user attempting to copy the ACD does not have sufficient capabilities, is not the creator of the file, and has not been granted explicit "read ACD" (RACD) permission. The capability requirements for copying an ACD are as follows: a user with SM capability can copy any ACD; a user with AM capability can copy any ACD associated with a file in the account for which he/she has AM capability; the creator of the file can copy the ACD.
MESSAGE: ACD INTERNAL ERROR. (CIERR 7400)
CAUSE: This message indicates that some kind of internal error occurred while processing your command. This message will be preceded by another message indicating the internal status and subsystem number. This information will be helpful in diagnosing the cause of the problem.
ACTION: Contact your HP Support Representative.

MESSAGE: ERROR ENCOUNTERED WITHIN ACD INDIRECT FILE.
MESSAGE: ACD INTERNAL STATUS ! - SUBSYSTEM NUMBER !. (CIERR 7403)
CAUSE: An unexpected internal error has occurred. The "!" markers are replaced by the actual status and subsystem values when the message is displayed.
ACTION: Try re-issuing the command. If you still get this error, report the internal status and subsystem number to your HP Representative.
Index

A
access control definition, see ACDs, 3-1 accessing files, directories, 3-14 access modes, 3-3 APPEND, 4-10 EXECUTE, 4-10 files, 4-10 LOCK, 4-10 READ, 4-10 SAVE, 4-10 user types, 4-11 WRITE, 4-10 account manager, 3-8 accounts, 1-10 access modes, 4-12 capabilities, 4-1 characteristics, 1-8 components, 1-5 defined, 1-6 displaying capabilities, 4-2 file security, 4-12 listing capabilities, 4-2 passwords, 2-2 relationships, 1-6 structure defined, 1-5 users, 4-12 user types, 4-12 ACD owner defined, 3-7 ACD pair ad
device security, 3-1 displaying, 3-12 evaluation, 3-1 examples, 3-11 listing, 3-12, 3-13 modifying, 3-16 NONE access, 3-5 owners, 3-7 replacing, 3-16 replacing an ACD pair, 3-16 user specification, 3-5 adding an ACD pair, 3-16 ALTSEC command, 3-5, 3-15, 3-18 adding an ACD pair, 3-16 copying an ACD, 3-18 creating ACDs, 3-15 deleting an ACD, 3-17 deleting an ACD pair, 3-17 replacing an ACD pair, 3-16 APPEND access mode, 4-10 appropriate privilege, 3-8 assigning ACDs, 3-15

C
capabilities, 4-1 account
D, E, F
deleting ACDs, 3-17 objects, 3-7 deleting ACD pairs, 3-17 deleting an ACD, 3-17 directory, 1-10 access to, 3-4 changing access to, 3-14 permissions, 3-9 read, 3-4 traverse, 3-4 displaying ACDs, 3-12 displaying capabilities, 4-2 displaying group capabilities, 4-2 displaying lockwords, 4-15 displaying user capabilities, 4-4 evaluating ACDs, 3-1 EXECUTE access mode, 4-10 execute (x) access, 3-8 file changing access to, 3-14 name conventions, 1-13 names, 1-12 renaming, 3-7 security, 3-10 file access restri
summary, 4-17 file system, 1-10 fully qualified group name, 1-9 fully qualified user name, 1-9

G, H, L
GID, 3-8, 3-9 $GROUP, 3-6 group HFS, 3-9 MPE/iX, 3-9 group capabilities displaying, 4-2 listing, 4-2 group ID (GID), 3-8, 3-9 group-level default file security, 4-13 group-level security, 4-13 $GROUP MASK, 3-6 group names defined, 1-9 fully qualified, 1-9 groups access modes, 4-13 capabilities, 4-1 default file security, 4-13 displaying capabilities, 4-2 group names, 1-9 listing capabilities, 4-2 passwords
M, O, P, R, S
modifying ACDs, 3-16 MPE/iX file system, 1-10 MPE syntax, 1-12 objects, 3-1 creating, 3-6 deleting, 3-7 $OWNER, 3-6, 3-7 owner, 3-7, 3-9 ACDs, 3-7 PASSWORD command, 2-3 passwords account-level, 2-2 changing, 2-3 defined, 2-2 frequency of change, 2-2 group-level, 2-2 recommended length, 2-2 user-level, 2-2 permissions directory, 3-9 privilege, appropriate, 3-8 RD access, 3-4 READ access mode, 4-10 read directory entries, 3-4 RELEASE command, 4-16 releasing file security, 4-16 renaming files, 3-7 repl
releasing file security, 4-16 standard file system, 4-1, 4-17 SHOWDEV command listing device ACDs, 3-12 special characters, 1-13 specifying file access restrictions, 4-12 standard file system security, 4-1 structure of accounts, 1-5 syntax HFS, 1-12 system directory, 1-5 defined, 1-8 system manager, 3-8

T, U, W
TD access, 3-4 traverse directory entries, 3-4 types of users, 4-11 UID, 3-9 user access passwords, 2-2 restricting, 2-2 user capabilities displaying, 4-4 listing, 4-4 user categories, 3-9 user iden