Open System Services Management and Operations Guide (G06.30+, H06.08+, J06.03+)
used by the undocumented RPC interfaces underlying such products as the Network File System
(NFS) for Open System Services.
• To protect sensitive files from access by the super ID, place those files in a restricted-access
fileset. For more information about restricted-access filesets, see “Using Restricted-Access
Filesets and File Privileges” (page 228).
• Use the shred command to permanently erase data and optionally remove sensitive files.
For more information about permanently erasing data and removing files, see “Erasing and
Removing OSS Files” (page 195).
• Use the Safeguard security product to implement other security policies. For more information
about security and the Safeguard product, see the Security Management Guide.
Using Restricted-Access Filesets and File Privileges
On systems running J06.11 or later J-series RVUs or H06.22 or later H-series RVUs, OSS Version
3 catalog filesets can be configured as restricted-access filesets. Restricted-access filesets deny the
super ID (255,255 in the Guardian environment, 65535 in the OSS environment) its special access
privileges.
However, because some applications still require special privileges for accessing restricted-access
filesets, the J06.11 and H06.22 RVUs introduce the file privilege file attribute, which is used for
executable files, user libraries, and ordinary DLLs. System DLLs (provided as part of the system
files) and public DLLs (installed by the system administrator) do not require file privileges.
The combination of the Safeguard security groups and file privileges restricts the use of special
access privileges in restricted-access filesets to certain system management tasks (like backing up
and restoring files using the Backup and Restore 2 product) and to customer-designated programs.
Restricted-Access Filesets
Restricted-access filesets have the RESTRICTEDACCESS fileset attribute set to a value other than
DISABLED. By default, restricted-access filesets are audited. For information about creating
restricted-access filesets, see the “ADD FILESET Command” (page 256). For information about
changing the value of the RESTRICTEDACCESS attribute, see the “ALTER FILESET Command”
(page 269).
Applications that depend on the super ID for file access are subject to additional restrictions for
files that are in restricted-access filesets. When accessing a file in a restricted-access fileset, the
super ID is bound by the same file permissions and owner privileges as any other user ID; it has
no special privileges unless the executable file started by the super ID has the PRIVSETID file privilege
(see “PRIVSETID File Privilege” (page 230)).
In restricted-access filesets, the operations that the super ID can perform directly in unrestricted
OSS filesets are instead available to members of the Safeguard SECURITY-OSS-ADMINISTRATOR
(SOA) security group, in some cases only in combination with executable files that have file
privileges.
NOTE: Network File System (NFS) clients are not granted SOA group privileges, even if these
clients are accessing the system with a user ID that is a member of the SOA security group.
Members of the SOA security group have the same privileges to manage files in restricted-access
filesets as they have to manage files in unrestricted filesets. But, to use all the functions a super ID
would be allowed to use in an unrestricted fileset on a file that is in a restricted-access fileset, the
executable file (including any user libraries or ordinary DLLs) that uses the functions must both:
• Be started by a locally-authenticated member of the SECURITY-OSS-ADMINISTRATOR group
• Have the PRIVSOARFOPEN file privilege
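The following Python model is an added illustration of the access rules stated in this section; it is not HP code and does not call the OSS Monitor or Safeguard interfaces. It combines the four conditions the text names (the fileset's RESTRICTEDACCESS state, the super ID, SOA group membership with local authentication, the NFS-client exclusion, and the PRIVSETID and PRIVSOARFOPEN file privileges) into one decision function, so that each combination can be checked against the rule that governs it. The grant names, the user ID 1001 and the Caller fields are constructed for the model; the page does not define what PRIVSETID itself grants (see page 230), so that case is reported only as the exception being taken.

```python
"""Model of the super ID / SOA access rules for restricted-access filesets.

Constructed illustration of the rules stated in this section; it is not
HP/NonStop code and does not call the OSS Monitor or Safeguard APIs.
"""
from dataclasses import dataclass, field

# From the page: the super ID is 255,255 in Guardian and 65535 in OSS.
SUPER_ID_OSS = 65535

# Grant names are labels chosen for this model, not OSS identifiers.
SUPER_ID_SPECIAL = "super-id-special"        # super ID's normal special access
PRIVSETID_EXCEPTION = "privsetid-exception"  # super ID in a restricted fileset via PRIVSETID
SOA_MANAGE = "soa-manage"                    # SOA member's ordinary file-management privileges
SOA_SUPER_FUNCTIONS = "soa-super-functions"  # all super ID functions on a restricted file


@dataclass(frozen=True)
class Caller:
    """Constructed description of who is accessing the file and how."""
    uid: int
    in_soa_group: bool = False          # member of SECURITY-OSS-ADMINISTRATOR
    locally_authenticated: bool = False
    via_nfs: bool = False               # request arrives through an NFS client
    # File privileges carried by the executable (including any user libraries
    # or ordinary DLLs it uses); system and public DLLs need none.
    exe_privileges: frozenset = field(default_factory=frozenset)


def grants(fileset_restricted: bool, caller: Caller) -> frozenset:
    """Return the set of special grants the caller holds for a file in the fileset.

    An empty set means the caller is bound by ordinary permissions and ownership only.
    """
    result = set()

    # NFS clients are never granted SOA privileges, even with an SOA user ID.
    soa_effective = caller.in_soa_group and not caller.via_nfs
    if soa_effective:
        result.add(SOA_MANAGE)

    if not fileset_restricted:
        if caller.uid == SUPER_ID_OSS:
            result.add(SUPER_ID_SPECIAL)
        return frozenset(result)

    # Restricted-access fileset: the super ID is treated like any other user
    # unless the executable it started carries the PRIVSETID file privilege.
    if caller.uid == SUPER_ID_OSS and "PRIVSETID" in caller.exe_privileges:
        result.add(PRIVSETID_EXCEPTION)

    # To use every function a super ID would have in an unrestricted fileset,
    # the executable must be started by a locally authenticated SOA member AND
    # carry PRIVSOARFOPEN; either condition alone is not enough.
    if (soa_effective and caller.locally_authenticated
            and "PRIVSOARFOPEN" in caller.exe_privileges):
        result.add(SOA_SUPER_FUNCTIONS)

    return frozenset(result)


def explain(fileset_restricted: bool, caller: Caller) -> str:
    """Human-readable summary of grants() for audit or review notes."""
    g = grants(fileset_restricted, caller)
    return ", ".join(sorted(g)) if g else "ordinary permissions only"


if __name__ == "__main__":
    soa_admin = Caller(uid=1001, in_soa_group=True, locally_authenticated=True,
                       exe_privileges=frozenset({"PRIVSOARFOPEN"}))
    print(explain(True, Caller(uid=SUPER_ID_OSS)))   # ordinary permissions only
    print(explain(True, soa_admin))                  # soa-manage, soa-super-functions
```

The useful property of the model is the negative cases: the same SOA administrator loses the super-ID functions when the executable lacks PRIVSOARFOPEN or the login is not local, and loses every SOA grant when the request comes through NFS, which is exactly the behaviour an auditor reviewing restricted-access fileset usage should expect to see.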
228 Managing Security