Open System Services Management and Operations Guide (G06.30+, H06.08+, J06.03+)

PRIVSOARFOPEN File Privilege
The PRIVSOARFOPEN file privilege allows a process to directly access any file in a restricted-access
fileset on the local system, but only if that executable file has been started by a locally-authenticated
member of the Safeguard SECURITY-OSS-ADMINISTRATOR (SOA) group. If an executable file has
the PRIVSOARFOPEN file privilege and is started by a member of the Safeguard SOA group, then
any user library or ordinary DLL used by that process must also have the PRIVSOARFOPEN privilege.
Otherwise, an error is reported when the process attempts to load that library or DLL.
If an executable with the PRIVSOARFOPEN file privilege is started by a user who is not a member of the SOA
group, then that process is created without the PRIVSOARFOPEN privilege.
The PRIVSOARFOPEN file privilege can be inherited by child processes created using fork()
because the parent and child process share the same executable. Any child processes created by
other process creation functions or procedure calls (such as exec() or PROCESS_CREATE_)
acquire their file privileges from that target executable file.
The most common use for this file privilege is to allow a SECURITY-OSS-ADMINISTRATOR to use
the Backup and Restore 2 product to back up files that are in restricted-access filesets (see “Backup
and Restore 2 Product and Restricted-Access Filesets” (page 192)). It is not required that the executable
file be in the restricted-access fileset.
File privileges are removed from a file if the file is changed (such as by being opened for writing).
PRIVSETID File Privilege
The PRIVSETID file privilege allows the locally-authenticated super ID to start a process from an
executable file and use a privileged switch operation, such as setgid() or setuid(), to switch
to another user ID or group ID (without a password) and, based on the permissions for that ID,
access files in restricted-access filesets. It is not required that the executable file be in the
restricted-access fileset.
If the executable file has the PRIVSETID file privilege and is started by the super ID, then any user
library or ordinary DLL loaded by the process must also have the PRIVSETID file privilege. Otherwise,
an error is reported when the process attempts to load that library or DLL.
The PRIVSETID file privilege can be inherited by child processes created using fork() because
the parent and child process share the same executable. Any child processes created by other
process creation functions or procedure calls (such as exec() or PROCESS_CREATE_) acquire
their file privileges from that target executable file.
If an executable without the PRIVSETID file privilege performs a privileged switch ID operation, the
process is unconditionally denied access to files in the restricted-access fileset.
File privileges are removed from a file if the file is changed (such as by being opened for writing).
Authenticated Logons, Authorized Privileged Switch ID Operations, and Restricted-Access Filesets
The user ID and group ID of a process must have been locally-authenticated with a password (at
logon) in order for a process to access files in a restricted-access fileset.
A process performs a privileged switch ID operation when it uses a function such as
setgid() or setuid() to switch to another user ID or group ID (without a password).
If a process performs a privileged switch ID operation and the process does not have the PRIVSETID
file privilege, then that privileged switch ID operation is considered unauthorized and that process
is denied access to files in restricted-access filesets. Additionally, any child process subsequently
created by that process is denied access to files in restricted-access filesets.
Thus, for a process to access a file in a restricted-access fileset, the logon user ID and group ID of
the process must have been locally-authenticated, and any privileged switch ID operation performed
by the process (and its process ancestors) must have been authorized by the PRIVSETID file privilege
on the executable file or files. A process is not permitted to acquire SOA or SPA privileges as the
result of a privileged switch ID operation. The SOA or SPA user ID must have been
locally-authenticated with a password (at logon).
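The rules above (PRIVSOARFOPEN granted only to an SOA-started process, libraries that must carry the same privilege, fork() inheritance versus exec()/PROCESS_CREATE_ taking privileges from the target file, and the unauthorized switch ID that denies the process and its descendants) can be checked against a small decision model. The following is an added illustration, not code from the guide or from the OSS implementation; the Process and Executable types, the "tainted" flag, the treatment of PRIVSETID as held only when the super ID starts the file, and the carrying of an unauthorized switch across exec() are modelling assumptions.

```python
from dataclasses import dataclass, replace

SOARFOPEN, SETID = "PRIVSOARFOPEN", "PRIVSETID"

@dataclass(frozen=True)
class Executable:            # hypothetical model type, not an OSS API
    name: str
    privs: frozenset = frozenset()   # file privileges set on the executable file
    dlls: tuple = ()                 # privilege sets of the user library / DLLs it loads

@dataclass(frozen=True)
class Process:               # hypothetical model type, not an OSS API
    exe: Executable
    authenticated: bool   # logon ID locally authenticated with a password
    soa_member: bool      # logon user is in the Safeguard SOA group (fixed at logon,
                          # never acquired through a switch ID operation)
    super_id: bool        # logon user is the super ID
    privs: frozenset      # file privileges the running process actually holds
    tainted: bool = False # performed (or inherited) an unauthorized switch ID operation

def start(exe, authenticated, soa_member, super_id, tainted=False):
    """Create a process from an executable file (logon, exec() or PROCESS_CREATE_)."""
    held = set()
    if SOARFOPEN in exe.privs and soa_member:   # non-SOA starter gets no PRIVSOARFOPEN
        held.add(SOARFOPEN)
    if SETID in exe.privs and super_id:         # assumption: held only when super ID starts it
        held.add(SETID)
    for dll in exe.dlls:   # each library must also carry every privilege the process holds
        missing = held - dll
        if missing:
            raise PermissionError(f"{exe.name}: library load fails, DLL lacks {sorted(missing)}")
    return Process(exe, authenticated, soa_member, super_id, frozenset(held), tainted)

def fork(p):
    return replace(p)                 # same executable file, so privileges are inherited

def exec_(p, exe):
    # privileges come from the target file; assumption: an unauthorized switch stays on record
    return start(exe, p.authenticated, p.soa_member, p.super_id, p.tainted)

def switch_id(p):
    """setuid()/setgid() without a password; authorized only when the process holds PRIVSETID."""
    return p if SETID in p.privs else replace(p, tainted=True)

def can_access_restricted(p, id_permits):
    """id_permits: whether ordinary file permissions for the current ID would allow the access."""
    if not p.authenticated or p.tainted:
        return False
    return SOARFOPEN in p.privs or id_permits
```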
230 Managing Security