Grouping Users to Enforce Security


Before explaining how security of resources works (in the next section), I must explain how users can be grouped. OpenVMS supports three grouping mechanisms:

  • Individual users

  • Groups based on user identification codes (UICs)

  • Groups based on rights identifiers

For the sake of simplicity, the following examples are applied to files; however, as you read this section, remember that the same principles apply to the following resources:

  • Common event flag clusters (simple semaphores)

  • Global data sections

  • Print and batch queues

  • Devices (such as disk drives)

  • Removable media (such as floppy disks and tapes), called volumes

  • Logical tables

  • Lock manager resources (complex semaphores)

Every user is assigned a UIC when entered into the SYSUAF. Refer to the UAF>SHOW DMILLER/FULL listing in Chapter 4. The second line of that display is:

     Account:                              UIC:    [20,4] ([DMILLER]) 

The UIC on the right has two values: one numeric and the other alphanumeric. The numeric value is arbitrary and assigned by the manager. In this example, all users whose numeric UIC begins with 20 are in the same group. The alphanumeric is derived from the user name, of course, and has no inherent group designation in this case. The numeric group has meaning in the protection scheme. For instance, to examine the security level of one of my files, I would enter the following:

     $ show security login.com
     FACULTY:[DMILLER]LOGIN.COM;101 object of class FILE
          Owner: [DMILLER]
          Protection: (System: RWED, Owner: RWED, Group, World)
          Access Control List:
               (IDENTIFIER=[HICKEY],ACCESS=READ)

The first line displays the path name of the file. FACULTY is the name of the device. [DMILLER] in this context is the directory name. The file, LOGIN.COM, is in its 101st generation. The final phrase will be explained in the next section.

The second line specifies the alphanumeric UIC of the owner, [DMILLER], which happens to be the directory name and the account name.

The third line states the UIC protection levels; there are four in OpenVMS, not three as in UNIX. System refers to the system manager, and RWED is shorthand for Read-Write-Execute-Delete, meaning that all of those privileges are granted to System, and the Owner has the same privileges; however, the rest of the [20,*] group has no privileges, and neither do any of the other users (i.e., World). System and Owner may change the access privileges (i.e., Control privilege is automatically, and invisibly, granted). No flag is shown for UIC Control privilege.

The last two lines, the access control list, are described in the further discussion in this section.

Returning to UIC protection, I will demonstrate how to manipulate these fields. For instance, to change the UIC protection level to permit World read access to the file, DMILLER (or SYSTEM) would issue the command:

     $ SET SECURITY/PROTECTION=(W:R) LOGIN.COM 

To see the result, I have chosen an alternative command (DIR/SEC) to list the change. Also notice that I used abbreviations. This time the UIC protection is displayed in parentheses on the far right in a more cryptic form than the SHOW SECURITY command produces. The rightmost "R" is the World privilege just granted.

     $ dir/sec login.com

     Directory FACULTY:[DMILLER]

     LOGIN.COM;101        [DMILLER]                          (RWED,RWED,,R)
               (IDENTIFIER=[HICKEY],ACCESS=READ)

ACLs are another way to control file access and, more generally, resource access. An ACL entry can refer to either a specific user or a rights identifier.

As it stood before World read access was granted, only one other user, HICKEY, had read access to this file, through the ACL. The following command adds another user, STUROSS, to the ACL and displays the directory for the file again:

     $ set sec/acl=(id=stuross,access=read) login.com
     $ dir/sec login.com

     Directory FACULTY:[DMILLER]

     LOGIN.COM;101        [DMILLER]                           (RWED,RWED,,)
               (IDENTIFIER=[STUROSS],ACCESS=READ)
               (IDENTIFIER=[HICKEY],ACCESS=READ)
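The two displays in this section, the four-field UIC protection code and the ACL, can be modelled in a short program, which makes it easy to see who ends up with access after each SET SECURITY command. The Python below is an added illustration written for this page; it is not the book's code and not how OpenVMS itself is implemented. It parses both display forms (SHOW SECURITY and DIR/SEC), applies a /PROTECTION=(W:R) change, parses ACEs in either the full or the abbreviated form typed at the DCL prompt, and decides access for a set of sample users. Its evaluation order (the first matching ACE decides, otherwise the protection code, with the System and Owner fields still able to override a withholding ACE) and the MAXSYSGROUP default of 8 are assumptions taken from OpenVMS security documentation rather than from this chapter; privileges such as BYPASS and SYSPRV are left out. Every UIC except [20,4] and every user name except DMILLER, HICKEY and STUROSS is constructed for the example.

```python
"""Simplified model of OpenVMS object protection (UIC-based protection code plus ACL), added to
illustrate this section; not the book's code. Privileges (BYPASS, SYSPRV, GRPPRV, READALL) are left out."""
from dataclasses import dataclass, field

ACCESS_LETTERS = "RWED"                       # Read, Write, Execute, Delete
CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")
FIELD_ABBREV = {"S": "SYSTEM", "O": "OWNER", "G": "GROUP", "W": "WORLD"}
ACCESS_NAMES = {"READ": "R", "WRITE": "W", "EXECUTE": "E", "DELETE": "D", "NONE": ""}
MAXSYSGROUP = 8   # assumption: SYSGEN default; UIC groups at or below it count as System

def parse_uic(text):
    """'[20,4]' -> (16, 4); UIC numbers are displayed in octal."""
    group, member = text.strip("[] ").split(",")
    return int(group, 8), int(member, 8)

def parse_protection(text):
    """Accept '(System: RWED, Owner: RWED, Group, World)' (SHOW SECURITY form) or
    '(RWED,RWED,,R)' (DIR/SEC form); return {category: set of access letters}."""
    fields = [f.strip() for f in text.strip().strip("()").split(",")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 protection fields in {text!r}")
    prot = {}
    for cat, f in zip(CATEGORIES, fields):
        name, sep, bits = f.partition(":")
        if not sep:                    # no colon: DIR/SEC letters, or a bare 'Group'
            bits = "" if name.strip().upper() == cat else name
        prot[cat] = set(bits.strip().upper())
    return prot

def format_protection(prot):
    """Render in the compact DIR/SEC form, e.g. '(RWED,RWED,,R)'."""
    return "(" + ",".join("".join(c for c in ACCESS_LETTERS if c in prot[k]) for k in CATEGORIES) + ")"

def set_protection(prot, spec):
    """Model SET SECURITY/PROTECTION=(W:R): named fields are replaced, the others kept."""
    new = {cat: set(bits) for cat, bits in prot.items()}
    for item in spec.strip("() ").split(","):
        abbrev, _, bits = item.strip().partition(":")
        new[FIELD_ABBREV[abbrev.strip().upper()[0]]] = set(bits.strip().upper())
    return new

def parse_ace(text):
    """'(IDENTIFIER=[HICKEY],ACCESS=READ+WRITE)' -> ('HICKEY', {'R', 'W'}); the
    abbreviated lowercase form typed at the DCL prompt is accepted as well."""
    parts = {}
    for kv in text.strip("() ").split(","):
        key, _, value = kv.partition("=")
        parts[key.strip().upper()] = value.strip()
    ident = (parts.get("IDENTIFIER") or parts["ID"]).strip("[] ").upper()
    access = set()
    for name in parts["ACCESS"].upper().split("+"):
        access |= set(ACCESS_NAMES[name.strip()])   # set('') is empty, so NONE grants nothing
    return ident, access

@dataclass
class User:
    name: str
    uic: tuple
    identifiers: set = field(default_factory=set)   # rights identifiers held

@dataclass
class ProtectedObject:
    owner_uic: tuple
    protection: dict
    acl: list = field(default_factory=list)          # ordered (identifier, access) ACEs

def categories(user, obj):
    """A user can be in several categories at once; World always applies."""
    tests = {"SYSTEM": user.uic[0] <= MAXSYSGROUP, "OWNER": user.uic == obj.owner_uic,
             "GROUP": user.uic[0] == obj.owner_uic[0], "WORLD": True}
    return {cat for cat, member in tests.items() if member}

def check_access(user, obj, access):
    """True if user may perform access ('R', 'W', 'E', 'D', or 'C' for control). Assumed order:
    first matching ACE decides, else the protection code; System/Owner fields override a withholding ACE."""
    access, cats = access.upper(), categories(user, obj)
    held = {user.name.upper()} | {i.upper() for i in user.identifiers}  # own UIC name is an identifier
    if access == "C":   # control is implicit for System and Owner; no letter shows for it
        return bool(cats & {"SYSTEM", "OWNER"})
    for ident, granted in obj.acl:
        if ident in held:
            if access in granted:
                return True
            return any(access in obj.protection[c] for c in cats & {"SYSTEM", "OWNER"})
    return any(access in obj.protection[c] for c in cats)

def login_com_example():
    """Replay the section's LOGIN.COM scenario; every UIC except DMILLER's is constructed."""
    users = [User("SYSTEM", parse_uic("[1,4]")), User("DMILLER", parse_uic("[20,4]")),
             User("HICKEY", parse_uic("[31,2]")), User("JONES", parse_uic("[20,7]")),
             User("OUTSIDER", parse_uic("[300,1]"))]
    login = ProtectedObject(parse_uic("[20,4]"),
                            parse_protection("(System: RWED, Owner: RWED, Group, World)"),
                            [parse_ace("(IDENTIFIER=[HICKEY],ACCESS=READ)")])
    before = {u.name: check_access(u, login, "R") for u in users}
    login.protection = set_protection(login.protection, "(W:R)")   # SET SECURITY/PROTECTION=(W:R)
    after = {u.name: check_access(u, login, "R") for u in users}
    return before, after, format_protection(login.protection)
```

Running login_com_example() shows the point of the section: before the change only SYSTEM, the owner DMILLER and the ACE holder HICKEY can read the file, while JONES (constructed, same [20,*] group) and an outsider cannot; after /PROTECTION=(W:R) the World field admits everyone, and the mask renders as (RWED,RWED,,R), exactly the DIR/SEC column above. Note that World read access reaches group members too, so the empty Group field does not exclude them once World is opened, and an ACE can only withhold access from users who are neither System nor Owner.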


Getting Started with OpenVMS System Management (HP Technologies)
ISBN: 1555582818
Year: 2004
Pages: 130
Authors: David Miller