Guardian Procedure Calls Reference Manual
◦ Login name
◦ Current working directory (cwd)
◦ Maximum file size
◦ No other OSS process attribute is inherited by the new process.
• OSS file opens in the calling process are not propagated to the new process.
File Privileges Considerations
On systems running J06.11 or later J-series RVUs or H06.22 or later H-series RVUs, files have an
additional file privilege attribute that specifies special privileges, if any, a file has when accessing
files in a restricted-access fileset. For example, the executable files for the Backup and Restore 2
product can be given the PRIVSOARFOPEN file privilege to a locally-authenticated member of the
Safeguard SOA group to back up and restore files that are in a restricted-access fileset.
File privileges:
• Only have impact when set on executables, user libraries, or ordinary DLLs. A process created
from an executable file inherits the privileges of that executable file.
• Are ignored when accessing files that are not in a restricted-access fileset.
• Can be set by members of the Safeguard SPA group, using either the SETFILEPRIV command
or the setfilepriv() function.
Use the GETFILEPRIV command to get information about the file privileges for a file. For information
about the GETFILEPRIV command, see the getfilepriv(1) reference page either online or in
the Open System Service Shell and Utilities Reference Manual.
For information about the SETFILEPRIV command, see the setfilepriv(1) reference page either
online or in the Open System Service Shell and Utilities Reference Manual. For more information
about the setfilepriv() function, see the setfilepriv(2) reference page either online or
in the Open System Service System Calls Reference Manual.
PRIVSOARFOPEN File Privilege
The PRIVSOARFOPEN file privilege allows a process to directly access any file in a restricted-access
fileset on the local system, but only if that executable file has been started by a locally-authenticated
member of the Safeguard SOA group. If the executable has a file privilege, any user library or
ordinary DLL used by that process must also have that file privilege.
If an executable with the PRIVSOARFOPEN is started by a user who is not a member of the SOA
group, that process is created without the PRIVSOARFOPEN privilege.
The PRIVSOARFOPEN file privilege can be inherited by child processes created using fork()
because the parent and child process share the same executable. Any child processes created by
other process creation functions or procedure calls (such as exec() or PROCESS_CREATE_)
acquire their file privileges from that target executable file.
The most common use for this file privilege is to allow a SECURITY-OSS-ADMINISTRATOR to use
the Backup and Restore 2 product to back up files that are in restricted-access filesets. It is not
required that the executable file be in the restricted-access fileset.
File privileges are removed from a file if the file is changed (such as by being opened for writing).
PRIVSETID File Privilege
The PRIVSETID file privilege allows the locally-authenticated super ID to start a process from an
executable and use a privileged switch operation, such as setgid() or setuid(), to switch to
another user ID or group ID (without a password) and, based on the permissions for that ID, access
PROCESS_LAUNCH_ Procedure 1077