Manualshelf

Security Management Guide (G06.24+, H06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series
81828384858687888990
OSS System Security
Security Management Guide522283-008
4-7
OSS Process Security
OSS automatically assigns default permissions to files and directories when they are
created. The umask command can be used to establish a user mask, which specifies
the maximum permissions that can be applied to a file or directory when it is created.
The super ID can include a umask command in the /etc/profile file to specify the user
mask for all users who log on to the shell. An individual user can also include a umask
command in his or her .profile file to establish a personal user mask.
OSS Process Security
The OSS environment provides security features that protect and restrict access to and
by running processes. These features include several process attributes that identify a
process and control process access. The following subsection describes the process
attributes used to control access to OSS processes and access by processes to OSS
files. For a description of the process attributes applicable to Guardian files and
processes, see Guardian Process Security on page 2-5. The PAID and CAID are not
applicable to OSS process access control.
You can also control the privileges of OSS processes through the set-user-ID and set-
group-ID permission bits of an OSS program file.
Process Security Attributes
For OSS processes, several attributes associated with each process control process
access. These attributes are listed in Table 4-2. They are used to determine if the
process has the authority to make requests to the system (to open an OSS file, stop
another OSS process, and so on).
Table 4-2. Security-Related OSS Process Attributes
Attribute Description
Effective group ID The group ID under which the process is currently running. The
effective group ID is initialized to the same group ID as the real
group ID when the process is authenticated. The effective group ID
is changed if the process executes a program file that has its set-
group-ID bit set. A process can use the setgid() function to change
its own effective group ID.
Real group ID The primary group of the user ID that created the process.
Saved-set-group-ID A stored group ID that allows a process to switch its effective group
ID between the value of the saved-set-group-ID and the real group
ID. This switch is accomplished by executing a setgid() function. The
saved-set-group-ID is initialized to the same value as the real group
ID. The saved-set-group-ID is changed if the process executes a
program file that has its set-group-ID bit set.
Group list A list containing the file-sharing groups associated with the process.