HP 9000 Networking: Advanced Server/9000 Administrator's Guide > Chapter 8 Troubleshooting

Differences Between System Access Permissions


This section describes the differences between the access permissions of the UNIX system and a network running Advanced Server software. It explains the UNIX system access permissions — how to display them and how to change them with the uchmod command. The uchmod command is an MS-DOS executable command residing in the DOSUTIL shared directory.

An Advanced Server is a computer that also is running the UNIX operating system. All of its files also are UNIX system files with their own set of UNIX system access permissions.

UNIX system access permissions on an Advanced Server file will be compatible with the Advanced Server only if the UNIX system access permissions are changed explicitly. If these UNIX system access permissions are modified, they can prevent access to a file or directory even if Advanced Server access permissions grant access.

For example, if a user has Advanced Server change permission for a file, then this file needs to have the UNIX system equivalent of change permission (RWX) in order for the user to perform all of the operations allowed by the Advanced Server change permission (read, write, create, and execute).

However, if you changed the file's UNIX system permissions, eliminating the write (W) permission for everyone other than the file's owner, then no one but the owner can alter or remove the file, regardless of the generous Advanced Server permissions.

Advanced Server automatically adds the appropriate UNIX system access permissions when files and directories are created on the network. These permissions are determined by two keywords in the Advanced Server Registry: UnixFilePerms and UnixDirectoryPerms.

Check whether the values assigned to these keywords provide the desired UNIX system protection for your files and directories. These keywords are in the following key:

\SYSTEM\CurrentControlSet\Services\AdvancedServer\FileServiceParameters

For more information, see Appendix A, "Advanced Server Registry."

For more information about security and access permissions, see Advanced Server Concepts and Planning.

UNIX System Access Permissions

The UNIX system assigns access permissions to all directories and files. These UNIX system access permissions, together with Advanced Server file and directory permissions, determine whether you can read, write, or create directories and files on the server.

NOTE: It is not necessary to know the UNIX system access permissions assigned to directories and files unless these access permissions prevent access when Advanced Server permissions appear to allow access.

Access is determined through access permissions assigned by Advanced Server and the UNIX system. Advanced Server access permissions assigned to files or directories are based on the access permissions assigned to the individual user. These access permissions can be found in the access control list that resides on Advanced Server.

UNIX System Group Permissions and Advanced Server

The effect of setting UNIX system group permissions on Advanced Server files is limited. In the UNIX system, the group field is used for storing information about file attributes. When a file is accessed from a client computer, its group may change to reflect its attributes (for example, to DOS----). Therefore, it is inadvisable to rely on UNIX system group permissions to restrict access to Advanced Server files unless keepunixgroups is set to yes.

UNIX System Permissions on Directories

UNIX system permissions on all directories in the path leading to a file must be at least read and execute (RX) for users to access files on Advanced Server successfully.
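When Advanced Server permissions appear to allow access but a client is still refused, the directory rule above is a common cause. The following script is an added example, not part of the HP guide: run in a shell on the server, it walks the path to a file and reports the first directory that is not at least RX. The function names and the CLASS argument (user, group or other) are assumptions of this example, and it reads modes with ls -ld rather than udir.

```shell
#!/bin/sh
# Added example, not from the HP guide. CLASS (user, group or other) is an
# assumption supplied by the caller: pick the set that applies to the UNIX
# identity the connecting user is mapped to.

# mode_bits PATH CLASS: print the three-character permission set for CLASS,
# taken from the mode string printed by "ls -ld" (for example drwxr-x---).
mode_bits() {
    [ -e "$1" ] || return 1
    case "$2" in
        user)  ls -ld -- "$1" | cut -c2-4 ;;
        group) ls -ld -- "$1" | cut -c5-7 ;;
        other) ls -ld -- "$1" | cut -c8-10 ;;
        *)     return 2 ;;
    esac
}

# has_rx SET: succeed if SET grants read and execute (search).
# s or t in the last position means x is also set; S, T, l or - mean it is not.
has_rx() {
    case "$1" in
        r?[xst]) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_dirs DIR CLASS: test DIR and every parent, topmost first. Prints the
# first directory that is not at least r-x for CLASS and returns 1.
check_dirs() {
    case "$1" in
        /|.) ;;
        *)   check_dirs "$(dirname "$1")" "$2" || return 1 ;;
    esac
    has_rx "$(mode_bits "$1" "$2")" && return 0
    printf '%s\n' "$1"
    return 1
}

# first_blocking_dir FILE CLASS: absolute paths are checked from /, relative
# paths from the current directory.
# Usage: first_blocking_dir /path/to/share/file other
first_blocking_dir() {
    case "$2" in
        user|group|other) check_dirs "$(dirname "$1")" "$2" ;;
        *) echo "class must be user, group or other" >&2; return 2 ;;
    esac
}
```

No output and a zero exit status mean every directory on the path passes for the chosen class.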

Turning Off UNIX System Permission Checking

If the protection of Advanced Server files provided by UNIX system permissions can be ignored, and if it is appropriate to rely solely on Advanced Server permissions to manage file access, you can set the IgnoreUnixPermissions keyword to 1 (ignore UNIX system permissions) in the Advanced Server Registry. This keyword is in the following key:

\SYSTEM\CurrentControlSet\Services\AdvancedServer\FileServiceParameters

This will cause Advanced Server to ignore all UNIX system permissions on files except for read-only permissions, which are translated into read-only file attributes when client computers attempt to access files.

For more information about the Advanced Server Registry, see Appendix A.

UNIX System File and Directory Permissions

UNIX system file and directory permissions are assigned by a default set of access permissions on the system upon creation of files and directories. The UNIX system distinguishes the following three types of users with respect to access permissions:

  1. User — If you own a UNIX system file or directory, you can assign it access permissions for yourself. For example, to prevent unauthorized users from executing a program, you can assign execute permissions to yourself only.

  2. Group — You can assign permissions for other users in your group to files and directories that you own. When your administrator creates your home directory, you are automatically assigned to the UNIX system group other, as are all others with home directories. This assignment enables you to share data easily with other network users, but prevents UNIX system users in different groups from reading or changing your files.

  3. Other — You can assign access permissions to files and directories that you own for all UNIX system users other than yourself and the users in your group. Depending on your needs, you can allow these other users to read or change your files and directories or you can prevent such access. Restricting access to others does not affect your own access to the files and directories.

When a user attempts to access a file or directory, access to the server is allowed or denied depending on the permissions assigned to that user.

Understanding UNIX System Access Permissions

You can use the udir command to check the current UNIX system access permissions of any file or directory. The Modes column of the udir command shows the UNIX system access permissions for each file and directory. These access permissions are displayed as three sets of three access permissions each. The first set shows the user/owner access permissions. The second set shows the group access permissions. The third set shows the access permissions provided to other UNIX system users. Following are the access permissions abbreviations and their meanings:

Permission   Description
r            Permission to display or read the file or directory.
w            Permission to modify or write to the file or to create or remove files in the directory.
x            Permission to execute the file or move to the directory. Client application files do not need execute permission because they execute under the client computer's operating system, not the UNIX system.
-            The relevant permission is denied.
l            Mandatory locking is enabled.

The following access permissions rarely appear in a display but are described here for completeness:

Permission   Description
s            Whenever a file with this permission is executed, regardless of who executes it, the invoked process takes on the identity of the file's owner (or group) for the duration of the execution.
t            If space is available, a text file with this permission stays in swap space after execution. This permission speeds UNIX system program loading.

Changing UNIX System Access Permissions

You can use the uchmod command from a client computer to change the UNIX system access permissions for files and directories.

With the uchmod command, you enter only the access permissions you want to change. You do not have to enter all of the permission characters. For example, to change the write permission on a file named budget so that it cannot be modified, you would enter the following command:

uchmod -w budget

Maintaining Permissions for Specific Files

Some programs, such as Microsoft Word, maintain temporary files by renaming the source file to a temporary name. Then, when the user saves the file, these programs create a new file with the name of the source file. The temporary file is then deleted.

The permissions that have been assigned to a specific file are not assigned to the new file, which has the same file name. These permissions apply only to the original file, which was renamed to the temporary file name and then deleted. The updated file is treated as a completely new file by Advanced Server, which means it inherits the permissions of the directory in which it resides.

Files that are likely to go through this kind of updating process should be maintained in directories that have the permissions you want these files to inherit.

Tighten File Security when CreateUnixUser=0

When the value CreateUnixUser is set to 0 in the registry, HP-UX accounts are not created for AS/U users. When such a user creates a new file from a down-level client (Windows 3.1 or Word for Windows), the file will be owned by the HP-UX user lmworld.

AS/U treats files owned by lmworld as owned by the server user SYSTEM. This prevents users, other than those who have explicit permissions to do so, from taking ownership or modifying permissions for such files.

© 1997 Hewlett-Packard Development Company, L.P.