User's Guide to MPE/iX Security: HP 3000 MPE/iX Computer Systems > Chapter 3 Protecting Your System with Access Control Definitions (ACDs)

User Identification


Users on MPE/iX are now identified by a user ID (UID). The UID is a string (in the form user.account) with a corresponding integer value. Each MPE account has a group ID (GID) associated with it. The GID is a string (in the form account) and also has a numerical value assigned to it. UIDs and GIDs were added to file and process structures to more easily identify object owners and file sharing groups, respectively.

In addition to the UIDs and GIDs, users are identified as follows:

Table 3-2 User Categories

| Category | Conditions |
|---|---|
| File Owner | The user whose UID matches the object's UID (also called user.account or $OWNER in ACDs). By default, when a user creates a file or directory it is assigned the same UID as that user. |
| File Group Member | Any user whose GID matches the GID of the object (also called @.account or $GROUP in ACDs). By default, all members of an account are assigned the same GID. This group is a new file sharing concept that should be distinguished from MPE groups (that is, group directories). By default, when a user creates a file or directory, it is assigned the parent directory's GID. |


SAVE access in MPE groups

Create directory entries (CD) access and delete directory entries (DD) access to all MPE groups are governed by appropriate privileges or SAVE access. (A complete definition of appropriate privilege appears later in this chapter.) SAVE access for an MPE group implies CD and DD permission for directory entries. That is, a user can create or delete a directory in an MPE group if the group grants SAVE access to the user. However, you still need write access to a file to be able to delete it from an MPE group.

CWD and File Security

You can now change the current working directory (CWD) to any directory (including an MPE account, an MPE group, the root directory, or an HFS directory) as long as you have TD access to the directories in the path to the directory. This means that you can change your CWD to any MPE group on the system because all users have RD and TD access to the root directory, all accounts, and all groups, by default.

It is important to note that changing your CWD to a new MPE group (using the CHDIR command) does not make you a GU user of the new group. GU is based on your logon group and account; this can only be changed using CHGROUP. If you attempt to access a file in the new group, you may not be able to access it. If the new group is in your logon account, you are allowed account level privileges in the new group. If the new group is not in your logon account, you are allowed the access privileges given to any user. No password check is done when you change your CWD. This is unlike CHGROUP, which does a password check.
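The rules in this section and in Table 3-2, modeled as an added example in Python (not HP's code and not part of the original guide). The user, account and group names, the /ACCOUNT/GROUP path form, the "AC" and "ANY" labels, and the td_denied and group_passwords parameters are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Session:
    user: str
    account: str      # logon account
    group: str        # logon group; only chgroup() changes it
    cwd: str = ""     # current working directory (assumed /ACCOUNT/GROUP form)

    @property
    def uid(self):    # UID string form: user.account
        return f"{self.user}.{self.account}"

    @property
    def gid(self):    # GID string form: account
        return self.account

def chdir(s, path, td_denied=()):
    """CWD change: needs TD on every directory in the path; no password check."""
    parts = [p for p in path.split("/") if p]
    dirs = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    if any(d in td_denied for d in dirs):   # td_denied: hypothetical stand-in
        raise PermissionError("TD access missing on the path")
    return replace(s, cwd=path)             # logon group and account untouched

def chgroup(s, group, password, group_passwords):
    """Logon-group change: a password check is made, unlike chdir()."""
    if not hmac.compare_digest(group_passwords[group], password):
        raise PermissionError("group password check failed")
    return replace(s, group=group)

def user_class(s, file_account, file_group):
    """Class applied to a file in an MPE group; the CWD is never consulted."""
    if file_account != s.account:
        return "ANY"                        # outside the logon account
    return "GU" if file_group == s.group else "AC"

def acd_category(s, file_uid, file_gid):
    """Table 3-2 categories, returned as the ACD keywords."""
    if s.uid == file_uid:
        return "$OWNER"
    return "$GROUP" if s.gid == file_gid else None

# Constructed session: JANE.PAYROLL logged on to group DATA.
jane = Session("JANE", "PAYROLL", "DATA")
moved = chdir(jane, "/PAYROLL/REPORTS")
print(user_class(moved, "PAYROLL", "REPORTS"))  # account level, not GU
```

When reviewing access, evaluate a user against their logon group and account rather than the directory they are working in; a session whose CWD is another group gains nothing in that group beyond account-level or any-user access.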
