The default security class for a process is nonprivileged. On a typical system, the vast majority of processes fall into this class. A nonprivileged process can perform any of the following actions:
- Inspect or modify any object within the extended addressing environment of the process. For information about the addressing environment, refer to Using Global Objects and Using Parameters.
- Create, remove, open, close, read, write, copy, or access the file attributes of data files.
- Initiate, copy, remove, open, close, read, or access the file attributes of object code files.
- Use the nonprivileged form of the GETSTATUS directory call. The nonprivileged form of this call provides information only about directories having the same usercode as the process.
- Use the VOLUME CHANGE form of the WFL VOLUME statement to affect tape volumes whose FAMILYOWNER value is the same as the usercode of the process.
- Use the WFL ARCHIVE command to back up, roll out, or restore files that have the same usercode as the process.
- Use the MAKEUSER utility to change owner-modifiable attributes of the usercode of the process. A nonprivileged process can change only attributes of its own usercode. Of these attributes, the process can change only those marked with a status of OWNER by a PRIVILEGES segment in the USERDATAFILE.
The ability of a nonprivileged process to access a particular disk file is determined by the values of certain task attributes and file attributes. The following task attributes affect file access rights:
- USERCODE
  The USERCODE value generally grants the process access to files that are stored under the usercode. Certain USERCODE values can also grant special privileges, as discussed under Privileged Status and Nonusercoded Status later in this section.
- ACCESSCODE
  The ACCESSCODE value can grant the process access to some files that are protected by guard files, as discussed later in this subsection. The process can assign only accesscode/password combinations corresponding to values in the ACCESSCODELIST usercode attribute. Additionally, the process can delete the accesscode value by assigning a null string.
- NAME
  The value of this task attribute can grant the process access to some files that are protected by guard files, as discussed later in this subsection.
- FILEACCESSRULE
  The effects of this task attribute are discussed in Using Shared Files.
- GROUPCODE and SUPPLEMENTARYGRPS
  If a process is not the owner of a file, and one of the values of GROUPCODE or SUPPLEMENTARYGRPS matches the GROUP file attribute of the file, then the file access rights are determined by the group-related subattributes of the SECURITYMODE file attribute.
The process that creates a disk file can assign security-related file attributes to determine which nonprivileged processes can access the file. Thereafter, only privileged processes or processes running with the same usercode as the file can change the values of these security-related file attributes. Following are brief descriptions of the security-related file attributes:
- TITLE
  This file attribute includes the usercode under which the file is stored. For nonusercoded files, an asterisk (*) is included instead of a usercode. Only privileged or nonusercoded processes can create a nonusercoded file.
- SECURITYTYPE
  This file attribute specifies whether a process must have the same usercode as the file in order to access the file. A value of PUBLIC allows any process to access the file. A value of PRIVATE enables nonprivileged processes to access the file only if the processes are running under the same usercode as the file. For nonusercoded files, a value of PRIVATE enables only privileged processes and nonusercoded processes to access the file. A value of GUARDED or CONTROLLED specifies that a guard file is used to determine which nonprivileged processes can access the file.
- SECURITYUSE
  This file attribute specifies whether nonprivileged processes having a usercode different from the file can read from or write to the file. SECURITYUSE does not restrict the ability to initiate an object code file. SECURITYUSE has effect only if the SECURITYTYPE file attribute value is PUBLIC.
- SECURITYGUARD
  For files with a SECURITYTYPE value of GUARDED or CONTROLLED, the SECURITYGUARD file attribute specifies the title of the guard file to be used.
- SECURITYMODE
  This file attribute provides an alternative method of specifying the security restrictions for a file. SECURITYMODE provides functions similar to the SECURITYTYPE and SECURITYUSE attributes. However, SECURITYMODE provides more detailed control. SECURITYMODE specifies
  - Separate file access rights for three classes of users: the owner, group members, and other users. For each class of users, SECURITYMODE can specify any combination of read access, write access, and execution access.
  - Whether a guard file is used and whether the guard file also applies to the owner of the file.
  - Whether code files should run under the usercode and group code of the initiator of the program or under the usercode and group code of the code file itself. For more information about this topic, refer to Real, Saved, and Effective Process Identities later in this section.
- GROUP
  This file attribute specifies the group to which a file belongs. When determining the rights of a process to access a particular file, if the usercode of the process differs from the owner of the file, the system compares the GROUPCODE and SUPPLEMENTARYGRPS attributes of the process with the SECURITYMODE and GROUP attributes of the file.
- OWNER
  This attribute is read-only and reports the usercode portion of the TITLE file attribute. If TITLE begins with an asterisk (*) instead of a usercode, OWNER returns a null string.
These file attributes are described in detail in the File Attributes Programming Reference Manual.
Guard files can be created using the GUARDFILE utility, which is described in the Security Features Operations and Programming Guide. A guard file can include detailed information about the types of access allowed to various nonprivileged processes. The guard file can include USERCODE or ACCESSCODE clauses that discriminate between processes on the basis of the corresponding task attributes. The guard file can also include a PROGRAM clause that discriminates between processes on the basis of the NAME task attribute value, and a CODEFILE clause that discriminates between processes on the basis of the code file title.
If a guard file is used, it overrides the value of the SECURITYUSE attribute.
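To make the interaction of these task and file attributes concrete, the following Python model walks through the disk-file access decision described above for a nonprivileged process: owner/group/other classification from USERCODE, GROUPCODE, SUPPLEMENTARYGRPS and GROUP; the SECURITYTYPE and SECURITYUSE path; the per-class rights of SECURITYMODE; and a guard file that overrides SECURITYUSE. This is an added example written for this page, not MCP code or a Unisys utility. The SECURITYUSE value names IN, OUT and IO, treating GUARDED and CONTROLLED alike, representing a guard file as a Python callable instead of GUARDFILE syntax, treating a nonusercoded process as the owner of a nonusercoded file, and all usercodes, file titles, group names and guard clauses are assumptions or constructed sample data.

```python
# Constructed model of the disk-file access rules for nonprivileged processes
# described on this page. Not MCP code. Access modes: "r" read, "w" write,
# "x" initiate (object code files). Privileged processes are out of scope.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

GuardFn = Callable[["Process", str], bool]   # stand-in for a guard file's clauses


@dataclass
class Process:
    """Task attributes that influence file access (attribute names from the page)."""
    usercode: Optional[str]                  # None models a nonusercoded process
    groupcode: Optional[str] = None
    supplementarygrps: frozenset = frozenset()
    accesscode: Optional[str] = None
    name: Optional[str] = None               # NAME, tested by a guard PROGRAM clause


@dataclass
class DiskFile:
    """Security-related file attributes (attribute names from the page)."""
    title: str                               # "(USER)A/B", or "*A/B" when nonusercoded
    securitytype: str = "PRIVATE"            # PUBLIC | PRIVATE | GUARDED | CONTROLLED
    securityuse: str = "IO"                  # assumed value names: IN, OUT, IO
    securityguard: Optional[str] = None      # title of the guard file
    group: Optional[str] = None              # GROUP attribute
    # SECURITYMODE as {"owner": "rwx", "group": "r", "other": ""}; the optional
    # keys "guarded" and "guard_owner" model its guard-file subattributes.
    securitymode: Optional[dict] = None

    @property
    def owner(self) -> Optional[str]:
        """OWNER: usercode portion of TITLE, or None when TITLE starts with '*'."""
        if self.title.startswith("*"):
            return None
        return self.title[1:self.title.index(")")]


def user_class(proc: Process, f: DiskFile) -> str:
    """Owner, group member, or other user. A nonusercoded process counts as the
    owner of a nonusercoded file (assumption consistent with the PRIVATE rule)."""
    if proc.usercode == f.owner:
        return "owner"
    groups = set(proc.supplementarygrps)
    if proc.groupcode is not None:
        groups.add(proc.groupcode)
    if f.group is not None and f.group in groups:
        return "group"
    return "other"


def guard_permits(guards: Dict[str, GuardFn], f: DiskFile, proc: Process, mode: str) -> bool:
    """Consult the guard file named by SECURITYGUARD; an unknown guard denies."""
    guard = guards.get(f.securityguard or "")
    return guard is not None and guard(proc, mode)


def can_access(proc: Process, f: DiskFile, mode: str,
               guards: Optional[Dict[str, GuardFn]] = None) -> bool:
    """Decide whether a nonprivileged process may access f in the given mode."""
    guards = guards or {}
    cls = user_class(proc, f)

    if f.securitymode is not None:
        # SECURITYMODE path: per-class rights, optionally delegated to a guard
        # (the guard covers the owner only when guard_owner is set).
        sm = f.securitymode
        guard_applies = sm.get("guarded", False) and (cls != "owner" or sm.get("guard_owner", False))
        if guard_applies:
            return guard_permits(guards, f, proc, mode)
        return mode in sm.get(cls, "")

    # SECURITYTYPE / SECURITYUSE path.
    if cls == "owner":
        return True
    if f.securitytype == "PRIVATE":
        return False
    if f.securitytype in ("GUARDED", "CONTROLLED"):
        return guard_permits(guards, f, proc, mode)   # guard overrides SECURITYUSE
    if f.securitytype == "PUBLIC":
        if mode == "x":
            return True            # SECURITYUSE does not restrict initiating code files
        return mode in {"IN": "r", "OUT": "w", "IO": "rw"}[f.securityuse]
    raise ValueError(f"unknown SECURITYTYPE {f.securitytype!r}")


def payroll_guard(proc: Process, mode: str) -> bool:
    """Constructed guard: a USERCODE clause granting AUDIT read access and an
    ACCESSCODE clause granting PAYADMIN read and write access."""
    if proc.usercode == "AUDIT":
        return mode == "r"
    if proc.accesscode == "PAYADMIN":
        return mode in ("r", "w")
    return False


GUARDS = {"(PAYROLL)GUARD": payroll_guard}   # constructed guard-file directory

if __name__ == "__main__":
    master = DiskFile("(PAYROLL)MASTER", "GUARDED", securityguard="(PAYROLL)GUARD")
    print(can_access(Process("AUDIT"), master, "r", GUARDS))   # True: guard USERCODE clause
    print(can_access(Process("CLERK"), master, "r", GUARDS))   # False: no matching clause
```

The model deliberately denies when a GUARDED file names a guard that cannot be found, and it grants initiation (`"x"`) of a PUBLIC file regardless of SECURITYUSE, which are the two edge cases in the text most easily overlooked when auditing file protections.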
If the tape volume security feature of the Secure Accountability Facility is enabled on the system, then the rights of a nonprivileged process to access a particular tape file are regulated by the task attributes and file attributes listed in the previous discussion as well as by the tape volume attributes FAMILYOWNER, PERMANENTLYOWNED, and MATCHONLYSERIALNO. The tape volume attributes can be assigned only by a privileged user or a privileged process with the WFL VOLUME statement. The security administrator can enable tape volume security by using the SECOPT (Security Options) system command to set the security option TAPECHECK to AUTOMATIC. If tape volume security is not enabled, then a nonprivileged process can open a tape file on any tape unit that is not currently in use by another process.
An additional security restriction for disk files is system file status. The operating system marks disk files that are part of the running system software as system files. Examples of system files are the object code file of the current MCP, the job description file, and the current system log. An application process cannot remove or change the title of any system file. Some files have a modified form of system file status. For example, the USERDATAFILE has system file status and is additionally protected from being read by any application process (only system software can read this file).

