Manualshelf

Security Management Guide (G06.24+, H06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series
31323334353637383940
Guardian System Security
Security Management Guide522283-008
2-5
Guardian Process Security
For example, a security string of AOAO specifies that any local user (A) can read and
execute the file, but only the owner on the local system (O) can write to or purge the
file. For more information about setting and changing the security string, see Guardian
Security on page 5-9.
Users can issue the WHO command to display their current default file-security string.
This default security string applies to all files a user creates. Users can change their
default file-security string with the DEFAULT program. Under normal circumstances,
the new default file-security string does not take effect until the next time the user logs
on. For the change to take effect immediately, the user must enter a VOLUME
command with no parameters.
Both the FILEINFO command and the FUP INFO command display security strings for
individual files or all files in a subvolume. Users can change the security of files they
own using the FUP SECURE command.
Additionally, the FILEINFO and FUP INFO commands display the owner of a file. To
transfer ownership, the owner can issue the FUP GIVE command to specify a new
owner.
Guardian Process Security
The Guardian environment provides security features that protect and restrict access
to and by running processes. These features include several process attributes that
identify a process and control process access. The following subsection describes the
process attributes used to control access to Guardian processes and access by
processes to Guardian files. For a description of the process attributes applicable to
OSS files and processes, see OSS Process Security on page 4-7.
You can also control the privileges of running processes through the Program file
owner ID adoption (PROGID) and LICENSE attributes of program files.
Process and Creator Access IDs
For processes, two of the identifiers associated with each process are used to control
Guardian process access and Guardian file access: the creator access ID (CAID) and
the process access ID (PAID). The CAID identifies the user who initiated the creation
of the process. The PAID, which is often the same as the CAID, identifies the process
and is used to determine if the process has the authority to make requests to the
system (to open a Guardian file, stop another Guardian process, and so on).
A Any user on the local system can perform the designated operation.
N Any user on the local system or on the network can perform the designated
operation.
- Only the local super ID can perform the designated operation.
Table 2-2. Guardian Disk-File Security Settings (page 2 of 2)
Code Access