Open System Services Management and Operations Guide (G06.25+, H06.03+)
Managing Security
Open System Services Management and Operations Guide—527191-002
A NonStop operating system user belongs to a primary group and can belong to more
than one file-sharing group. File-sharing groups other than the primary group are called
supplementary groups in POSIX terminology, although that term does not appear in
Safeguard manuals. All groups configured for the user make up the user’s group list.
By default, the primary group for a new user is the administrative group of the user.
The primary group should not be an administrative group and can be changed to any
other group in the user’s group list.
You should also configure an OSS user’s initial working directory when you configure
the user. You configure the user’s initial working directory with the SAFECOM ADD
USER, ALTER USER, ADD ALIAS, and ALTER ALIAS commands.
You cannot:
• Move user or group membership definitions directly from a UNIX system into the
  OSS environment. If you want to duplicate your UNIX system user and group
  definitions, you must recreate them through the Safeguard subsystem.
• Copy an /etc/group file to define user groups for the OSS environment. OSS
  security processing does not use an /etc/group file.
• Copy an /etc/passwd file to define users for the OSS environment. OSS security
  processing does not use an /etc/passwd file.
• Copy an /etc/ftpusers file to bar specific users from FTP access to the OSS
  and Guardian file systems.
• Use UNIX Network Information Service (NIS) “yellow pages” to define users for the
  OSS environment. OSS security processing does not currently support NIS.
How Users Gain Access to the OSS Environment
A user gains access to the OSS environment through a server process. The most
commonly used server subsystems are Telserv and the file transfer protocol (FTP)
server. Other servers, such as the iTP WebServer httpd process, are beyond the
scope of this guide.
Both Telserv and the FTP server authenticate the user’s login information against the
user definitions configured through the Safeguard subsystem.
Note. The EDIT file $SYSTEM.ZTCPIP.FTPUSERS can be used to disallow access to FTP by
valid users of other subsystems. When a user name appears in the FTPUSERS file, FTP
rejects access without authenticating the user definition. This control mechanism is similar to
that provided on a UNIX system by the /etc/ftpusers file.
When you configure a user, make sure that the FTPUSERS file does not conflict with your
intent. For example, access by the FTP user anonymous is disallowed if the Guardian user
NULL.FTP or the OSS user aliases anonymous or ftp are listed in the FTPUSERS file.
See the TCP/IP Applications and Utilities User Guide for more information about the use of
FTPUSERS.
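The conflict check described in the note can be scripted. The following is an added example, not code from this guide: given a text copy of the FTPUSERS contents and the names you intend to allow over FTP, it lists the intended names that FTP would reject. It assumes one user name per line and exact-match comparison, which the guide does not specify; the function names and sample data are hypothetical.

```shell
#!/bin/sh
# Added example: audit a text copy of FTPUSERS against the accounts that are
# meant to have FTP access. Assumption (not stated in the guide): the file
# holds one user name per line and names are compared exactly.

# Names that, per the note above, each disable the FTP user "anonymous".
ANON_NAMES="NULL.FTP anonymous ftp"

# is_listed NAME FILE -> exit status 0 if NAME is an entry in FILE
is_listed() {
    # Trim surrounding white space (including CR), then match whole lines only.
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$2" | grep -Fx -- "$1" >/dev/null
}

# ftp_conflicts FILE NAME... -> prints each intended FTP user that is denied
ftp_conflicts() {
    file=$1; shift
    for name in "$@"; do
        if [ "$name" = "anonymous" ]; then
            # Anonymous FTP is blocked by any one of the three entries.
            for entry in $ANON_NAMES; do
                if is_listed "$entry" "$file"; then
                    echo "anonymous (blocked by entry $entry)"
                    break
                fi
            done
        elif is_listed "$name" "$file"; then
            echo "$name"
        fi
    done
}

# Constructed sample data, not taken from a real system.
sample=$(mktemp)
printf '%s\n' 'SUPER.SUPER' 'NULL.FTP' 'OPS.BACKUP  ' > "$sample"
ftp_conflicts "$sample" anonymous OPS.BACKUP DEV.ALICE
rm -f "$sample"
```

An empty result means none of the intended FTP users is listed; any line printed is an account that FTP rejects before authentication takes place.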