SQL/MX 3.2.1 Management Manual (H06.26+, J06.15+)
File and Directory Commands
Only the file owner or the super ID can alter a file’s permission bits and thereby control access to
that file. For detailed descriptions of the commands to alter these bits, see the Open System Services
User’s Guide.
Like the FILEINFO and FUP INFO commands in the Guardian environment, the ls command in the
OSS environment allows users to display information, including the permission codes, for their files
and directories. Users can change the permissions by using the chmod command, which performs
a function similar to that of the FUP SECURE command in the Guardian environment. In addition,
the file’s group can be changed by using the chgrp command.
Unlike the FUP GIVE command in the Guardian environment, the OSS chown command cannot
be used by the file owner to transfer ownership of a file. Only the super ID can transfer file ownership
by using the chown command.
OSS automatically assigns default permissions to files and directories when they are created. The
umask command can be used to establish a user mask, which specifies the maximum permissions
that can be applied to a file or directory when it is created.
The super ID can include a umask command in the /etc/profile file to specify the user mask for all
users who log on to the shell. An individual user can also include a umask command in his or her
profile file to establish a personal user mask.
Safeguard Security
For additional security protection, use the Safeguard product to restrict access to physical Guardian
volumes and subvolumes containing the distributed SQL/MX product component files.
NOTE: SQL/MX module files and some database software components reside in the OSS file
space and are subject to OSS system security.
Safeguard and SQL/MX File Security
Safeguard security protection for Guardian files is not extended to SQL/MX files. Safeguard
bypasses SQL/MX files for security violations at the volume and subvolume level so that any volume
or subvolume protection provided by Safeguard does not apply to SQL/MX objects. As a result,
SQL/MX files can be created on a disk volume that is protected by Safeguard. SQL/MX INITIALIZE
SQL and CREATE SCHEMA operations can create SQL/MX metadata tables on any local disk
that is not managed by SMF.
NonStop SQL/MX recognizes the Guardian user ID, which can be added by SAFECOM, and
records it in the SQL/MX metadata and file labels. However, NonStop SQL/MX does not recognize
or consider the Guardian user group.
NonStop SQL/MX uses its own security mechanism to authorize access to SQL/MX objects, and
Safeguard contains code that specifically supports the SQL/MX security mechanism. Security for
a given SQL/MX object is set at object creation time and is independent of Safeguard security
settings. Subsequent changes to privileges for an SQL/MX object are performed by GRANT and
REVOKE statements independent of Safeguard regulations. Privileges for accessing SQL/MX objects
are stored in SQL/MX metadata tables and the underlying file labels. These privileges are not
visible to unauthorized users. For more information, see the “Access Privileges for SQL/MX Database
Objects” (page 79).
OSS Interoperability With Safeguard Security
Safeguard security features affect your use of the OSS environment in these ways:
• All system users are added and managed by using SAFECOM USER commands.
• All user aliases are added and managed by using SAFECOM ALIAS commands.
• All file-sharing groups are added and managed by using SAFECOM GROUP commands.
44 Planning Database Security and Recovery