Open System Services Programmer's Guide

ManualsBrandsHP ManualsServerHP NonStop G-Series

241

242

243

244

245

246

247

248

249

250

10 Managing OSS Security

This section provides a brief overview of the features available for program control of OSS process

and file security. The following topics are discussed:

ContentTopic

Summary of the differences between OSS and UNIX

security management

“Common and Unique Characteristics” (page 249)

Describes the C functions available for managing the

security of OSS objects

“Functions Available for Security Management” (page 250)

Describes the application program interfaces (APIs) that

can be audited when performing OSS file access and

process control activities

“Security Auditing of OSS files” (page 253)

Provides a simple example of managing file ownership in

the OSS environment

“Example of Managing file Ownership” (page 256)

Describes OSS access control lists and their use.“Using OSS Access Control Lists (ACLs)” (page 259)

Describes restricted-access filesets and how to access files

in these filesets.

“Restricted-Access Filesets and File Privileges” (page 270)

Common and Unique Characteristics

Basic file security is the same for the OSS environment as on a UNIX system. files are accessed

according to a file mode and access permissions, as described in the Open System Services User’s

Guide and in Chapter 2: Managing Files (page 53) of this guide.

Certain differences might require you to code the security management portions of a program or

shell script in a manner specific to the OSS environment. For example:

• OSS user and group administration occurs through tools based in the Guardian environment,

such as the Safeguard command interpreter (SAFECOM) program or third-party products.

OSS user and group administration does not use any of the following files or directories, which

can be the target of security intruders:

/etc/groups

/etc/passwd

/etc/security

/etc/shadow

Standard C functions do provide access to information needed from the security database.

However, the database files themselves are not available in the OSS file system.

• OSS administration of device access does not use files in the /dev directory that are available

on some UNIX systems, such as:

console

kmem

ttyda

Again, these files can be the target of security intruders.

• The OSS environment does not provide common UNIX default user names and user IDs unless

they are explicitly created by a site administrator. However, equivalent OSS user names and

user IDs do exist. For example, the privileges normally associated with the UNIX user name

root and the user ID of 0 exist for the OSS user ID of 65535 (the super ID), which is normally

the user SUPER.SUPER.

Common and Unique Characteristics 249