Refer also to the manual "POSIX Basics".
POSIX files and POSIX directories can be protected against unauthorized access within POSIX by means of protection bits. The container files which contain the individual file systems of the POSIX file tree can be additionally protected in BS2000 by means of appropriate file attributes. For distributed resources, access controls can additionally be implemented when such resources are made available and/or mounted.
Access protection for container files
The POSIX installation program creates container files having the attributes USER-ACCESS=*OWN and ACCESS=*WRITE for the specified user ID. These attributes should not be modified. Moreover, no file password may be assigned.
The user of a POSIX file does not require any access right for the container file in which the POSIX file is located.
Protection bits
Access protection for files and directories is implemented in POSIX by means of protection bits, as is usual in UNIX. There are three protection bits (read, write, execute), which can be individually specified for each of the three user classes (owner, group, others), and one identification character indicating the type of entry:
Identification character | Owner | Group | Others
- (file) or d (directory) | rwx | rwx | rwx

r = read, w = write, x = execute (for a directory: search); a "-" in place of a bit means the bit is not set.
Example 1
- rwx r-- r--
These characters relate to a file which the owner may read, write to and execute; other members of the group and other users may only read the file.
Example 2
d rwx r-- r--
These characters relate to a directory in which the owner can read and create/delete entries, and on which the owner can perform search operations; other members of the group and other users may only read entries in the directory.
Access protection for remote resources
The commands for making available (sharing) and mounting resources offer options which allow differential control of client access. Certain levels of authorization which can be granted to all or selected clients are listed below:
root authorization
read-only access
read and write access
Through a combination of user authorizations and file access protection mechanisms it is possible to achieve the required level of protection for distributed resources in any situation.
Example
The directory /usr1/v1 belongs to the user having uid=4712.
It has the following protection bits: d rwx r-- r--
It is made available for remote NFS clients with read and write access by means of the command share -F nfs /usr1/v1. Any clients which mount this resource then only have read access to it. Client processes that are supposed to have write access to the directory must be logged in with the same uid on their computer as the owner of the directory (i.e. 4712), because the protection bits do not permit write access by group and others.