Manualshelf

Security Management Guide (G06.29+, H06.08+, J06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series
31323334353637383940
Guardian System Security
Security Management Guide 522283-021
2 - 6
Guardian Process Security
The group list remains the same as that of the user running the program. In making the
access decisions, the PAID, effective group ID, and group lists are considered.
Adopting the Owner ID of a Program File (PROGID)
PROGID allows the owner of a program file (or the super ID) to specify that the PAID of
any Guardian process created by running that program file is the same as the owner ID
of the program file rather than the PAID of the creating process. This option allows the
owner of the program file to control the files that the new process can access and to
control the operations that can be performed on or by the process. Specify PROGID
with the FUP SECURE command or the SETMODE or SETMODENOWAIT procedure.
For more information about the use and implications of the PROGID option, see Uses
of PROGID Programs on page 2-28.
The LICENSE Attribute
If a program contains privileged procedures (procedures having the CALLABLE or
PRIV attribute), it must be licensed before it can be run by any user other than the
super ID. The super ID must perform licensing through the FUP LICENSE command.
Programs running in the privileged mode have total freedom to access operating
system tables and to execute privileged instructions and procedures, so such
programs might circumvent the file security checks and thereby gain access to any file.
However, the system needs some privileged programs. Through licensing, the
installation can run privileged programs that it has authorized, but users cannot run
unauthorized privileged programs.
For more information about licensing and it
s implications, see Licensing Programs on
page 2-24
.
Table 2-3. Status of Guardian and OSS Process Attributes
Process Attributes PROGID Set PROGID Not Set
PAID Program file owner ID Creator’s ID
CAID Creator’s ID Creator’s ID
Effective user ID* Program file owner ID Creator’s ID
Saved-set-user-ID* Program file owner ID Creator’s ID
Real user ID* Creator’s ID Creator’s ID
Effective group ID* Group ID of program file owner Group ID of creator
Saved-set-group-ID* Group ID of program file owner Group ID of creator
Real group ID* Group ID of creator Group ID of creator
* For OSS attribute descriptions, see OSS Process Security on page 4-9.