HP-UX System Administrator's Guide: Configuration Management: HP-UX 11i Version 3 > Chapter 4 Configuring Users and Groups

Controlling File Access

Working groups, file permissions, and file ownership all determine who can access a given file. See also the HP-UX System Administrator’s Guide: Security Management.

Defining Group Membership

Users on your system can be divided into working groups so that files owned by members of a given group can be shared and yet remain protected from access by users who are not members of the group. A user’s primary group membership number is included as one entry in the /etc/passwd file. Group information is defined in /etc/group and /etc/logingroup.

Users who are members of more than one group, as specified in /etc/group, can change their current group with the /usr/bin/newgrp command. You do not need to use the newgrp command if user groups are defined in /etc/logingroup. If you do not divide the users of your system into separate working groups, it is customary to set up one group (usually called users) and assign all users of your system to that group.

You can use HP SMH to add, remove, or modify group membership.

To manually change group membership, edit /etc/group and optionally /etc/logingroup with a text editor, such as vi. Although you can enter a group-level password in /etc/group, it is not recommended. To avoid maintaining multiple files, you can link /etc/logingroup to /etc/group. For details on the /etc/group and /etc/logingroup files, see the group(4) manpage. For information on linking files, see the link(1M) and ln(1) manpages.

You can assign special privileges to a group of users using the /usr/sbin/setprivgrp command. For more information, see chown(1), getprivgrp(1), setprivgrp(1M), chown(2), getprivgrp(2), lockf(2), plock(2), rtprio(2), setgid(2), setprivgrp(2), setuid(2), and shmctl(2).

Setting File Access Permissions

The /usr/bin/chmod command changes the type of access (read, write, and execute privileges) for the file’s owner, group members, or all others. Only the owner of a file (or the superuser) can change its read, write, and execute privileges. For details, see chmod(1).

By default, new files have read/write permission for everyone (-rw-rw-rw-) and new directories have read/write/execute permission for everyone (drwxrwxrwx). Default file permissions can be changed using the /usr/bin/umask command. For details, see umask(1). The default for trusted systems is different; see the HP-UX System Administrator’s Guide: Security Management.
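The umask arithmetic just described, worked through in a POSIX sh script that is an added example and not part of this guide: it derives the mode a new file or directory receives from the 666/777 defaults and a given umask, renders it in ls notation, and checks the prediction against an object actually created under that umask. It assumes a POSIX sh with mktemp and ls -ld available; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not HP-UX code): predict the permissions a new file or directory
# receives under a umask, starting from the defaults given in the text (files
# 666 = -rw-rw-rw-, directories 777 = drwxrwxrwx), then verify against the system.

# default_mode file|dir UMASK -> octal mode string, e.g. "644"
default_mode() {
    case "$1" in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    echo "usage: default_mode file|dir UMASK" >&2; return 1 ;;
    esac
    # The leading 0 makes the shell read the umask as octal; ~ clears the masked bits.
    printf '%03o\n' $(( base & ~0$2 ))
}

# symbolic_mode file|dir OCTAL -> ls-style string, e.g. "-rw-r--r--"
symbolic_mode() {
    m=$(printf '%03o' $(( 0$2 )))
    out=-; [ "$1" = dir ] && out=d
    d1=${m%??}; rest=${m#?}; d2=${rest%?}; d3=${rest#?}
    for d in "$d1" "$d2" "$d3"; do
        case $d in
            0) out="$out---" ;; 1) out="$out--x" ;; 2) out="$out-w-" ;; 3) out="$out-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;; 6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
        esac
    done
    printf '%s\n' "$out"
}

# observed_mode file|dir UMASK -> the mode string ls -ld reports for an object
# really created under that umask in a scratch directory (umask set in a subshell).
observed_mode() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$2"
        if [ "$1" = dir ]; then mkdir "$tmp/obj"; else : > "$tmp/obj"; fi
    )
    ls -ld "$tmp/obj" | cut -c1-10
    rm -rf "$tmp"
}

# Walk through three umask values an administrator is likely to choose.
for u in 000 022 077; do
    for kind in file dir; do
        m=$(default_mode "$kind" "$u")
        printf 'umask %s %-4s -> %s %s (observed %s)\n' \
            "$u" "$kind" "$m" "$(symbolic_mode "$kind" "$m")" "$(observed_mode "$kind" "$u")"
    done
done
```

The observed column shows that umask only removes bits; it never grants more than the 666/777 starting point, so a restrictive umask (such as 077) is the right tool for making new files private by default.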

Setting Ownership for Files

The /usr/bin/chown command changes file user (and group) ownership. To change the user, you must own the file (and belong to a group with the CHOWN privilege) or have superuser privileges.

The /usr/bin/chgrp command changes file group ownership. To change the group, you must own the file (and belong to a group with the CHOWN privilege) or have superuser privileges.

For more information, refer to chown(1) and chgrp(1).

Setting Access Control Lists

Access control lists (ACLs) offer a finer degree of file protection than traditional file access permissions. You can use ACLs to allow or restrict file access for individual users, regardless of which group those users belong to. Only the owner of a file (or the superuser) can create ACLs.

ACLs are supported on both JFS and HFS file systems, but the commands and some of the semantics differ. On a JFS file system, use setacl to set ACLs and use getacl to view them. On an HFS file system, use chacl to set ACLs and use lsacl to view them.

For a discussion of both JFS and HFS ACLs, see the HP-UX System Administrator’s Guide: Security Management.

For additional JFS ACL information see setacl(1), getacl(1), and aclv(5).

For additional HFS ACL information, see lsacl(1), chacl(1), and acl(5).

© 2008 Hewlett-Packard Development Company, L.P.