Open System Services Management and Operations Guide (G06.30+, H06.08+, J06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series

211

212

213

214

215

216

217

218

219

220

9 Managing Security

This chapter provides information about:

• “Common and Unique Characteristics of OSS and UNIX Security” (page 216)

• “Differences Between OSS and UNIX User and User-Group Configuration” (page 222)

• “OSS Security Auditing” (page 223)

• “Protecting Your System” (page 225)

Common and Unique Characteristics of OSS and UNIX Security

Basic file security is the same for the OSS environment as on a UNIX system. Files are accessed

according to a file mode and access permissions, as described in the Open System Services User’s

Guide.

OSS Version 3 catalog filesets on J-series RVUs, on H06.08 and later H-series RVUs, and G06.29

and later G-series RVUs support access control lists (ACLs), in addition to basic file security, for

directories, regular files, FIFO special files, and bound AF_UNIX sockets. OSS ACLs allow a

process whose effective user ID matches the file owner, super ID, or a member of the Safeguard

SECURITY-OSS-ADMINISTRATOR security group to permit or deny access to a list of specific users

and groups.

OSS ACLs:

• Support separate permissions for up to 146 additional users and groups.

• Can contain up to 150 ACL entries.

• Are based on the POSIX 1003.1e draft standard and the HP-UX implementation of ACLs.

• Are not supported by the OSS Network File System (NFS) for J06.08 and earlier J-series RVUs,

H06.19 and earlier H-series RVUs, or G-series RVUs. Any attempt by NFS clients to access

OSS objects protected by OSS ACLs that contain optional ACL entries is denied.

• Are supported by the OSS NFS for J06.09 and later J-series RVUs and H06.20 and later

H-series RVUs as follows:

◦ Access by the OSS Network File System (NFS) to OSS objects protected by OSS ACLs

that contain optional ACL entries can be allowed, depending upon the NFSPERMMAP

attribute value for the fileset that contains the object.

◦ The NFSPERMMAP attribute value selects the algorithm used to map the OSS ACL

permissions for the object to the standard permissions (rwxrwxrwx) expected for the object

by NFS V2 clients.

◦ The default value for the NFSPERMMAP attribute, DISABLED, specifies that any attempt

by NFS clients to access OSS objects protected by OSS ACLs that contain optional ACL

entries is denied. This behavior matches the behavior for J06.08 and earlier J-series RVUs,

H06.19 and earlier H-series RVUs, and G-series RVUs.

For information about the NFSPERMMAP attribute, see “ADD FILESET Command” (page 256)

and “ALTER FILESET Command” (page 269). For more information about OSS NFS file system

security, see the Overview of NFS for Open System Services and the Open System Services

NFS Management and Operations Guide.

All OSS system calls that include pathnames are subject to the ACLs on any directory or file in the

path.

For a detailed description of OSS ACLs, including examples, see the acl(5) reference page

either online or in the Miscellaneous Topics section of the Open System Services System Calls

Reference Manual.

216 Managing Security