Basis of File-Access Checking

The system can determine whether a usercode or process can access a file based on either of the following criteria:

  • Declarer

    • The values of the NAME, USERCODE, GROUPCODE, and SUPPLEMENTARYGRPS task attributes of the process associated with the block in which the file was declared. The system uses the name of the process that executed the block containing the file declaration and the USERCODE, GROUPCODE, and SUPPLEMENTARYGRPS task attributes associated with that block to determine whether access is granted.

    • The privilege of the code file in which the file is declared is also used to determine file access rights. If the file declarer is a privileged transparent library, the code file is assumed to have no privilege; it does not acquire its caller's privilege.

    • The GROUPCODE and SUPPLEMENTARYGRPS attributes are checked against the GROUP attribute of the file.

  • Actor

    • The values of the USERCODE, NAME, GROUPCODE, and SUPPLEMENTARYGRPS task attributes of the process that acted to open the file or to change the value of the SECURITYMODE, SECURITYTYPE, SECURITYUSE, or SECURITYGUARD attribute of the file. When a process acts on a file, these task attributes of the acting process become the basis for access checking.

    • The GROUPCODE and SUPPLEMENTARYGRPS attributes are checked for the process that tried to access the file.

The FILEACCESSRULE task attribute enables you to control which of these criteria is applied to access checking for files. When the value of FILEACCESSRULE is DECLARER, checking is based on the first criterion just described. When the value of the attribute is ACTOR, checking is based on the second criterion. When the value of the attribute is DEFAULT (which is the default value), access checking is based on the first criterion. Unless FILEACCESSRULE is explicitly set to ACTOR, the system bases access checking on the name and usercode of the declarer.

When access checking is based on the actor, circumstances can arise that make it possible for a process to pass, inadvertently, file access privileges to another process. For example, suppose that a task, P1, initiates an external task, P2, and passes P2 a file, F, as a parameter. Suppose further that F is guarded by a guard file that grants P1 access by process name to F, but does not grant P2 similar access.

In this situation, the ability of P2 to access F depends entirely on whether P1 accesses F before passing F as a parameter to P2. If P1 accesses F first, then when P1 passes F to P2, P2 gains the same access rights to F as P1. However, if P1 passes F to P2 before P1 has accessed F, P2 has no access rights.

To avoid this type of situation, base security checking on the declarer rather than the actor.
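The following Python sketch is an added illustration, not system code or part of the original documentation. It models the P1/P2 scenario above as a toy and shows that the outcome depends on ordering only when the rule is ACTOR. The class and function names are hypothetical, and the model assumes that a file opened by P1 stays usable by whoever it is passed to, which is how the text describes P2 gaining the rights of P1.

```python
from dataclasses import dataclass

@dataclass
class Process:
    name: str                      # stands in for the NAME task attribute

@dataclass
class GuardedFile:
    declarer: Process              # process whose block declared the file
    allowed_names: frozenset       # toy guard file: process names granted access
    is_open: bool = False          # assumption: an open file carries its access

def guard_permits(f, actor, rule):
    """Evaluate the guard against the identity selected by FILEACCESSRULE."""
    # DEFAULT behaves like DECLARER; only an explicit ACTOR uses the acting process.
    subject = actor if rule == "ACTOR" else f.declarer
    return subject.name in f.allowed_names

def use_file(f, actor, rule):
    """Actor uses the file: an open is checked, an already-open file is not."""
    if f.is_open:
        return True
    if guard_permits(f, actor, rule):
        f.is_open = True
        return True
    return False

def p2_gets_access(rule, p1_opens_first):
    """P1 declares F, optionally opens it, then passes it to external task P2."""
    p1, p2 = Process("P1"), Process("P2")
    f = GuardedFile(declarer=p1, allowed_names=frozenset({"P1"}))
    if p1_opens_first:
        use_file(f, p1, rule)
    return use_file(f, p2, rule)   # P2 received F as a parameter

def outcome_table():
    """Map (rule, p1_opens_first) to whether P2 ends up with access to F."""
    return {(rule, first): p2_gets_access(rule, first)
            for rule in ("ACTOR", "DECLARER", "DEFAULT")
            for first in (True, False)}

if __name__ == "__main__":
    for (rule, first), granted in outcome_table().items():
        print(f"{rule:9} P1 opens first={first!s:5} -> P2 access={granted}")
```

Under ACTOR the two orderings give different answers for the same guard file; under DECLARER or DEFAULT the answer is fixed by the declarer's identity in both orderings.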

The ability to assign the value ACTOR to the FILEACCESSRULE task attribute is limited to privileged users, privileged processes, and message control systems (MCSs), and is valid only for active tasks.