Security Management Guide (G06.29+, H06.08+, J06.03+)

OSS System Security
Security Management Guide 522283-021
You can also control the privileges of OSS processes through the set-user-ID and
set-group-ID permission bits of an OSS program file.
Process Security Attributes
For OSS processes, several attributes associated with each process control process
access. These attributes are listed in Table 4-2. They are used to determine if the
process has the authority to make requests to the system (to open an OSS file, stop
another OSS process, and so on).
When a process is created, the real user ID and real group ID are passed to the
descendant process. The effective IDs and saved-set-IDs of the new process can
come from either of two sources: the IDs of its creator (the usual case) or the owner of
the program file (if file-owner adoption was specified through the set-user-ID or
set-group-ID permission bits).
Table 4-2. Security-Related OSS Process Attributes

Attribute: Description

Effective group ID: The group ID under which the process is currently running. The effective group ID is initialized to the same group ID as the real group ID when the process is authenticated. The effective group ID is changed if the process executes a program file that has its set-group-ID bit set. A process can use the setgid() function to change its own effective group ID.

Real group ID: The primary group of the user ID that created the process.

Saved-set-group-ID: A stored group ID that allows a process to switch its effective group ID between the value of the saved-set-group-ID and the real group ID. This switch is accomplished by executing a setgid() function. The saved-set-group-ID is initialized to the same value as the real group ID. The saved-set-group-ID is changed if the process executes a program file that has its set-group-ID bit set.

Group list: A list containing the file-sharing groups associated with the process.

Effective user ID: The user ID under which the process is currently running. Always kept synchronized with the PAID. The effective user ID is initialized to the same user ID as the real user ID when the process is authenticated. The effective user ID is changed if the process executes a program file that has its set-user-ID bit set. A process can use the setuid() function to change its own effective user ID.

Real user ID: The user ID that created the process (not always equal to the CAID).

Saved-set-user-ID: A stored user ID that allows a process to switch its effective user ID between the value of the saved-set-user-ID and the real user ID. This switch is accomplished by executing a setuid() function. The saved-set-user-ID is initialized to the same value as the real user ID. The saved-set-user-ID is changed if the process executes a program file that has its set-user-ID bit set.
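The file-owner adoption at exec and the switching between the real and saved-set user IDs described above, as an added example that is not from the Security Management Guide: a small C model of the rule, plus one live call on the running process. It assumes POSIX setuid() semantics for an unprivileged caller (which OSS follows); the IDs 1001, 500 and 4242 are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The three user IDs of Table 4-2 (constructed model, not live state). */
typedef struct { uid_t real, effective, saved; } uid_state;
/* Exec of a set-user-ID program file owned by 'owner': the real ID is
 * inherited from the creator, effective ID and saved-set-user-ID adopt
 * the file owner. */
static uid_state exec_setuid_program(uid_t creator_real, uid_t owner)
{
    uid_state s = { creator_real, owner, owner };
    return s;
}

/* Unprivileged setuid() rule from the table: the effective user ID may
 * switch only to the real user ID or the saved-set-user-ID; any other
 * target is refused with EPERM and the state is left unchanged. */
static int model_setuid(uid_state *s, uid_t target)
{
    if (target != s->real && target != s->saved) {
        errno = EPERM;
        return -1;
    }
    s->effective = target;
    return 0;
}

/* Live counterpart on the running process: a switch back to the real
 * user ID is always permitted, so this returns 0 for any caller. */
static int regain_real_uid(void)
{
    return setuid(getuid());
}

int main(void)
{
    /* Constructed IDs: user 1001 executes a program file owned by user 500. */
    uid_state s = exec_setuid_program(1001, 500);
    printf("after exec: effective=%lu\n", (unsigned long)s.effective);
    model_setuid(&s, s.real);        /* drop to the real ID for untrusted work */
    printf("after setuid(real): effective=%lu\n", (unsigned long)s.effective);
    if (model_setuid(&s, 4242) != 0) /* neither real nor saved-set: refused */
        printf("setuid(4242) refused, errno=%d\n", errno);
    model_setuid(&s, s.saved);       /* regain the file owner's authority */
    printf("after setuid(saved): effective=%lu\n", (unsigned long)s.effective);
    return regain_real_uid() == 0 ? 0 : 1;
}
```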