Open System Services Programmer's Guide
OSS ACLs:
• Are supported in Version 3 and later catalog versions of OSS filesets.
• Are supported for directories, regular files, first-in, first-out (FIFO) files, and bound AF_UNIX
sockets.
• Support up to 150 ACL entries.
• Support separate permissions for up to 146 additional users and groups.
• Support default ACL inheritance (see “ACL Inheritance” (page 263)).
• Are based on the POSIX 1003.1e draft standard and the HP-UX implementation of ACLs.
• Are not supported by the OSS Network File System (NFS) for J06.08 and earlier J-series RVUs,
H06.19 and earlier H-series RVUs, or G-series RVUs. Any attempt by NFS clients to access
OSS objects protected by OSS ACLs that contain optional ACL entries is denied.
• Are supported by the OSS NFS for J06.09 and later J-series RVUs and H06.20 and later
H-series RVUs, depending upon the NFSPERMMAP attribute value for the fileset that contains
the object. For information about the NFSPERMMAP attribute, see “OSS Network File System
(NFS) and ACLs” (page 267).
• Beginning with the J06.15 and H06.26 RVUs, a partner or customer OSS Security Event-Exit
Process (SEEP) is supported and can participate in access-control decisions for OSS objects.
The OSS SEEP returns a file-access ruling for file operations in OSS SEEP-protected filesets, if
the OSS SEEP is running. The OSS SEEP’s YES ruling does not override denials due to a POSIX
ACL. For details of OSS SEEP results, see “Final Result of the Operation” (page 277).
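The rule in the SEEP item above, combined with the ACL entry types and mode bits defined in this section, as an added example that is not code from the guide. The types, the evaluation order (taken from the POSIX 1003.1e draft and simplified to a subject with one user ID and one group ID), and the handling of a SEEP NO or of no ruling are assumptions.

```c
#include <stdio.h>
/* Hypothetical types for illustration; not the structures of the OSS acl() API. */
enum { P_R = 4, P_W = 2, P_X = 1 };   /* mode: read, write, execute/search bits */
enum etype { OWNER, OWNING_GROUP, GROUP_CLASS, ADD_USER, ADD_GROUP, OTHER };
enum ruling { SEEP_NONE, SEEP_YES, SEEP_NO };   /* SEEP_NONE: no ruling returned */
struct entry { enum etype type; int id; int mode; };
/* Constructed sample ACL: owner 100, owning group 20, group class r--. */
static const struct entry sample_acl[] = {
    { OWNER, 100, P_R | P_W | P_X }, { OWNING_GROUP, 20, P_R | P_X },
    { GROUP_CLASS, -1, P_R },        { ADD_USER, 205, P_R | P_W },
    { ADD_GROUP, 31, P_R | P_X },    { OTHER, -1, 0 },
};
enum { SAMPLE_N = sizeof sample_acl / sizeof sample_acl[0] };

/* 1 if the ACL alone grants every bit in `want` to a subject with one uid and
   one gid (assumed order: owner, additional user, groups, all others). */
int acl_allows(const struct entry *acl, int n, int uid, int gid, int want)
{
    int cls = P_R | P_W | P_X, other = 0, i;
    for (i = 0; i < n; i++) {
        if (acl[i].type == GROUP_CLASS) cls = acl[i].mode;
        if (acl[i].type == OTHER) other = acl[i].mode;
    }
    for (i = 0; i < n; i++)            /* owner entry is not limited by the class */
        if (acl[i].type == OWNER && acl[i].id == uid)
            return (acl[i].mode & want) == want;
    for (i = 0; i < n; i++)            /* additional user, capped by the class */
        if (acl[i].type == ADD_USER && acl[i].id == uid)
            return (acl[i].mode & cls & want) == want;
    for (i = 0; i < n; i++)            /* owning or additional group, capped too */
        if ((acl[i].type == OWNING_GROUP || acl[i].type == ADD_GROUP) && acl[i].id == gid)
            return (acl[i].mode & cls & want) == want;
    return (other & want) == want;     /* all others */
}

/* A SEEP YES cannot turn an ACL denial into a grant (stated in the guide).
   Assumed here: SEEP NO denies, and no ruling leaves the ACL result as is. */
int final_decision(int acl_ok, enum ruling seep)
{
    return acl_ok && seep != SEEP_NO;
}

int main(void)
{
    int ok = acl_allows(sample_acl, SAMPLE_N, 205, 99, P_W);   /* class r-- blocks w */
    printf("uid 205 write: acl=%d final(SEEP YES)=%d\n", ok, final_decision(ok, SEEP_YES));
    return 0;
}
```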
Definitions
Control of access to data is a key concern of computer security. These definitions, based on the
Department of Defense Trusted Computer System Evaluation Criteria, explain the concepts of access
control and its relevance to OSS security features:
access
A specific type of interaction between a subject and an object that results in the flow of
information from one to the other. Subjects include persons, processes, or devices that cause
information to flow among objects or change the system state. Objects include files (ordinary
files, directories, special files, FIFOs, and so on) and IPC features (shared memory, message
queues, semaphores, and sockets).
access control list (ACL)
An access control list is a set of (user.group, mode) entries associated with a file that specifies
permissions for all possible combinations of user IDs and group IDs.
ACL entry
An entry in an ACL that specifies access rights for a file owner, owning group, group class,
additional user, additional group, or all others.
change permissions
The right to alter DAC information (permission bits or ACL entries). Change permission is
granted to object (file) owners and to privileged users.
discretionary access control (DAC)
A means of restricting access to objects based on the identity of subjects, groups to which they
belong, or both. The controls are discretionary because a subject with a certain access
permission is able to pass that permission (perhaps indirectly) to any other subject.
mode
Three bits in each ACL entry that represent read, write, and execute or search permissions.
260 Managing OSS Security