MODIFY-POSIX-USER-ATTRIBUTES


Modify POSIX user attributes

Component:        SRPMNUC
Functional area:  User management
                  POSIX administration and application
Domain:           USER-ADMINISTRATION
Privileges:       STD-PROCESSING
                  POSIX-ADMINISTRATION
                  USER-ADMINISTRATION

Function

The MODIFY-POSIX-USER-ATTRIBUTES command modifies the POSIX user attributes of a BS2000 user ID in the user catalog of the specified pubset.

Each time a new BS2000 user ID is set up (with the ADD-USER command), its POSIX user attributes are automatically set to the POSIX defaults (as defined with the MODIFY-POSIX-USER-DEFAULTS command). Where necessary, these POSIX user attributes can be changed.
Systems support can configure a BS2000 user ID as a POSIX user with the ADD-POSIX-USER command.

The following users are authorized to modify POSIX user attributes:

  • holders of the POSIX-ADMINISTRATION or USER-ADMINISTRATION privilege, for all BS2000 user IDs on all pubsets.

  • group administrators, for the group and subgroup members they are in charge of on the pubset they manage. However, the following restrictions apply to group administrators:

    • A group administrator’s ADM-AUTHORITY authorization governs the POSIX user attributes which that administrator is allowed to modify.

    • The range of values a group administrator is allowed to assign to POSIX user attributes is limited.

    Details are given in the relevant operand descriptions.

The current POSIX default values can be displayed by means of the SHOW-POSIX-USER-ATTRIBUTES command.

Format

MODIFY-POSIX-USER-ATTRIBUTES

USER-IDENTIFICATION = <name 1..8>

,PUBSET = *HOME / <cat-id 1..4>

,USER-NUMBER = *UNCHANGED / *BY-POSIX-USER-DEFAULTS / *HOME / <integer 0..60002>

,GROUP-NUMBER = *UNCHANGED / *BY-POSIX-USER-DEFAULTS / *GROUP-ADMINISTRATOR / <integer 0..60002>

,COMMENT = *UNCHANGED / *BY-POSIX-USER-DEFAULTS / *NONE / <c-string 1..255 with-low>

,DIRECTORY = *UNCHANGED / *BY-POSIX-USER-DEFAULTS / *ROOT / <posix-pathname 1..1023 without-wild>

,PROGRAM = *UNCHANGED / *BY-POSIX-USER-DEFAULTS / *SHELL / <posix-pathname 1..1023 without-wild>

Operands

USER-IDENTIFICATION = <name 1..8>
BS2000 user ID for which the POSIX user attributes are to be changed.

PUBSET =
Pubset for which the POSIX user attributes in the user catalog are to be changed.

PUBSET = *HOME
The change affects the home pubset.

PUBSET = <cat-id 1..4>
The change affects the pubset with the specified catalog ID.

USER-NUMBER =
The user number which is automatically allocated when a BS2000 user ID is set up can be changed.
The USER-NUMBER attribute is a security issue, as the user number governs the associated privileges and determines who is the owner of a file. Group administrators cannot change the user number unless they have at least the group administrator privilege MANAGE-MEMBERS, and the range of values they can assign is restricted:

  • They cannot allocate a user number of 0, which is the root privilege.

  • They can only change the default user number.

  • They can only allocate user numbers which are greater than the default user number.

  • They cannot allocate duplicate user numbers.

  • On a data pubset they can only assign the user number of the BS2000 user ID of the same name on the home pubset.

USER-NUMBER = *UNCHANGED
The user number is not changed.

USER-NUMBER = *BY-POSIX-USER-DEFAULTS
The user number is given the value of the corresponding POSIX default attribute as recorded in the user catalog of the specified pubset.

USER-NUMBER = *HOME
The user number of the BS2000 user ID of the same name on the home pubset is used. This value is meaningful only if the user number is being changed on a data pubset. It is redundant on the home pubset.

USER-NUMBER = <integer 0..60002>
The user number is given the specified value.
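
The group-administrator restrictions on USER-NUMBER listed above, written as a pre-check over a proposed change. This is an added illustration, not BS2000 or SRPM code: the `Request` fields and the `violations` function are hypothetical names, the sample values are constructed, and reading "can only change the default user number" as "the target's current number must still equal the default" is this example's assumption.

```python
from dataclasses import dataclass
from typing import Optional

MAX_ID = 60002  # upper bound of <integer 0..60002> in the command format


@dataclass
class Request:
    """Proposed USER-NUMBER change by a group administrator (hypothetical model)."""
    has_manage_members: bool            # ADM-AUTHORITY is at least MANAGE-MEMBERS
    current: int                        # user number the target ID has now
    default: int                        # POSIX default user number of the pubset
    requested: int                      # value the administrator wants to assign
    in_use: frozenset                   # user numbers already allocated there
    on_data_pubset: bool = False
    home_number: Optional[int] = None   # same-named ID's number on the home pubset


def violations(r: Request) -> list:
    """Return every documented restriction the request breaks; empty means allowed."""
    found = []
    if not 0 <= r.requested <= MAX_ID:
        found.append("value outside 0..60002")
    if not r.has_manage_members:
        found.append("MANAGE-MEMBERS authority missing")
    if r.requested == 0:
        found.append("user number 0 (root) may not be allocated")
    if r.current != r.default:  # assumption: target must still hold the default
        found.append("only the default user number may be changed")
    if r.requested <= r.default:
        found.append("must be greater than the default user number")
    if r.requested in r.in_use:
        found.append("duplicate user number")
    if r.on_data_pubset and r.requested != r.home_number:
        found.append("data pubset: must match the home pubset user number")
    return found


# Constructed sample requests: default user number 100, numbers 100 and 120 taken.
TAKEN = frozenset({100, 120})
OK = Request(True, current=100, default=100, requested=150, in_use=TAKEN)
ROOT = Request(True, current=100, default=100, requested=0, in_use=TAKEN)
DATA = Request(True, 100, 100, 151, TAKEN, on_data_pubset=True, home_number=150)

if __name__ == "__main__":
    for name, req in (("OK", OK), ("ROOT", ROOT), ("DATA", DATA)):
        print(name, violations(req) or "allowed")
```
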

GROUP-NUMBER =
The group number which is automatically allocated when a BS2000 user ID is set up can be changed.

The GROUP-NUMBER attribute is a security issue, as POSIX does not check the admissibility of the BS2000 user/group combination against the POSIX group catalog when a user logs in.

Group administrators cannot change the group number unless they have at least the group administrator privilege MANAGE-MEMBERS, and the range of values they can assign is restricted:

  • They can allocate only the default group number or the group number of the group administrator for the BS2000 user group to which the BS2000 user ID belongs.

  • They cannot allocate a different group number for their own BS2000 user ID.

GROUP-NUMBER = *UNCHANGED
The group number is not changed.

GROUP-NUMBER = *BY-POSIX-USER-DEFAULTS
The group number is given the value of the corresponding POSIX default attribute as recorded in the user catalog of the specified pubset.

GROUP-NUMBER = *GROUP-ADMINISTRATOR
Allocates the group number owned by the group administrator of the BS2000 user group to which the BS2000 user ID belongs.

GROUP-NUMBER = <integer 0..60002>
The group number is given the specified value.

COMMENT =
The comment can be changed. Further information relating to the owner of the BS2000 user ID can be added as appropriate.

Note: This comment is used, for example, by mail programs to describe the sender.

COMMENT = *UNCHANGED
The comment is not changed.

COMMENT = *BY-POSIX-USER-DEFAULTS
The value is taken from the corresponding POSIX default attribute as recorded in the user catalog of the specified pubset.

COMMENT = *NONE
No comment is added.

COMMENT = <c-string 1..255 with-low>
The specified comment is added.

DIRECTORY =
The absolute path name of the user’s login directory can be changed. This attribute is not a security issue, as it governs only the value of the HOME shell variable and the initial value of the working directory. It cannot be used to bypass file and directory protection attributes.

DIRECTORY = *UNCHANGED
The absolute path name is not changed.

DIRECTORY = *BY-POSIX-USER-DEFAULTS
The value is taken from the corresponding POSIX default attribute as recorded in the user catalog of the specified pubset.

DIRECTORY = *ROOT
The root directory “/” is allocated.

DIRECTORY = <posix-pathname 1..1023 without-wild>
The specified path name is allocated.

PROGRAM =
The program which is run after a remote login or after the START-POSIX-SHELL command can be changed.
This attribute is not a security issue, as only such programs as the user is allowed to execute can be run.

PROGRAM = *UNCHANGED
The program is not changed.

PROGRAM = *BY-POSIX-USER-DEFAULTS
The value is taken from the corresponding POSIX default attribute as recorded in the user catalog of the specified pubset.

PROGRAM = *SHELL
The default POSIX shell is started up.

PROGRAM = <posix-pathname 1..1023 without-wild>
The specified program is run.

Return codes

(SC2)  SC1  Maincode  Meaning
       0    CMD0001   Command executed without error
2      0    SRM6001   Command executed with warning
       32   SRM6020   Command rejected owing to system error
       64   SRM6040   Command rejected with error message
       130  SRM6030   Command rejected owing to insufficient resources

Examples

The POSIXTST user ID is to be allocated a user number of 55 and a group number of 66. The login directory (home directory) is to be /home/posixtst. Following a POSIX login, the Bourne shell is to be started up.
There is to be a comment reading: “posix-user@posix-server.com”.

/MODIFY-POSIX-USER-ATTRIBUTES USER-ID=POSIXTST, -
/  USER-NUMBER=55, -
/  GROUP-NUMBER=66, -
/  DIRECTORY=/home/posixtst, -
/  PROGRAM=*SHELL, -
/  COMMENT='posix-user@posix-server.com'

The PSXROOT user ID is to have root privileges. Its home directory is to be /home/psxroot.

/MODIFY-POSIX-USER-ATTRIBUTES USER-ID=PSXROOT, -
/  USER-NUMBER=0, -
/  GROUP-NUMBER=0, -
/  DIRECTORY=/home/psxroot