Security Management Guide (G06.29+, H06.08+, J06.03+)

Guardian System Security
Security Management Guide 522283-021
Additionally, the FILEINFO and FUP INFO commands display the owner of a file. To
transfer ownership, the owner can issue the FUP GIVE command to specify a new
owner.
Guardian Process Security
The Guardian environment provides security features that protect and restrict access
to and by running processes. These features include several process attributes that
identify a process and control process access. The following subsection describes the
process attributes used to control access to Guardian processes and access by
processes to Guardian files. For a description of the process attributes applicable to
OSS files and processes, see OSS Process Security on page 4-9.
You can also control the privileges of running processes through the Program file
owner ID adoption (PROGID) and LICENSE attributes of program files.
Process and Creator Access IDs
For processes, two of the identifiers associated with each process are used to control
Guardian process access and Guardian file access: the creator access ID (CAID) and
the process access ID (PAID). The CAID identifies the user who initiated the creation
of the process. The PAID, which is often the same as the CAID, identifies the process
and is used to determine if the process has the authority to make requests to the
system (to open a Guardian file, stop another Guardian process, and so on).
A Guardian process can determine its CAID and PAID by using the
PROCESS_GETINFO_ procedure. For more information, see the Guardian
Programmer’s Guide. The PAID (along with the effective group ID and group list) is
used to determine if Guardian file access is allowed. The PAID is also used to
determine whether certain security-restricted operations, such as STOP and DEBUG,
can be performed if the requester is neither the creator of the process nor the super ID.
Security-restricted operations on a process can be performed by:
• The super ID
• A process with a PAID equal to the group manager’s user ID for the target process
• A process with a PAID equal to the CAID of the target process
• A process with a PAID equal to the PAID of the target process
When a process is created, the creator’s PAID is passed to the descendent process.
This ID becomes the CAID of the new process. The PAID of the new process can
come from either of two sources: the PAID of its creator (the usual case) or the owner
ID of the program file (if file adoption was specified with the PROGID attribute).
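
The following model is an added example, not code from this guide or from the Guardian system. It applies the four rules for security-restricted operations and the CAID/PAID inheritance rules to constructed user IDs. It assumes user IDs are (group, user) pairs, that the super ID is (255, 255), that a group manager is user 255 of a group, and that "for the target process" refers to the group of the target's CAID or PAID; the function names are hypothetical.

```python
# Added illustration: a model of the CAID/PAID rules described above.
# Assumptions (not from the page): IDs are (group, user) pairs, the super ID
# is (255, 255), and a group manager is user 255 of its group.
from dataclasses import dataclass
from typing import Optional, Tuple

UserId = Tuple[int, int]
SUPER_ID: UserId = (255, 255)

@dataclass(frozen=True)
class Process:
    caid: UserId  # user who initiated creation of the process
    paid: UserId  # identity used for access decisions

def create_process(creator: Process, progid_owner: Optional[UserId] = None) -> Process:
    """New CAID = creator's PAID. New PAID = creator's PAID, or the program
    file owner's ID when the file has the PROGID attribute."""
    paid = creator.paid if progid_owner is None else progid_owner
    return Process(caid=creator.paid, paid=paid)

def is_group_manager_for(requester: UserId, target: Process) -> bool:
    # Assumption: the relevant group is that of the target's CAID or PAID.
    return requester[1] == 255 and requester[0] in (target.caid[0], target.paid[0])

def may_perform_restricted_op(requester: Process, target: Process) -> bool:
    """STOP, DEBUG and similar: the four cases listed in the text."""
    r = requester.paid
    return (r == SUPER_ID
            or is_group_manager_for(r, target)
            or r == target.caid
            or r == target.paid)

# Constructed sample IDs and processes.
ALICE, BOB, APP_OWNER = (10, 1), (10, 2), (20, 5)
alice_shell = Process(caid=ALICE, paid=ALICE)
bob_shell = Process(caid=BOB, paid=BOB)
owner_job = Process(caid=APP_OWNER, paid=APP_OWNER)
plain = create_process(alice_shell)                            # usual case
adopted = create_process(alice_shell, progid_owner=APP_OWNER)  # PROGID file

if __name__ == "__main__":
    print("adopted:", adopted)
    print("alice may stop adopted:", may_perform_restricted_op(alice_shell, adopted))
    print("adopted may stop owner_job:", may_perform_restricted_op(adopted, owner_job))
    print("alice may stop owner_job:", may_perform_restricted_op(alice_shell, owner_job))
```

The output shows why PROGID program files deserve review: the adopted process keeps its creator's ID as CAID, so the creator can still stop it, while its PAID gives it the file owner's authority over the owner's other processes.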
The PAID is kept synchronized with another process attribute, the effective user ID.
The effective user ID is a scalar representation of the PAID. It is used to determine
access to OSS files as described in OSS Process Security on page 4-9.