HP OpenVMS Systems
HP Advanced Server for OpenVMS
To simplify creating a new group, you can use the COPY GROUP command to copy an existing group to the new group, with a new name, keeping the members and description from the previous group. For example, to form a new group called QUADLINGS from an existing group called MUNCHKINS, use the following command:
LANDOFOZ\\TINMAN> COPY GROUP MUNCHKINS QUADLINGS %PWRK-S-GROUPCOPY, group "MUNCHKINS" copied to "QUADLINGS" in domain "LANDOFOZ" LANDOFOZ\\TINMAN>
This command copies the description and group members from MUNCHKINS to the new group named QUADLINGS. You can display information about the new group using the SHOW GROUPS/FULL command. For example, the following command displays the type, description, and members of the QUADLINGS group:
LANDOFOZ\\TINMAN> SHOW GROUPS QUADLINGS/FULL Groups in domain "LANDOFOZ": Group Name Type Description ---------- ------ ----------------------------- QUADLINGS Local Oz local group Members: [US]LION,[US]SCARECROW Total of 1 group LANDOFOZ\\TINMAN>
LANDOFOZ\\TINMAN> MODIFY GROUP MONKEYS/ADD_MEMBERS=LION %PWRK-S-GROUPMOD, group "MONKEYS" modified on domain "LANDOFOZ" LANDOFOZ\\TINMAN> SHOW GROUP MONKEYS Groups in domain "LANDOFOZ": Group Name Full Name Type Description ---------- --------- ------- ------------------------ MONKEYS Global Winged monkeys Members: [US]LION Total of 1 group) LANDOFOZ\\TINMAN>
To remove a member from a group, use the MODIFY GROUP command with the /REMOVE_MEMBERS qualifier. For example, to remove SCARECROW from the group MUNCHKINS, enter the following command:
LANDOFOZ\\TINMAN> MODIFY GROUP MUNCHKINS/REMOVE_MEMBERS=SCARECROW %PWRK-S-GROUPMOD, group "MUNCHKINS" modified on domain "LANDOFOZ" LANDOFOZ\\TINMAN>
To change the group description, use the MODIFY GROUP/DESCRIPTION command, as in the following example:
LANDOFOZ\\TINMAN> MODIFY GROUP MUNCHKINS/DESCRIPTION="First Floor" %PWRK-S-GROUPMOD, group "MUNCHKINS" modified on domain "LANDOFOZ"
Internally, the Advanced Server recognizes every group by its security identifier (SID), which is used when assigning permissions to a resource. If you delete a group and then create another group with the same group name, the new group does not inherit access to any resources available to the old group because the groups have different SIDs. To delete a group, use the REMOVE GROUP command, as in the following example:
LANDOFOZ\\TINMAN> REMOVE GROUP QUADLINGS Each group is represented by a unique identifier which is independent of the group name. Once this group is deleted, even creating an identically named group in the future will not restore access to resources which currently name this group in the access control list. Remove "QUADLINGS" [YES or NO] (YES) : YES %PWRK-S-GROUPREM, group "QUADLINGS" removed from domain "LANDOFOZ" LANDOFOZ\\TINMAN>
The command deletes the group QUADLINGS from the LANDOFOZ domain.
You use the ADMINISTER command-line interface to set up files and directories for sharing. To do this, you need to become familiar with the concepts and procedures described in this chapter:
To serve your users most effectively, you should plan carefully for sharing files and directories. Some projects will require directory sharing, and some groups may need to share only certain files. Use the Shares Worksheet in the HP Advanced Server for OpenVMS Concepts and Planning Guide to help you set up your shares.
Sharing a directory makes the directory and the files located in it available to other network users. The Advanced Server integrates two levels of permissions for shared files and directories: share permissions, and file and directory access permissions.
When you copy files or directories, security permissions set on them are discarded in addition to ownership and auditing information. The files inherit a new set of permissions from the directory into which they have been copied. If the new directory does not specify permissions for files, only the file's owner (the person who copied the file) will have permission to use the file.
In addition to the two levels of permissions supported by the
Advanced Server, the OpenVMS file system imposes a set of protections,
which are used if the Advanced Server and OpenVMS security model is
enabled. These must be considered when managing shared directories.
(For more information, see Section 4.1.2,Advanced Server Security Models.) Shared directories must have
the appropriate OpenVMS system protections applied to them if
interactive OpenVMS users and other OpenVMS processes need access to
4.1.1 Disk Resources
For more information about Extended File Specifications, refer to the OpenVMS Guide to Extended File Specifications. For details about managing disk resources on ODS-5 disk volumes, see Section 4.5, Using ODS-5 Disk Volumes in the Advanced Server Environment.
Disk resources include the disk devices on a server, the directories on those devices, and the files in the directories. With Advanced Server you can create a share for a directory, including the root directory for a disk, and specify access permissions for the share. Access permissions define the network users or groups permitted to access the share, and the kinds of operations that each may perform.
You cannot create a share for a file. Users access files through the directory share where the files reside. However, you can set access permissions on shares, directories, and files.
By configuring the server security model, you can enhance access
permissions using OpenVMS file protection mechanisms.
4.1.2 Advanced Server Security Models
All Advanced Server users have either a network user account or access to the Guest account. The type of access allowed to each user account is determined by the access permissions set on the resource. Each network user account may be mapped to an OpenVMS user account. This mapping enables the Advanced Server to integrate network security with OpenVMS file access security.
You can change the security model configuration parameter setting, using the Configuration Manager as described in Chapter 7, Managing Server Configuration Parameters. You can also enable the server to perform dynamic upgrading of network security on files it accesses. Files whose security is specified entirely according to PATHWORKS V5 for OpenVMS (LAN Manager) security are upgraded to PATHWORKS V6 for OpenVMS (Advanced Server) security. For more information, see Section 126.96.36.199, Enabling Dynamic Security Upgrade.
The following sections describe the security models in more detail. Each security model provides the security checks shown in Table 4-1, Security Checks.
|Security Model||Checks Advanced Server Permissions?||Checks OpenVMS Protections?|
|Advanced Server Only||Yes||No|
|Advanced Server and OpenVMS||Yes||Yes|
To effectively implement the Advanced Server Only security model, keep the following in mind:
As enforced by the Advanced Server Only security model, network security uses Windows NT security descriptors for each shared directory and file.
A Windows NT security descriptor contains information such as the Windows NT owner of the file and a list of Windows NT users and groups with their respective access levels for that file.
These descriptors are stored in OpenVMS application access control
entries (ACEs) that are included in the OpenVMS access control lists
(ACLs) associated with the file.
188.8.131.52 Advanced Server and OpenVMS Security Model
An OpenVMS account identifies a user to the OpenVMS operating system. The account includes the user's name, a password, privileges, and access to directories and files associated with the account. Network user accounts are associated with OpenVMS user accounts by means of host mapping. For more information about host mapping, see Section 3.1.16, User Account Host Mapping.
In short, the OpenVMS operating system provides two methods of assigning protection to files and directories:
RMS sets protection on files and directories based on user identification codes (UICs). A UIC consists of a group code and a user code assigned to every OpenVMS user by the system administrator. The user's UIC determines which categories a user belongs to. Table 4-2, OpenVMS Group Codes, lists and describes the group codes.
|System (S)||Users with SYSTEM privileges (the OpenVMS privilege SYSPRV) or users with low group numbers in their UICs, as determined by the system administrator.|
|Owner (O)||The user who is the owner of a file or directory. The user code of the UIC associated with the file or directory matches the user code of the UIC of a user.|
|Group (G)||All users who have the same group code in their UICs.|
|World (W)||All users regardless of UIC.|
RMS assigns file protections for each of these categories according to the following format:
The default protections are: System: RWED, Owner: RWED, Group: no
access, World: no access. This RMS protection allows read, write,
execute, and delete access to the system and to the owner of the file,
but users in the same group and other users have no access to the file.
184.108.40.206.2 Access Control Lists (ACLs)
An access control entry (ACE) is an entry in an access control list (ACL) that controls access to files and directories by resource identifiers. ACLs give you more control than RMS protections. For example, with RMS, the only way to grant READ access to users in different UIC groups is to grant World Read (W:R) access. In contrast, with ACLs, you can provide users from several UIC groups with access to a file or directory without granting World access, and you can deny specific users access to specific files.
If you use both RMS protections and ACLs, OpenVMS checks ACEs in the
ACLs before it checks the RMS protections. For more information about
RMS protections and ACLs, refer to the HP OpenVMS System Manager's Manual.
4.1.3 The Advanced Server and Windows NT Security Information
The Advanced Server supports both OpenVMS and network security, and ownership information. It achieves this by storing Windows NT security descriptors for directories and files on OpenVMS disk devices. (For more information on Windows NT security descriptors, see Section 220.127.116.11.1, Windows NT Security Descriptors.
The following sections explain how the Advanced Server handles file
security information and describes utilities you can use to manipulate
18.104.22.168 Inheritance of Directory Permissions
Each Windows NT directory has two sets of permissions: (A) directory-specific security permissions that provide access control to the directory itself and (B) inheritable permissions that will be inherited automatically by any file created in that directory, becoming the default access permissions for that new file.
The Advanced Server is designed to conform with Windows NT security
behavior. When you create a file in a shared directory, the parent
directory's inheritable permissions (B) are propagated to that file to
become the file's access permissions. When you create a subdirectory,
both the parent directory's access control permissions (A) and
inheritable permissions (B) propagate to the subdirectory becoming the
subdirectory's access control (A) and inheritable permissions (B),
22.214.171.124 Inheritance of Ownership
In conformance with Windows NT security behavior, Advanced Server
security is designed to assign ownership of a file or directory to the
user who creates the file or directory. The owner can always control
access to the file or directory by changing the permissions set on it.
126.96.36.199 ACEs and OpenVMS Volume Index Files
Every OpenVMS file has a file header block stored in the volume index file, INDEXF.SYS. Each file header is limited to 512 bytes. The ACL for a file is stored in the file's header. When a file contains several ACEs, it may exceed the 512-byte limit, and a secondary file header (known as an extension file header) is allocated.
When a file has a large number of "PATHWORKS" ACEs (displayed as PATHWORKS ACES, these are ACEs created by Advanced Server or PATHWORKS servers; see Section 188.8.131.52, Displaying Advanced Server for OpenVMS and PATHWORKS ACEs), the secondary headers required to store the ACEs will consume additional space in the index file. As the index file extends to provide more headers, the space available for other files is reduced, and the index file itself becomes fragmented. In addition, there is a limit to the number of times the index file can be extended. Its header can become full from mapping its own multiple extensions.
You can reduce the number of ACEs by using local groups in permissions lists for files and directories, rather than by adding individual users or global groups. Ideally, each file and directory permissions list should reflect only local groups, and no two entries in a permissions list should duplicate the same permissions. The Advanced Server for OpenVMS can help reduce the number and size of the ACEs created, and thereby reduce the consumption of index header blocks used for secondary headers.
For example, the file server parameter Store_Security_Aces allows you to control the amount of Windows NT security information stored with the file at file creation. By default (parameter value equals YES), the file server writes a complete set of Windows NT security information to a new file. By changing the value of the Store_Security_Aces parameter to NO, only the ownership information is represented in the file's ACL, excluding all the file access permission ACEs. For more information about this parameter, see Section 184.108.40.206, Streamlining Security Information Storage and Lookups. This can make more efficient use of disk space.
Note that there are tradeoffs for using the Store_Security_Aces=NO setting. For example, while conserving disk space, additional run-time is required to determine access permissions for files that do not have explicit access permissions associated with them. Section 220.127.116.11, Streamlining Security Information Storage and Lookups, discusses the tradeoffs in more detail, and explains how to recover from over consumption of disk space caused by oversized file security descriptors (excessive ACEs on a file) or inappropriate propagation of ACEs to files.