Guardian User's Guide

ManualsBrandsHP ManualsServerHP NonStop G-Series

331

332

333

334

335

336

337

338

339

340

Managing Users and Security

Guardian User’s Guide—425266-001

16-15

Process Security

This security string means that any local user can read the file, only local members of

the ADMIN group can write to the file, any network user can execute the file, and only

the owner (whether logged on locally or remotely) can purge it.

If a second user ADMIN.ANN is on a remote system in the network, she can only

execute the file. However, if she logs on locally, she also has read and write access for

BILLFILE.

Default Security of Remote Files

The default security of a file that you create on a remote system might not be the same

as your default security on your home system. For example, if your default security is

GGGU, and you create a file on a remote system, its default file security is CCCU.

To give you, the owner of the file, the ability to access the file on the remote system,

your local file access is converted to local and remote access for that remote file. This

means that the local files access codes A, G, and O are converted to N, C, and U,

respectively, for files you create remotely.

Process Security

The system can prevent one process from interfering with another process. Process

security features, however, do not interfere with applications running on systems where

security is not required.

This subsection describes the security features that protect and restrict access to running

processes, such as process and creator access IDs, and describes their use in the security

system. Also described are procedures for licensing programs and for adopting the user

ID of a program file owner as that program’s process access ID.

Process and Creator Access IDs

Two identifications are associated with each process: the creator access ID and the

process access ID. The creator access ID identifies the user who initiated the creation of

the process. The process access ID, which is often the same as the creator access ID,

identifies the process and is used to determine if the process has the authority to make

requests to the system (to open a file, stop another process, and so on).

Figure 16-1

shows a chain of process creations in which the process access ID of the

original process is passed to other generations of processes. In this figure, CI is a

command interpreter process, p1 and p2 are processes created by CI, and p3 is a process

created by p2.

A process can determine its creator access ID and process access ID using the

CREATORACCESSID and PROCESSACCESSID procedures, respectively (see the

Guardian Programmer’s Guide).

The process access ID is used to determine if file access is allowed. The process access

ID is also used to determine whether certain security-restricted operations can be

performed if the requester is neither the creator of the process nor the super ID.