Manualshelf

Security Management Guide (G06.24+, H06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series
31323334353637383940
Guardian System Security
Security Management Guide522283-008
2-6
Guardian Process Security
A Guardian process can determine its CAID and PAID by using the
PROCESS_GETINFO_ procedure. For more information, see the Guardian
Programmer’s Guide. The PAID (along with the effective group ID and group list) is
used to determine if Guardian file access is allowed. The PAID is also used to
determine whether certain security-restricted operations, such as STOP and DEBUG,
can be performed if the requester is neither the creator of the process nor the super ID.
Security-restricted operations on a process can be performed by:
The super ID
A process with a PAID equal to the group manager’s user ID for the target process
A process with a PAID equal to the CAID of the target process
A process with a PAID equal to the PAID of the target process
When a process is created, the creators PAID is passed to the descendent process.
This ID becomes the CAID of the new process. The PAID of the new process can
come from either of two sources: the PAID of its creator (the usual case) or the owner
ID of the program file (if file adoption was specified with the PROGID attribute).
The PAID is kept synchronized with another process attribute, the effective user ID.
The effective user ID is a scalar representation of the PAID. It is used to determine
access to OSS files as described in OSS Process Security on page 4-7.
The group list remains the same as that of the user running the program. In making the
access decisions, the PAID, effective group ID, and group lists are considered.
Table 2-3. Status of Guardian and OSS Process Attributes
Process Attributes PROGID Set PROGID Not Set
PAID Program file owner ID Creator’s ID
CAID Creators ID Creator’s ID
Effective user ID* Program file owner ID Creator’s ID
Saved-set-user-ID* Program file owner ID Creators ID
Real user ID* Creator’s ID Creator’s ID
Effective group ID* Group ID of program file owner Group ID of creator
Saved-set-group-ID* Group ID of program file owner Group ID of creator
Real group ID* Group ID of creator Group ID of creator
* For OSS attribute descriptions, see OSS Process Security on page 4-7.