Open System Services Programmer's Guide
Mappings of OSS file-access permissions to Guardian security are based on user information and
are not predictable based only on file permission information. OSS file-access permissions do not
reflect:
• Safeguard access control lists (ACLs). To determine whether there is a Safeguard ACL on a
Guardian file, use the Guardian FILE_GETINFOLISTBYNAME_ procedure.
• OSS ACLs. To determine whether there is an OSS ACL on an OSS file, you can use these
functions:
◦ The OSS stat(), fstat(), and lstat() system calls return an ACL-PRESENT flag
that specifies if the file or directory has an optional OSS ACL entry.
◦ Guardian FILE_GETINFOLIST_ and FILE_GETINFOLISTBYNAME_ procedures return an
ACL-PRESENT flag that specifies if the file or directory has an optional OSS ACL entry.
• Information about the file privilege file attribute (H06.22 and later H-series RVUs and J06.11
and later J-series RVUs only). To list the file privileges for a file, use the getfilepriv
command. Also, the OSS stat(), fstat(), and lstat() system calls return a stat or
stat64 structure that includes the st_fileprivs member, which indicates the file privileges
for the file. The Guardian FILE_GETINFOLIST_ and FILE_GETINFOLISTBYNAME_ procedures
do not indicate if a file has file privileges.
Safeguard Protection and Disk Volumes
You cannot use Safeguard access control lists (ACLs) to protect individual OSS files. However, you
can protect the disk volume in which OSS files reside by restricting the ability of users to create
files in that volume.
If a Safeguard ACL restricts create access within a disk volume where OSS files reside, you cannot
create files in that volume unless you are one of the users listed in the Safeguard ACL. If you are
not listed in the Safeguard ACL, you can still open, read, and write to any existing file in that
volume.
The Safeguard product is a NonStop subsystem. For information about programmatic access to
this subsystem, see the Safeguard Management Programming Manual and the SPI Programming
Manual.
OSS ACLs
OSS ACLs are supported for directories, regular files, first-in, first-out (FIFO) files, and bound
AF_UNIX sockets in Version 3 catalog filesets on systems running J-series RVUs, H06.08 and later
H-series RVUs, and G06.29 and later G-series RVUs.
ACLs offer a greater degree of selectivity than permission bits. ACLs allow a process whose effective
user ID matches the file owner, the super ID, or a member of the Safeguard
SECURITY-OSS-ADMINISTRATOR security group to permit or deny access to a file for a list of specific
users and groups.
ACLs are supported as a superset of the UNIX operating system discretionary access control (DAC)
mechanism for files, but not for other objects such as interprocess communication (IPC) objects.
All OSS system calls that include pathnames are subject to the ACLs on any directory or file in the
path.
For details about OSS ACLs, see “Using OSS Access Control Lists (ACLs)” (page 259).
The OSS and Guardian File Systems 63